Analysis

  • max time kernel
    153s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    30-05-2022 05:17

General

  • Target

    0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe

  • Size

    683KB

  • MD5

    8bb19f064991f91dca466784b13e2bb3

  • SHA1

    517682367ad7b45ab2f4eba49bff723f033cfc6d

  • SHA256

    0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec

  • SHA512

    0752b19d991542ee5834d62b614ead5cdb90b365a5fed03a830cf57761fc00c6142d40f8f0da1bee0acb90e5f3aed14afdaa25e33b9ad132dbeec1a1c3286beb

Malware Config

Extracted

Family

darkcomet

Botnet

hack

C2

dianabol89.zapto.org:1604

Mutex

DC_MUTEX-MJBT6M8

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    qtA8PLYkzZVo

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe
    "C:\Users\Admin\AppData\Local\Temp\0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Users\Admin\AppData\Local\Temp\HWCGYUDD\JQDRLENE.exe
      "C:\Users\Admin\AppData\Local\Temp\HWCGYUDD\JQDRLENE.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3460
      • C:\Users\Admin\AppData\Local\Temp\0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe
        "C:\Users\Admin\AppData\Local\Temp\0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Checks computer location settings
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4520
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe" +s +h
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4080
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp\0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec.exe" +s +h
            5⤵
            • Views/modifies file attributes
            PID:3312
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4712
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            5⤵
            • Views/modifies file attributes
            PID:4092
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          PID:780
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:208
          • C:\Users\Admin\AppData\Local\Temp\HWCGYUDD\JQDRLENE.exe
            "C:\Users\Admin\AppData\Local\Temp\HWCGYUDD\JQDRLENE.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2124
            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
              "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2956
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                7⤵
                PID:4636

      Network

      MITRE ATT&CK Matrix (ATT&CK v6)

      • Persistence
        • Winlogon Helper DLL (1) T1004
        • Hidden Files and Directories (2) T1158
        • Registry Run Keys / Startup Folder (1) T1060
      • Defense Evasion
        • Modify Registry (2) T1112
        • Hidden Files and Directories (2) T1158
      • Discovery
        • Query Registry (1) T1012
        • System Information Discovery (2) T1082

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\HWCGYUDD\JQDRLENE.exe
        Filesize

        964KB

        MD5

        2ee38ff20b9d582668d0ff14bde48fcf

        SHA1

        ccd75e289a21ee01aac4878b248f877115ea5186

        SHA256

        0df50d6001913e1ff647d4bec049e9806ea1ea4826324ce972e0a8caf5a02873

        SHA512

        7e7c0ca12c49ef6566198f68b0eb38e8f5dfc307edbfe833781b7c981042390a87cfc00aa13cce8d0db8c49ddff4bba91009d79ff5ec3f0a398925d8c0aa6346

      • C:\Users\Admin\AppData\Local\Temp\HWCGYUDD\rGwUjG
        Filesize

        251KB

        MD5

        89beea19c83fa8ba7869b6218e4d426b

        SHA1

        3e77050911a80a01f43396306b42bffa7612a0df

        SHA256

        58a2ef01854c591089a7789f0257796a7c1385bd23fdad621d00ea50ee7de473

        SHA512

        1e1b4e00f8c221fc8454958b531916b1f990c67074f812528c5fc79e08570a7345ccd9ec589c82e91d0c1ddb4d08c54d49c8bd17eff815a205c7af46b3a1d22d

      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        683KB

        MD5

        8bb19f064991f91dca466784b13e2bb3

        SHA1

        517682367ad7b45ab2f4eba49bff723f033cfc6d

        SHA256

        0aff8ddb4ffe9e66e64bc83259098b2f3cceaea0524bced7751d69f6026195ec

        SHA512

        0752b19d991542ee5834d62b614ead5cdb90b365a5fed03a830cf57761fc00c6142d40f8f0da1bee0acb90e5f3aed14afdaa25e33b9ad132dbeec1a1c3286beb

      • memory/208-149-0x0000000000000000-mapping.dmp
      • memory/780-146-0x0000000000000000-mapping.dmp
      • memory/2124-152-0x0000000000000000-mapping.dmp
      • memory/2956-166-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/2956-165-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/2956-163-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/2956-162-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/2956-158-0x0000000000000000-mapping.dmp
      • memory/3312-147-0x0000000000000000-mapping.dmp
      • memory/3460-130-0x0000000000000000-mapping.dmp
      • memory/4080-144-0x0000000000000000-mapping.dmp
      • memory/4092-148-0x0000000000000000-mapping.dmp
      • memory/4520-141-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/4520-138-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/4520-137-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/4520-157-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/4520-142-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/4520-136-0x0000000000000000-mapping.dmp
      • memory/4520-139-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/4520-140-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/4520-143-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/4636-164-0x0000000000000000-mapping.dmp
      • memory/4712-145-0x0000000000000000-mapping.dmp