Analysis

  • max time kernel
    213s
  • max time network
    248s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-10-2022 21:44

General

  • Target

    22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b.exe

  • Size

    753KB

  • MD5

    6164b89fb1038bc271cad23b75b8bcda

  • SHA1

    9e8a1becd54a69adc7367e0c98cd33041f5e1ed5

  • SHA256

    22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b

  • SHA512

    7766a0c3ea22e7d4a440e9a687c6ee2f0e200035ce54cbd3ebe51dca1714dac74b1409ad7991965072b30f35d8c8ebc9a7f00d2acd8cd1c4f5cef7fa6ef680c1

  • SSDEEP

    12288:K4bUx79HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h:KJZ1xuVVjfFoynPaVBUR8f+kN10EB

Malware Config

Extracted

Family

darkcomet

Botnet

new

C2

serverexe.no-ip.org:5112

Mutex

DC_MUTEX-79PF79N

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    oYlexrzdlPwE

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b.exe
    "C:\Users\Admin\AppData\Local\Temp\22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Users\Admin\AppData\Local\Temp\TEST.EXE
      "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
        "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:876
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:5116

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

    Filesize

    658KB

    MD5

    3432fe314b8cb640b283998d08f9c71a

    SHA1

    d4b6a3c0757dddcb1c4b3798ef1ca60860861d13

    SHA256

    cdf9667cc91e01e213236ece900c9ff8074b4b0d784b8cd0fb188ecf2b7d7551

    SHA512

    2aee193cb4b1675248867cc15b03d9d6c429ffa18097493849ec3d06c0ebd0043a7b6869223192226accd11b7717320e024593111af49ebf94d2a16133fde398

  • C:\Users\Admin\AppData\Local\Temp\TEST.EXE

    Filesize

    658KB

    MD5

    3432fe314b8cb640b283998d08f9c71a

    SHA1

    d4b6a3c0757dddcb1c4b3798ef1ca60860861d13

    SHA256

    cdf9667cc91e01e213236ece900c9ff8074b4b0d784b8cd0fb188ecf2b7d7551

    SHA512

    2aee193cb4b1675248867cc15b03d9d6c429ffa18097493849ec3d06c0ebd0043a7b6869223192226accd11b7717320e024593111af49ebf94d2a16133fde398

  • memory/876-135-0x0000000000000000-mapping.dmp

  • memory/1708-132-0x0000000000000000-mapping.dmp