Analysis
-
max time kernel
150s -
max time network
13s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
25-05-2021 10:02
General
-
Target
FOTOVERANO15.scr
-
Size
874KB
-
MD5
ec692bde91ad1c6e182843bc0a5c7e81
-
SHA1
54996c1d4aeaf76855b7b73a323b74c191573863
-
SHA256
de19d8ea2911ff7e337823576e214151ad4426206db8e9ea9880778f2592f935
-
SHA512
4b4d5b7707071b86cb2d55411766bb3ebde9a8765becdaf5840d78be6e278f5b3d2bbe2888350a4d113c49a65c9b8e2ec818429db91c72529b0fbfd12f9c7dbe
Malware Config
Extracted
darkcomet
FOTOVERANO15
seguridadsocial.ddns.net:1604
DC_MUTEX-MKHPJPY
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
lsBsa7lPZ9Fu
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\FOTOVERANO15.scr"C:\Users\Admin\AppData\Local\Temp\FOTOVERANO15.scr" /S1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"3⤵
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
aeffb88a40a4be078244229bcfee3d2f
SHA1d7289fe88f0929c36dd642f2b16bdb649bbc88eb
SHA25671204f05c21a26aba9343ec13042d96ae3b3bf6702a38dd3a6a42a09ee96042b
SHA512af0c7e413680b62d12445bee0577bf288195395b4935cf9a5fbe372d4ea490d6ab07082d24d7f72ca020a8e0ccca713a800a3eb0aebb38b3ddb629d083538d80
-
MD5
ec692bde91ad1c6e182843bc0a5c7e81
SHA154996c1d4aeaf76855b7b73a323b74c191573863
SHA256de19d8ea2911ff7e337823576e214151ad4426206db8e9ea9880778f2592f935
SHA5124b4d5b7707071b86cb2d55411766bb3ebde9a8765becdaf5840d78be6e278f5b3d2bbe2888350a4d113c49a65c9b8e2ec818429db91c72529b0fbfd12f9c7dbe
-
MD5
ec692bde91ad1c6e182843bc0a5c7e81
SHA154996c1d4aeaf76855b7b73a323b74c191573863
SHA256de19d8ea2911ff7e337823576e214151ad4426206db8e9ea9880778f2592f935
SHA5124b4d5b7707071b86cb2d55411766bb3ebde9a8765becdaf5840d78be6e278f5b3d2bbe2888350a4d113c49a65c9b8e2ec818429db91c72529b0fbfd12f9c7dbe
-
MD5
ec692bde91ad1c6e182843bc0a5c7e81
SHA154996c1d4aeaf76855b7b73a323b74c191573863
SHA256de19d8ea2911ff7e337823576e214151ad4426206db8e9ea9880778f2592f935
SHA5124b4d5b7707071b86cb2d55411766bb3ebde9a8765becdaf5840d78be6e278f5b3d2bbe2888350a4d113c49a65c9b8e2ec818429db91c72529b0fbfd12f9c7dbe
-
MD5
ec692bde91ad1c6e182843bc0a5c7e81
SHA154996c1d4aeaf76855b7b73a323b74c191573863
SHA256de19d8ea2911ff7e337823576e214151ad4426206db8e9ea9880778f2592f935
SHA5124b4d5b7707071b86cb2d55411766bb3ebde9a8765becdaf5840d78be6e278f5b3d2bbe2888350a4d113c49a65c9b8e2ec818429db91c72529b0fbfd12f9c7dbe
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
-
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
