Analysis
-
max time kernel
151s -
max time network
53s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
01-10-2022 20:59
General
-
Target
e1988357bf7b368cd41004b28d836914b075f0f35d985c426397d343f0c1e78a.exe
-
Size
636KB
-
MD5
6aa8b96dc40d343ed01f71a98bc33dd0
-
SHA1
f3054de583789ae77b90268b89b15842c81da48b
-
SHA256
e1988357bf7b368cd41004b28d836914b075f0f35d985c426397d343f0c1e78a
-
SHA512
d248d8f1db0b34dcdee876e3a5e52e8585bfec4d49765458ea620b4276ed5a691deae5eb5007e37ce9979a919c3c8fc59de8fe617dcab6321719a6c8303e7934
-
SSDEEP
12288:rClWWlTMKehR5IjmGRUqA6bARgoCfrgbisv69Wu:r3WlYKer2Wo0RgoCfriv+
Malware Config
Extracted
darkcomet
Guest16
microchip.myftp.org:80
microchip.myftp.org:5190
microchip.myftp.org:25
microchip.myftp.org:110
microchip.myftp.org:945
DC_MUTEX-22M89DH
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
bNsEugEKgtYk
-
install
true
-
offline_keylogger
true
-
password
pa$$w0rd117756
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1988357bf7b368cd41004b28d836914b075f0f35d985c426397d343f0c1e78a.exe"C:\Users\Admin\AppData\Local\Temp\e1988357bf7b368cd41004b28d836914b075f0f35d985c426397d343f0c1e78a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e1988357bf7b368cd41004b28d836914b075f0f35d985c426397d343f0c1e78a.exe"C:\Users\Admin\AppData\Local\Temp\e1988357bf7b368cd41004b28d836914b075f0f35d985c426397d343f0c1e78a.exe"2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"5⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exeFilesize
636KB
MD56aa8b96dc40d343ed01f71a98bc33dd0
SHA1f3054de583789ae77b90268b89b15842c81da48b
SHA256e1988357bf7b368cd41004b28d836914b075f0f35d985c426397d343f0c1e78a
SHA512d248d8f1db0b34dcdee876e3a5e52e8585bfec4d49765458ea620b4276ed5a691deae5eb5007e37ce9979a919c3c8fc59de8fe617dcab6321719a6c8303e7934
-
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exeFilesize
636KB
MD56aa8b96dc40d343ed01f71a98bc33dd0
SHA1f3054de583789ae77b90268b89b15842c81da48b
SHA256e1988357bf7b368cd41004b28d836914b075f0f35d985c426397d343f0c1e78a
SHA512d248d8f1db0b34dcdee876e3a5e52e8585bfec4d49765458ea620b4276ed5a691deae5eb5007e37ce9979a919c3c8fc59de8fe617dcab6321719a6c8303e7934
-
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exeFilesize
636KB
MD56aa8b96dc40d343ed01f71a98bc33dd0
SHA1f3054de583789ae77b90268b89b15842c81da48b
SHA256e1988357bf7b368cd41004b28d836914b075f0f35d985c426397d343f0c1e78a
SHA512d248d8f1db0b34dcdee876e3a5e52e8585bfec4d49765458ea620b4276ed5a691deae5eb5007e37ce9979a919c3c8fc59de8fe617dcab6321719a6c8303e7934
-
\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exeFilesize
636KB
MD56aa8b96dc40d343ed01f71a98bc33dd0
SHA1f3054de583789ae77b90268b89b15842c81da48b
SHA256e1988357bf7b368cd41004b28d836914b075f0f35d985c426397d343f0c1e78a
SHA512d248d8f1db0b34dcdee876e3a5e52e8585bfec4d49765458ea620b4276ed5a691deae5eb5007e37ce9979a919c3c8fc59de8fe617dcab6321719a6c8303e7934
-
memory/624-84-0x0000000000400000-0x000000000049F000-memory.dmpFilesize
636KB
-
memory/624-69-0x0000000000000000-mapping.dmp
-
memory/1196-65-0x0000000000400000-0x000000000049F000-memory.dmpFilesize
636KB
-
memory/1268-60-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/1268-64-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/1268-66-0x0000000074E41000-0x0000000074E43000-memory.dmpFilesize
8KB
-
memory/1268-67-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/1268-62-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/1268-61-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/1268-54-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/1268-71-0x00000000033C0000-0x000000000345F000-memory.dmpFilesize
636KB
-
memory/1268-58-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/1268-56-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/1268-55-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB