Analysis

  • max time kernel
    130s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64  arch:x86  image:win7-20220812-en  locale:en-us  os:windows7-x64  system
  • submitted
    11/10/2022, 06:27

General

  • Target

    e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

  • Size

    1.1MB

  • MD5

    49357de181571d86ef91c9225b95b474

  • SHA1

    8f74e682dfe7072d026d88ef84f32dadaa977461

  • SHA256

    e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec

  • SHA512

    56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • SSDEEP

    24576:8MwVW5oFASygtv2/ryWLivEDT00MVq3UHr2BlKVb:8OoFASyg92T/oEDT9MVQU8ib

Malware Config

Extracted

Family

darkcomet

Botnet

Securityy ;3

C2

89.215.253.73:1605

Mutex

DCMIN_MUTEX-V730MT7

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    jmPfYy0Z7wHy

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT
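
The "Extracted" block above is the output of a config decoder run against the sample's DCDATA resource. The Python below is an added example, not part of the sandbox report and not DarkComet's own code: it RC4-decrypts a hex-encoded DCDATA blob with the publicly documented per-version keys, parses the KEY={value} lines between the DARKCOMET DATA markers, and maps them onto the field names used in the report. The blob it decodes is constructed here from the reported values (the analysed binary is not embedded), and the key-name mapping (NETDATA to C2, SID to Botnet, EDTPATH to InstallPath, KEYNAME to reg_key, INSTALL/OFFLINEK/PERSINST to the three booleans) follows the plaintext format used by public decoders; treat it as an assumption where a sample deviates.

```python
"""Decode a DarkComet DCDATA config blob into the fields a sandbox reports.

DarkComet keeps its configuration in an RCDATA resource named DCDATA as
hex-encoded RC4 ciphertext; the plaintext is a block of KEY={value} lines
between "#BEGIN DARKCOMET DATA --" and "#EOF DARKCOMET DATA --".
The sample blob produced by build_sample_dcdata() is constructed for this
example from the values in the report, not taken from the analysed binary.
"""
import binascii
import re
from typing import Dict, Optional

# Per-version RC4 keys as published by public DarkComet decoders, newest first.
RC4_KEYS = [
    b"#KCMDDC51#-890",   # DarkComet 5.1
    b"#KCMDDC5#-890",    # DarkComet 5.0
    b"#KCMDDC42F#-890",  # DarkComet 4.2F
    b"#KCMDDC4#-890",    # DarkComet 4.0
]
BEGIN_MARKER = b"#BEGIN DARKCOMET DATA"

# Config key -> report field name (assumption: names follow public decoders).
FIELD_MAP = {
    "NETDATA": "C2",
    "SID": "Botnet",
    "MUTEX": "Mutex",
    "EDTPATH": "InstallPath",
    "GENCODE": "gencode",
    "INSTALL": "install",
    "OFFLINEK": "offline_keylogger",
    "PERSINST": "persistence",
    "KEYNAME": "reg_key",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}
LINE_RE = re.compile(r"^([A-Z0-9]+)=\{(.*)\}$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it also builds the sample blob."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_dcdata(resource: bytes) -> Optional[bytes]:
    """Try every known key against a DCDATA blob; return plaintext or None."""
    raw = resource.strip()
    try:
        raw = binascii.unhexlify(raw)   # the resource is hex-encoded ciphertext
    except (binascii.Error, ValueError):
        pass                            # not hex: treat it as raw ciphertext
    for key in RC4_KEYS:
        plain = rc4(key, raw)
        if plain.startswith(BEGIN_MARKER):   # only the right key yields the marker
            return plain
    return None


def parse_config(plaintext: bytes) -> Dict[str, object]:
    """Turn KEY={value} lines into report field names; 1/0 become booleans."""
    fields: Dict[str, object] = {}
    for line in plaintext.decode("latin-1").splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # marker lines and anything malformed
        name = FIELD_MAP.get(m.group(1), m.group(1).lower())
        value: object = m.group(2)
        if name in BOOL_FIELDS:
            value = value == "1"
        fields[name] = value
    return fields


def extract(resource: bytes) -> Dict[str, object]:
    plain = decrypt_dcdata(resource)
    if plain is None:
        raise ValueError("no known DarkComet RC4 key decrypted this DCDATA blob")
    return parse_config(plain)


def build_sample_dcdata() -> bytes:
    """Constructed DCDATA blob carrying the values reported for this sample."""
    cfg = (
        "#BEGIN DARKCOMET DATA --\r\n"
        "MUTEX={DCMIN_MUTEX-V730MT7}\r\n"
        "SID={Securityy ;3}\r\n"
        "NETDATA={89.215.253.73:1605}\r\n"
        "GENCODE={jmPfYy0Z7wHy}\r\n"
        "INSTALL={1}\r\n"
        "EDTPATH={DCSCMIN\\IMDCSC.exe}\r\n"
        "KEYNAME={DarkComet RAT}\r\n"
        "PERSINST={0}\r\n"
        "OFFLINEK={1}\r\n"
        "#EOF DARKCOMET DATA --\r\n"
    ).encode("latin-1")
    return binascii.hexlify(rc4(RC4_KEYS[0], cfg)).upper()


if __name__ == "__main__":
    for name, value in extract(build_sample_dcdata()).items():
        print(f"{name}: {value}")
```

On a real binary the DCDATA bytes come from the PE resource directory (for instance via pefile's DIRECTORY_ENTRY_RESOURCE walk); the decoder above starts from that byte string, and the marker check is what tells a wrong key apart from a right one, since RC4 produces plausible-looking garbage for every key.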

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 5 IoCs)
  • Suspicious use of SetThreadContext (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for a DarkComet sample the drive enumeration is consistent with the RAT's file-manager feature, and no file-encryption signature fired in this run.

  • Modifies Internet Explorer settings (1 TTP, 53 IoCs)
  • Runs net.exe (net stop MpsSvc, which stops the Windows Firewall service; see the process tree)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (23 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
    "C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\cmd.exe
      /c net stop MpsSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Windows\SysWOW64\net.exe
        net stop MpsSvc
        3⤵
          PID:1476
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MpsSvc
            4⤵
              PID:1920
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:996
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:996 CREDAT:275457 /prefetch:2
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1908
        • C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
          C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1756
          • C:\Windows\SysWOW64\cmd.exe
            /c net stop MpsSvc
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2008
            • C:\Windows\SysWOW64\net.exe
              net stop MpsSvc
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1684
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop MpsSvc
                5⤵
                  PID:1828
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              3⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              PID:1776
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2
                4⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2020
            • C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
              C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
              3⤵
              • Modifies WinLogon for persistence
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              PID:1700
              • C:\DCSCMIN\IMDCSC.exe
                "C:\DCSCMIN\IMDCSC.exe"
                4⤵
                  PID:808
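
The tree above shows three behaviours worth turning into detection logic: the dropper re-executes its own image twice (paired with the SetThreadContext/WriteProcessMemory signatures), each copy runs cmd -> net -> net1 to stop MpsSvc, and the final stage runs from C:\DCSCMIN\. The Python below is an added example, not sandbox output: it reproduces the tree as constructed Sysmon Event ID 1 style process-creation events (PIDs, images and command lines typed in from the report, with an invented parent PID 1234 for the first process) and runs three checks over them. The field names, the defence-service list and the drive-root allowlist are assumptions made for the example.

```python
"""Detection logic for the behaviours in the process tree above, run over
constructed process-creation events (Sysmon Event ID 1 style).

EVENTS reproduces the report's tree; field names, DEFENCE_SERVICES and
ROOT_ALLOWLIST are assumptions for this example, not sandbox output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe")
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
CMD, NET, NET1 = (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\net.exe",
                  r"C:\Windows\SysWOW64\net1.exe")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report's tree (parent 1234 is invented).
EVENTS: List[ProcEvent] = [
    ProcEvent(1940, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1488, 1940, CMD, "cmd /c net stop MpsSvc"),
    ProcEvent(1476, 1488, NET, "net stop MpsSvc"),
    ProcEvent(1920, 1476, NET1, r"C:\Windows\system32\net1 stop MpsSvc"),
    ProcEvent(996, 1940, IE64, f'"{IE64}"'),
    ProcEvent(1908, 996, IE32, f'"{IE32}" SCODEF:996 CREDAT:275457 /prefetch:2'),
    ProcEvent(1756, 1940, SAMPLE, SAMPLE),
    ProcEvent(2008, 1756, CMD, "cmd /c net stop MpsSvc"),
    ProcEvent(1684, 2008, NET, "net stop MpsSvc"),
    ProcEvent(1828, 1684, NET1, r"C:\Windows\system32\net1 stop MpsSvc"),
    ProcEvent(1776, 1756, IE64, f'"{IE64}"'),
    ProcEvent(2020, 1776, IE32, f'"{IE32}" SCODEF:1776 CREDAT:275457 /prefetch:2'),
    ProcEvent(1700, 1756, SAMPLE, SAMPLE),
    ProcEvent(808, 1700, r"C:\DCSCMIN\IMDCSC.exe", r'"C:\DCSCMIN\IMDCSC.exe"'),
]

# Services whose stop disables a host defence; MpsSvc is the Windows Firewall.
DEFENCE_SERVICES = {"mpssvc", "windefend", "wscsvc", "securityhealthservice"}
NET_STOP_RE = re.compile(r"\bstop\s+(\S+)", re.IGNORECASE)
# Directories legitimately found directly under the drive root.
ROOT_ALLOWLIST = {"windows", "program files", "program files (x86)", "users", "programdata"}


def by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def root_ancestor(pid: int, index: Dict[int, ProcEvent]) -> Optional[ProcEvent]:
    """Walk ppid links up to the topmost process present in the event set."""
    cur = index.get(pid)
    seen = set()
    while cur is not None and cur.ppid in index and cur.pid not in seen:
        seen.add(cur.pid)               # guards against PID-reuse cycles
        cur = index[cur.ppid]
    return cur


def defence_service_stops(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """(pid, service, root-ancestor image) for net/net1 stopping a defence
    service; the root tells you which dropper owns the chain (T1562.004)."""
    index = by_pid(events)
    hits = []
    for e in events:
        name = e.image.rsplit("\\", 1)[-1].lower()
        if name not in ("net.exe", "net1.exe"):
            continue
        m = NET_STOP_RE.search(e.cmdline)
        if m and m.group(1).lower() in DEFENCE_SERVICES:
            root = root_ancestor(e.pid, index)
            hits.append((e.pid, m.group(1), root.image if root else e.image))
    return hits


def self_relaunches(events: List[ProcEvent]) -> List[int]:
    """Children whose image equals the parent's: the dropper re-executes itself
    to unpack the next stage. Browsers also spawn same-image children, so this
    is a weak signal on its own; pair it with the injection signatures."""
    index = by_pid(events)
    return sorted(e.pid for e in events
                  if e.ppid in index and index[e.ppid].image.lower() == e.image.lower())


def unusual_root_dirs(events: List[ProcEvent]) -> List[int]:
    """Images in a directory created directly under the drive root (C:\\DCSCMIN\\)."""
    hits = []
    for e in events:
        parts = e.image.split("\\")
        if len(parts) == 3 and parts[1].lower() not in ROOT_ALLOWLIST:
            hits.append(e.pid)
    return hits


def findings(events: List[ProcEvent]) -> List[str]:
    out = []
    for pid, svc, root in defence_service_stops(events):
        out.append(f"pid {pid} stopped service {svc}; chain rooted at {root}")
    for pid in self_relaunches(events):
        out.append(f"pid {pid} is a same-image child (possible unpack/hollowing stage)")
    for pid in unusual_root_dirs(events):
        out.append(f"pid {pid} runs from a non-standard drive-root directory")
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
```

Walking each net1 hit back to its root ancestor is what makes the alert actionable: on this tree all four MpsSvc stops resolve to the one Temp-dropped executable, so a responder gets a single file to pull rather than four cmd.exe alerts.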

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4F60DE61-494C-11ED-B390-DA7E66F9F45D}.dat
    Filesize: 5KB
    MD5:    c90caf548ac0d2da88241a29c62882fc
    SHA1:   ed991c35d69fbbfd3231da0de2923e036fb9a4eb
    SHA256: 394bffb11ce581027681f2f05f6f5823bf76538e47aed5a5dacec31f79f5e7ee
    SHA512: 771e2974bd6dc98cee73ea5a6d5dbe4b421dcdf3efec9ba62ec4e1a696ca96eb0594326a07b3c13c1c53ea464b97bfacf0c60cbbe926ef26b1e42186d62ce3ee

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5329AE00-494C-11ED-B390-DA7E66F9F45D}.dat
    Filesize: 3KB
    MD5:    91d21db0e0cafda9d5475f5fb6627408
    SHA1:   420766a367195062b1fcfca05922f2dd5eaa9aab
    SHA256: e6415d9835ccafc6ae361c9f941d726954570abd113270aa3be24c50204b6d39
    SHA512: 0eee044b3e658db66bfd38fe302518ff8f428227b631985c5d8036121565330fde2a1ac56f2a7f92435720e5289173ea6b95209aeb239d93dabfcc51fe554879

  • C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
    Filesize: 1.1MB
    MD5:    49357de181571d86ef91c9225b95b474
    SHA1:   8f74e682dfe7072d026d88ef84f32dadaa977461
    SHA256: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
    SHA512: 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
    Filesize: 1.1MB
    MD5:    49357de181571d86ef91c9225b95b474
    SHA1:   8f74e682dfe7072d026d88ef84f32dadaa977461
    SHA256: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
    SHA512: 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • C:\Users\Admin\AppData\Roaming\InstallDir\help.exe
    Filesize: 1.1MB
    MD5:    49357de181571d86ef91c9225b95b474
    SHA1:   8f74e682dfe7072d026d88ef84f32dadaa977461
    SHA256: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
    SHA512: 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\N6IEFYFA.txt
    Filesize: 603B
    MD5:    101a22a401f33e942d75e2cdd46b380b
    SHA1:   c39dccb7d5942dad34d08875df1c81f8901660be
    SHA256: 191be43a8b2c3b38c4b0cc43b4acff30c417f2b047acbf3325e136f5aaa21fbf
    SHA512: eabaa97fda457dab702ed002e950a80cfda04e8b965ec2ba51c82cb95398c552c737f0b9c85a09635e6fcb53a2aaa6b0e025e991831b7cf03ff4aae562b9ae0a

  • \DCSCMIN\IMDCSC.exe
    Filesize: 1.1MB
    MD5:    49357de181571d86ef91c9225b95b474
    SHA1:   8f74e682dfe7072d026d88ef84f32dadaa977461
    SHA256: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
    SHA512: 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • \DCSCMIN\IMDCSC.exe
    Filesize: 1.1MB
    MD5:    49357de181571d86ef91c9225b95b474
    SHA1:   8f74e682dfe7072d026d88ef84f32dadaa977461
    SHA256: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
    SHA512: 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • \Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
    Filesize: 1.1MB
    MD5:    49357de181571d86ef91c9225b95b474
    SHA1:   8f74e682dfe7072d026d88ef84f32dadaa977461
    SHA256: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
    SHA512: 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • \Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
    Filesize: 1.1MB
    MD5:    49357de181571d86ef91c9225b95b474
    SHA1:   8f74e682dfe7072d026d88ef84f32dadaa977461
    SHA256: e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec
    SHA512: 56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • memory/1700-96-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize: 712KB
  • memory/1700-107-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize: 712KB
  • memory/1700-101-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize: 712KB
  • memory/1700-100-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize: 712KB
  • memory/1700-78-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize: 712KB
  • memory/1700-79-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize: 712KB
  • memory/1700-81-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize: 712KB
  • memory/1700-83-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize: 712KB
  • memory/1700-85-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize: 712KB
  • memory/1700-87-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize: 712KB
  • memory/1700-88-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize: 712KB
  • memory/1700-90-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize: 712KB
  • memory/1700-92-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize: 712KB
  • memory/1756-71-0x0000000000400000-0x00000000004D7000-memory.dmp
    Filesize: 860KB
  • memory/1756-59-0x0000000000400000-0x00000000004D7000-memory.dmp
    Filesize: 860KB
  • memory/1756-95-0x0000000000400000-0x00000000004D7000-memory.dmp
    Filesize: 860KB
  • memory/1756-60-0x0000000000400000-0x00000000004D7000-memory.dmp
    Filesize: 860KB
  • memory/1756-65-0x0000000000400000-0x00000000004D7000-memory.dmp
    Filesize: 860KB
  • memory/1756-73-0x0000000000400000-0x00000000004D7000-memory.dmp
    Filesize: 860KB
  • memory/1756-62-0x0000000000400000-0x00000000004D7000-memory.dmp
    Filesize: 860KB
  • memory/1756-67-0x0000000000400000-0x00000000004D7000-memory.dmp
    Filesize: 860KB
  • memory/1756-64-0x0000000000400000-0x00000000004D7000-memory.dmp
    Filesize: 860KB
  • memory/1940-54-0x0000000075B41000-0x0000000075B43000-memory.dmp
    Filesize: 8KB
  • memory/1940-56-0x0000000000230000-0x0000000000234000-memory.dmp
    Filesize: 16KB