Analysis
-
max time kernel
44s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
-
submitted
31-07-2022 19:28
General
-
Target
cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe
-
Size
738KB
-
MD5
5eb58198721d4ded363e41e243e685cc
-
SHA1
d3e349f052d215f392fbbdc657583d808fe51828
-
SHA256
cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8
-
SHA512
8fd1ee50b3cd82d8764f818a78fc3f4fca83a689a8927b856feca15a469eb9e32447902cfd819ddbf5b97fabcfbea2de2464c0304bb3f5e10ff1ebe26e7737b6
Malware Config
Extracted
darkcomet
delvie
saw-88.no-ip.biz:1604
DC_MUTEX-T3GAC5L
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
zSVFbDa27L2S
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of WriteProcessMemory 49 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe"C:\Users\Admin\AppData\Local\Temp\cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exeC:\Users\Admin\AppData\Local\Temp\cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8.exe2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\MSDCSC\msdcsc.exe"C:\MSDCSC\msdcsc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\MSDCSC\msdcsc.exeC:\MSDCSC\msdcsc.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"5⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"6⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSDCSC\msdcsc.exeFilesize
738KB
MD55eb58198721d4ded363e41e243e685cc
SHA1d3e349f052d215f392fbbdc657583d808fe51828
SHA256cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8
SHA5128fd1ee50b3cd82d8764f818a78fc3f4fca83a689a8927b856feca15a469eb9e32447902cfd819ddbf5b97fabcfbea2de2464c0304bb3f5e10ff1ebe26e7737b6
-
C:\MSDCSC\msdcsc.exeFilesize
738KB
MD55eb58198721d4ded363e41e243e685cc
SHA1d3e349f052d215f392fbbdc657583d808fe51828
SHA256cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8
SHA5128fd1ee50b3cd82d8764f818a78fc3f4fca83a689a8927b856feca15a469eb9e32447902cfd819ddbf5b97fabcfbea2de2464c0304bb3f5e10ff1ebe26e7737b6
-
C:\MSDCSC\msdcsc.exeFilesize
738KB
MD55eb58198721d4ded363e41e243e685cc
SHA1d3e349f052d215f392fbbdc657583d808fe51828
SHA256cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8
SHA5128fd1ee50b3cd82d8764f818a78fc3f4fca83a689a8927b856feca15a469eb9e32447902cfd819ddbf5b97fabcfbea2de2464c0304bb3f5e10ff1ebe26e7737b6
-
\MSDCSC\msdcsc.exeFilesize
738KB
MD55eb58198721d4ded363e41e243e685cc
SHA1d3e349f052d215f392fbbdc657583d808fe51828
SHA256cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8
SHA5128fd1ee50b3cd82d8764f818a78fc3f4fca83a689a8927b856feca15a469eb9e32447902cfd819ddbf5b97fabcfbea2de2464c0304bb3f5e10ff1ebe26e7737b6
-
\MSDCSC\msdcsc.exeFilesize
738KB
MD55eb58198721d4ded363e41e243e685cc
SHA1d3e349f052d215f392fbbdc657583d808fe51828
SHA256cb96be84d722c68fb65e3523c4e0043cdc8cfa252ec045bc7c4ee230c85a83f8
SHA5128fd1ee50b3cd82d8764f818a78fc3f4fca83a689a8927b856feca15a469eb9e32447902cfd819ddbf5b97fabcfbea2de2464c0304bb3f5e10ff1ebe26e7737b6
-
memory/472-117-0x0000000000400000-0x0000000000565000-memory.dmpFilesize
1.4MB
-
memory/472-88-0x0000000000400000-0x0000000000565000-memory.dmpFilesize
1.4MB
-
memory/472-86-0x0000000000000000-mapping.dmp
-
memory/1536-68-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/1536-77-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/1536-79-0x0000000000490888-mapping.dmp
-
memory/1536-55-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/1536-80-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/1536-82-0x00000000762A1000-0x00000000762A3000-memory.dmpFilesize
8KB
-
memory/1536-83-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/1536-74-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/1536-71-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/1536-56-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/1536-64-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/1536-61-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/1536-58-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/1700-114-0x0000000000490888-mapping.dmp
-
memory/1700-119-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/1940-54-0x0000000000400000-0x0000000000565000-memory.dmpFilesize
1.4MB
-
memory/1940-81-0x0000000000400000-0x0000000000565000-memory.dmpFilesize
1.4MB