Overview

overview

10

Static

static

10

242f313590...21.exe

windows7-x64

10

242f313590...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2022 23:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe

  • Size

    1.3MB

  • MD5

    65335c3362c2a5af1662e5d596e812c0

  • SHA1

    49d54432fc1691d0f6b477e7c4ccc4162ea6bd41

  • SHA256

    242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21

  • SHA512

    043828beaffc5e73707021320877e65dc26b4d7957702f855241ed777087dd8c608af71f14a5d4c4d5ff3229c42a4ab831bc2310c5f6bf6a7452d697783bd7f4

  • SSDEEP

    24576:xQtAJH+PECTpJzNYDoKVf7LtxBezzJ34GAx+0QRWoJEfg0oChGdJQbjPbNW5tYeH:+SH+PECTpJzNYDnVjLtxclmJQRV2o3Mj

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

herorivals.ddns.net:1604

herorivals.ddns.net:1605
Mutex

DC_MUTEX-F54S21D

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    jZMx1931CGta

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Microsoft

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe
    "C:\Users\Admin\AppData\Local\Temp\242f31359003b155e7b63772a3178e08ee4ed985f9997bfceb736b9b9ec15e21.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Windows\SysWOW64\systeminf1.exe
      "C:\Windows\system32\systeminf1.exe"
      2⤵
      • Executes dropped EXE
      PID:3752
    • C:\Windows\SysWOW64\systeminf2.exe
      "C:\Windows\system32\systeminf2.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\systeminf2.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\SysWOW64\systeminf2.exe" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in System32 directory
          • Views/modifies file attributes
          PID:5072
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4868
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\SysWOW64" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:4320
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Windows\SysWOW64\systeminf2.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 4
          4⤵
          • Runs ping.exe
          PID:3552
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1820
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies firewall policy service
          • Modifies security service
          • Windows security bypass
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

2
T1031

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

6
T1112

Disabling Security Tools

2
T1089

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    650KB

    MD5

    552473949ab5541cf86c13a5d0687ccf

    SHA1

    38c1a2f1bdb20e810a827201531748ec22f9f021

    SHA256

    fab5a805543b152f3cca1a3096d95003cc434897eeebe50520fa304ae114b124

    SHA512

    8ff686d433a34de9fb56c01c71255b698be635e5994a8565130e1ab6566019f4e093f92e4bfc287abc842aca5a8ab7d6aac272760cacc8e84a3767f85e132619

    Download Submit
  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    650KB

    MD5

    552473949ab5541cf86c13a5d0687ccf

    SHA1

    38c1a2f1bdb20e810a827201531748ec22f9f021

    SHA256

    fab5a805543b152f3cca1a3096d95003cc434897eeebe50520fa304ae114b124

    SHA512

    8ff686d433a34de9fb56c01c71255b698be635e5994a8565130e1ab6566019f4e093f92e4bfc287abc842aca5a8ab7d6aac272760cacc8e84a3767f85e132619

    Download Submit
  • C:\Windows\SysWOW64\systeminf1.exe
    Filesize

    94KB

    MD5

    8f6ee86140c12ebc9d2b640112db78a4

    SHA1

    5c9af3a3df26b7129649d0961895bf6f58e6e265

    SHA256

    fdad7fe01215afeb8aff1a74c9c69f34ac5fcddc622da622591ce42825f84bde

    SHA512

    5091ff6f7befdccebaa31ff1da79299460aa9a919cc51bd48cd24e8ddb8f7eed165ae032c70f30897cdae3da9a1fec99d502fbe526d8a890887119acf387362f

    Download Submit
  • C:\Windows\SysWOW64\systeminf1.exe
    Filesize

    94KB

    MD5

    8f6ee86140c12ebc9d2b640112db78a4

    SHA1

    5c9af3a3df26b7129649d0961895bf6f58e6e265

    SHA256

    fdad7fe01215afeb8aff1a74c9c69f34ac5fcddc622da622591ce42825f84bde

    SHA512

    5091ff6f7befdccebaa31ff1da79299460aa9a919cc51bd48cd24e8ddb8f7eed165ae032c70f30897cdae3da9a1fec99d502fbe526d8a890887119acf387362f

    Download Submit
  • C:\Windows\SysWOW64\systeminf2.exe
    Filesize

    650KB

    MD5

    552473949ab5541cf86c13a5d0687ccf

    SHA1

    38c1a2f1bdb20e810a827201531748ec22f9f021

    SHA256

    fab5a805543b152f3cca1a3096d95003cc434897eeebe50520fa304ae114b124

    SHA512

    8ff686d433a34de9fb56c01c71255b698be635e5994a8565130e1ab6566019f4e093f92e4bfc287abc842aca5a8ab7d6aac272760cacc8e84a3767f85e132619

    Download Submit
  • C:\Windows\SysWOW64\systeminf2.exe
    Filesize

    650KB

    MD5

    552473949ab5541cf86c13a5d0687ccf

    SHA1

    38c1a2f1bdb20e810a827201531748ec22f9f021

    SHA256

    fab5a805543b152f3cca1a3096d95003cc434897eeebe50520fa304ae114b124

    SHA512

    8ff686d433a34de9fb56c01c71255b698be635e5994a8565130e1ab6566019f4e093f92e4bfc287abc842aca5a8ab7d6aac272760cacc8e84a3767f85e132619

    Download Submit
  • memory/1392-135-0x0000000000000000-mapping.dmp
    Download
  • memory/1820-146-0x0000000000000000-mapping.dmp
    Download
  • memory/2468-139-0x0000000000000000-mapping.dmp
    Download
  • memory/2856-141-0x0000000000000000-mapping.dmp
    Download
  • memory/3552-144-0x0000000000000000-mapping.dmp
    Download
  • memory/3752-132-0x0000000000000000-mapping.dmp
    Download
  • memory/3752-145-0x00007FFF78560000-0x00007FFF79021000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3752-138-0x0000000000E00000-0x0000000000E1E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3752-149-0x00007FFF78560000-0x00007FFF79021000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4320-143-0x0000000000000000-mapping.dmp
    Download
  • memory/4868-140-0x0000000000000000-mapping.dmp
    Download
  • memory/5072-142-0x0000000000000000-mapping.dmp
    Download