Analysis

  • max time kernel
    150s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 19:16

General

  • Target

    87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3.exe

  • Size

    252KB

  • MD5

    32307c24db9052003547acd8c7814a09

  • SHA1

    1804e608aef820e4b344e996dbad49276cc237b5

  • SHA256

    87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3

  • SHA512

    7e3db616a5e1e25eb2b94a8a537c90b657f99fa92471c38108eb0e859476a6e5adecfe3ef46da9729cc3605a79c694f74a2a923b4f6e5f9bc5d5515186bca596

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs
  • Disables RegEdit via registry modification
  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3.exe
    "C:\Users\Admin\AppData\Local\Temp\87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3.exe" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3.exe" +s +h
        3⤵
        • Views/modifies file attributes
        PID:956
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Views/modifies file attributes
        PID:1712
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Deletes itself
      PID:628
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1016
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
          PID:876
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          3⤵
            PID:544
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            3⤵
              PID:1224

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Persistence

        Winlogon Helper DLL

        1
        T1004

        Modify Existing Service

        2
        T1031

        Hidden Files and Directories

        2
        T1158

        Registry Run Keys / Startup Folder

        1
        T1060

        Defense Evasion

        Modify Registry

        7
        T1112

        Disabling Security Tools

        2
        T1089

        Hidden Files and Directories

        2
        T1158

        Discovery

        System Information Discovery

        1
        T1082

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          Filesize

          252KB

          MD5

          32307c24db9052003547acd8c7814a09

          SHA1

          1804e608aef820e4b344e996dbad49276cc237b5

          SHA256

          87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3

          SHA512

          7e3db616a5e1e25eb2b94a8a537c90b657f99fa92471c38108eb0e859476a6e5adecfe3ef46da9729cc3605a79c694f74a2a923b4f6e5f9bc5d5515186bca596

        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          Filesize

          252KB

          MD5

          32307c24db9052003547acd8c7814a09

          SHA1

          1804e608aef820e4b344e996dbad49276cc237b5

          SHA256

          87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3

          SHA512

          7e3db616a5e1e25eb2b94a8a537c90b657f99fa92471c38108eb0e859476a6e5adecfe3ef46da9729cc3605a79c694f74a2a923b4f6e5f9bc5d5515186bca596

        • \Users\Admin\Documents\MSDCSC\msdcsc.exe
          Filesize

          252KB

          MD5

          32307c24db9052003547acd8c7814a09

          SHA1

          1804e608aef820e4b344e996dbad49276cc237b5

          SHA256

          87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3

          SHA512

          7e3db616a5e1e25eb2b94a8a537c90b657f99fa92471c38108eb0e859476a6e5adecfe3ef46da9729cc3605a79c694f74a2a923b4f6e5f9bc5d5515186bca596

        • \Users\Admin\Documents\MSDCSC\msdcsc.exe
          Filesize

          252KB

          MD5

          32307c24db9052003547acd8c7814a09

          SHA1

          1804e608aef820e4b344e996dbad49276cc237b5

          SHA256

          87e1433bec2bd9d8fdc02e52d03d29005b82546996d045068ffce11088a660c3

          SHA512

          7e3db616a5e1e25eb2b94a8a537c90b657f99fa92471c38108eb0e859476a6e5adecfe3ef46da9729cc3605a79c694f74a2a923b4f6e5f9bc5d5515186bca596

        • memory/628-57-0x0000000000000000-mapping.dmp
        • memory/956-60-0x0000000000000000-mapping.dmp
        • memory/1016-63-0x0000000000000000-mapping.dmp
        • memory/1224-67-0x0000000000000000-mapping.dmp
        • memory/1272-54-0x0000000076171000-0x0000000076173000-memory.dmp
          Filesize

          8KB

        • memory/1660-56-0x0000000000000000-mapping.dmp
        • memory/1712-59-0x0000000000000000-mapping.dmp
        • memory/1768-55-0x0000000000000000-mapping.dmp