Analysis
-
max time kernel
162s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
-
submitted
31-07-2022 11:41
General
-
Target
7925fb4943617c8bf2740c0d4030243a70d5461d6069ed136c7a0360c9545744.exe
-
Size
440KB
-
MD5
a56c8f7c8cc94966093d7ea2b3241f12
-
SHA1
e12bdd5b96295d73e2bd14b63d5be1dffe485796
-
SHA256
7925fb4943617c8bf2740c0d4030243a70d5461d6069ed136c7a0360c9545744
-
SHA512
5f343bd670d633f403d561312de638a4eac63bb937b86557c39b56f89a86ac94382319a36ac9bff5e9a4401e2f91950f4129e945e51668cd8937ec4a7c8849a6
Score
10/10
Malware Config
Extracted
Family
darkcomet
Botnet
garry
C2
212.83.162.240:4449
Mutex
DC_MUTEX-HVQYYV2
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
qP9qMy51lYCf
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
SQLBrowser
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7925fb4943617c8bf2740c0d4030243a70d5461d6069ed136c7a0360c9545744.exe"C:\Users\Admin\AppData\Local\Temp\7925fb4943617c8bf2740c0d4030243a70d5461d6069ed136c7a0360c9545744.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 6362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 9882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 9882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 9882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 10642⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 11802⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 12002⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 6203⤵
- Program crash
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 9123⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 9203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 9763⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 9563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 10083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 10123⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 9643⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4108 -ip 41081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4108 -ip 41081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4108 -ip 41081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4108 -ip 41081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4108 -ip 41081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4108 -ip 41081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4108 -ip 41081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4916 -ip 49161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4916 -ip 49161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4916 -ip 49161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4916 -ip 49161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4916 -ip 49161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4916 -ip 49161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4916 -ip 49161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4916 -ip 49161⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
440KB
MD5a56c8f7c8cc94966093d7ea2b3241f12
SHA1e12bdd5b96295d73e2bd14b63d5be1dffe485796
SHA2567925fb4943617c8bf2740c0d4030243a70d5461d6069ed136c7a0360c9545744
SHA5125f343bd670d633f403d561312de638a4eac63bb937b86557c39b56f89a86ac94382319a36ac9bff5e9a4401e2f91950f4129e945e51668cd8937ec4a7c8849a6
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
440KB
MD5a56c8f7c8cc94966093d7ea2b3241f12
SHA1e12bdd5b96295d73e2bd14b63d5be1dffe485796
SHA2567925fb4943617c8bf2740c0d4030243a70d5461d6069ed136c7a0360c9545744
SHA5125f343bd670d633f403d561312de638a4eac63bb937b86557c39b56f89a86ac94382319a36ac9bff5e9a4401e2f91950f4129e945e51668cd8937ec4a7c8849a6
-
memory/1736-141-0x0000000000000000-mapping.dmp
-
memory/1824-144-0x0000000000000000-mapping.dmp
-
memory/3524-136-0x0000000000000000-mapping.dmp
-
memory/4100-137-0x0000000000000000-mapping.dmp
-
memory/4108-135-0x0000000000400000-0x0000000000B9C000-memory.dmpFilesize
7.6MB
-
memory/4108-132-0x0000000000E6B000-0x0000000000EAB000-memory.dmpFilesize
256KB
-
memory/4108-134-0x0000000000E6B000-0x0000000000EAB000-memory.dmpFilesize
256KB
-
memory/4108-133-0x0000000000400000-0x0000000000B9C000-memory.dmpFilesize
7.6MB
-
memory/4916-138-0x0000000000000000-mapping.dmp
-
memory/4916-142-0x0000000000C4B000-0x0000000000C8B000-memory.dmpFilesize
256KB
-
memory/4916-143-0x0000000000400000-0x0000000000B9C000-memory.dmpFilesize
7.6MB
-
memory/4916-145-0x0000000000C4B000-0x0000000000C8B000-memory.dmpFilesize
256KB
-
memory/4916-146-0x0000000000400000-0x0000000000B9C000-memory.dmpFilesize
7.6MB