Overview

overview

10

Static

static

10

242f313590...21.exe

windows7-x64

10

242f313590...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    01-10-2022 23:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe

  • Size

    1.3MB

  • MD5

    65335c3362c2a5af1662e5d596e812c0

  • SHA1

    49d54432fc1691d0f6b477e7c4ccc4162ea6bd41

  • SHA256

    242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21

  • SHA512

    043828beaffc5e73707021320877e65dc26b4d7957702f855241ed777087dd8c608af71f14a5d4c4d5ff3229c42a4ab831bc2310c5f6bf6a7452d697783bd7f4

  • SSDEEP

    24576:xQtAJH+PECTpJzNYDoKVf7LtxBezzJ34GAx+0QRWoJEfg0oChGdJQbjPbNW5tYeH:+SH+PECTpJzNYDnVjLtxclmJQRV2o3Mj

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

herorivals.ddns.net:1604

herorivals.ddns.net:1605
Mutex

DC_MUTEX-F54S21D

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    jZMx1931CGta

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Microsoft

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Loads dropped DLL 5 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe
    "C:\Users\Admin\AppData\Local\Temp\242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\SysWOW64\systeminf1.exe
      "C:\Windows\system32\systeminf1.exe"
      2⤵
      • Executes dropped EXE
      PID:1256
    • C:\Windows\SysWOW64\systeminf2.exe
      "C:\Windows\system32\systeminf2.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\systeminf2.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\SysWOW64\systeminf2.exe" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in System32 directory
          • Views/modifies file attributes
          PID:1788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1284
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\SysWOW64" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:1380
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\systeminf2.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 4
          4⤵
          • Runs ping.exe
          PID:1856
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
            PID:1512
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            4⤵
              PID:1576

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Winlogon Helper DLL

      1
      T1004

      Modify Existing Service

      2
      T1031

      Hidden Files and Directories

      2
      T1158

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      6
      T1112

      Disabling Security Tools

      2
      T1089

      Hidden Files and Directories

      2
      T1158

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        650KB

        MD5

        552473949ab5541cf86c13a5d0687ccf

        SHA1

        38c1a2f1bdb20e810a827201531748ec22f9f021

        SHA256

        fab5a805543b152f3cca1a3096d95003cc434897eeebe50520fa304ae114b124

        SHA512

        8ff686d433a34de9fb56c01c71255b698be635e5994a8565130e1ab6566019f4e093f92e4bfc287abc842aca5a8ab7d6aac272760cacc8e84a3767f85e132619

        Download Submit
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        650KB

        MD5

        552473949ab5541cf86c13a5d0687ccf

        SHA1

        38c1a2f1bdb20e810a827201531748ec22f9f021

        SHA256

        fab5a805543b152f3cca1a3096d95003cc434897eeebe50520fa304ae114b124

        SHA512

        8ff686d433a34de9fb56c01c71255b698be635e5994a8565130e1ab6566019f4e093f92e4bfc287abc842aca5a8ab7d6aac272760cacc8e84a3767f85e132619

        Download Submit
      • C:\Windows\SysWOW64\systeminf1.exe
        Filesize

        94KB

        MD5

        8f6ee86140c12ebc9d2b640112db78a4

        SHA1

        5c9af3a3df26b7129649d0961895bf6f58e6e265

        SHA256

        fdad7fe01215afeb8aff1a74c9c69f34ac5fcddc622da622591ce42825f84bde

        SHA512

        5091ff6f7befdccebaa31ff1da79299460aa9a919cc51bd48cd24e8ddb8f7eed165ae032c70f30897cdae3da9a1fec99d502fbe526d8a890887119acf387362f

        Download Submit
      • C:\Windows\SysWOW64\systeminf1.exe
        Filesize

        94KB

        MD5

        8f6ee86140c12ebc9d2b640112db78a4

        SHA1

        5c9af3a3df26b7129649d0961895bf6f58e6e265

        SHA256

        fdad7fe01215afeb8aff1a74c9c69f34ac5fcddc622da622591ce42825f84bde

        SHA512

        5091ff6f7befdccebaa31ff1da79299460aa9a919cc51bd48cd24e8ddb8f7eed165ae032c70f30897cdae3da9a1fec99d502fbe526d8a890887119acf387362f

        Download Submit
      • C:\Windows\SysWOW64\systeminf2.exe
        Filesize

        650KB

        MD5

        552473949ab5541cf86c13a5d0687ccf

        SHA1

        38c1a2f1bdb20e810a827201531748ec22f9f021

        SHA256

        fab5a805543b152f3cca1a3096d95003cc434897eeebe50520fa304ae114b124

        SHA512

        8ff686d433a34de9fb56c01c71255b698be635e5994a8565130e1ab6566019f4e093f92e4bfc287abc842aca5a8ab7d6aac272760cacc8e84a3767f85e132619

        Download Submit
      • C:\Windows\SysWOW64\systeminf2.exe
        Filesize

        650KB

        MD5

        552473949ab5541cf86c13a5d0687ccf

        SHA1

        38c1a2f1bdb20e810a827201531748ec22f9f021

        SHA256

        fab5a805543b152f3cca1a3096d95003cc434897eeebe50520fa304ae114b124

        SHA512

        8ff686d433a34de9fb56c01c71255b698be635e5994a8565130e1ab6566019f4e093f92e4bfc287abc842aca5a8ab7d6aac272760cacc8e84a3767f85e132619

        Download Submit
      • \Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        650KB

        MD5

        552473949ab5541cf86c13a5d0687ccf

        SHA1

        38c1a2f1bdb20e810a827201531748ec22f9f021

        SHA256

        fab5a805543b152f3cca1a3096d95003cc434897eeebe50520fa304ae114b124

        SHA512

        8ff686d433a34de9fb56c01c71255b698be635e5994a8565130e1ab6566019f4e093f92e4bfc287abc842aca5a8ab7d6aac272760cacc8e84a3767f85e132619

        Download Submit
      • \Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        650KB

        MD5

        552473949ab5541cf86c13a5d0687ccf

        SHA1

        38c1a2f1bdb20e810a827201531748ec22f9f021

        SHA256

        fab5a805543b152f3cca1a3096d95003cc434897eeebe50520fa304ae114b124

        SHA512

        8ff686d433a34de9fb56c01c71255b698be635e5994a8565130e1ab6566019f4e093f92e4bfc287abc842aca5a8ab7d6aac272760cacc8e84a3767f85e132619

        Download Submit
      • \Windows\SysWOW64\systeminf1.exe
        Filesize

        94KB

        MD5

        8f6ee86140c12ebc9d2b640112db78a4

        SHA1

        5c9af3a3df26b7129649d0961895bf6f58e6e265

        SHA256

        fdad7fe01215afeb8aff1a74c9c69f34ac5fcddc622da622591ce42825f84bde

        SHA512

        5091ff6f7befdccebaa31ff1da79299460aa9a919cc51bd48cd24e8ddb8f7eed165ae032c70f30897cdae3da9a1fec99d502fbe526d8a890887119acf387362f

        Download Submit
      • \Windows\SysWOW64\systeminf2.exe
        Filesize

        650KB

        MD5

        552473949ab5541cf86c13a5d0687ccf

        SHA1

        38c1a2f1bdb20e810a827201531748ec22f9f021

        SHA256

        fab5a805543b152f3cca1a3096d95003cc434897eeebe50520fa304ae114b124

        SHA512

        8ff686d433a34de9fb56c01c71255b698be635e5994a8565130e1ab6566019f4e093f92e4bfc287abc842aca5a8ab7d6aac272760cacc8e84a3767f85e132619

        Download Submit
      • \Windows\SysWOW64\systeminf2.exe
        Filesize

        650KB

        MD5

        552473949ab5541cf86c13a5d0687ccf

        SHA1

        38c1a2f1bdb20e810a827201531748ec22f9f021

        SHA256

        fab5a805543b152f3cca1a3096d95003cc434897eeebe50520fa304ae114b124

        SHA512

        8ff686d433a34de9fb56c01c71255b698be635e5994a8565130e1ab6566019f4e093f92e4bfc287abc842aca5a8ab7d6aac272760cacc8e84a3767f85e132619

        Download Submit
      • memory/1256-78-0x000000001B176000-0x000000001B195000-memory.dmp
        Filesize

        124KB

        Download
      • memory/1256-56-0x0000000000000000-mapping.dmp
        Download
      • memory/1256-65-0x0000000000A10000-0x0000000000A2E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/1284-67-0x0000000000000000-mapping.dmp
        Download
      • memory/1380-70-0x0000000000000000-mapping.dmp
        Download
      • memory/1528-68-0x0000000000000000-mapping.dmp
        Download
      • memory/1532-66-0x0000000000000000-mapping.dmp
        Download
      • memory/1632-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1788-69-0x0000000000000000-mapping.dmp
        Download
      • memory/1792-74-0x0000000000000000-mapping.dmp
        Download
      • memory/1856-71-0x0000000000000000-mapping.dmp
        Download
      • memory/2036-61-0x0000000000000000-mapping.dmp
        Download