Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
24-09-2021 06:12
General
-
Target
a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe
-
Size
659KB
-
MD5
1d8488e1531d6a0b880347ac3c90aa55
-
SHA1
1240d4284b9a4d30b573cf3530a70cc109426051
-
SHA256
a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b
-
SHA512
765a2a9d7f365ebc9c9082ea24ab9c5256b1bc44aa13596fec69c082cf0ac4a320f05ee78d7cd3df43237ac1246719dfc01d571bdf34d272141a5fb572e6388a
Malware Config
Extracted
darkcomet
Sazan
carbonkarlduckdns.org:1604
DC_MUTEX-A82WM2C
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
AYz297gj1pvL
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Windows security bypass 2 TTPs
-
suricata: ET MALWARE Zeus GameOver Possible DGA NXDOMAIN Responses
suricata: ET MALWARE Zeus GameOver Possible DGA NXDOMAIN Responses
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe"C:\Users\Admin\AppData\Local\Temp\a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
1d8488e1531d6a0b880347ac3c90aa55
SHA11240d4284b9a4d30b573cf3530a70cc109426051
SHA256a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b
SHA512765a2a9d7f365ebc9c9082ea24ab9c5256b1bc44aa13596fec69c082cf0ac4a320f05ee78d7cd3df43237ac1246719dfc01d571bdf34d272141a5fb572e6388a
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
1d8488e1531d6a0b880347ac3c90aa55
SHA11240d4284b9a4d30b573cf3530a70cc109426051
SHA256a03f3f9f48a88f30a6826f42bff8e45565d2c058abed4a83725af7db272b216b
SHA512765a2a9d7f365ebc9c9082ea24ab9c5256b1bc44aa13596fec69c082cf0ac4a320f05ee78d7cd3df43237ac1246719dfc01d571bdf34d272141a5fb572e6388a
-
memory/992-114-0x0000000000680000-0x0000000000681000-memory.dmpFilesize
4KB
-
memory/1144-115-0x0000000000000000-mapping.dmp
-
memory/1144-119-0x0000000000610000-0x000000000075A000-memory.dmpFilesize
1.3MB
-
memory/1420-118-0x0000000000000000-mapping.dmp
-
memory/1420-120-0x0000000000A20000-0x0000000000A21000-memory.dmpFilesize
4KB