Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2022, 06:27

General

  • Target

    e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

  • Size

    1.1MB

  • MD5

    49357de181571d86ef91c9225b95b474

  • SHA1

    8f74e682dfe7072d026d88ef84f32dadaa977461

  • SHA256

    e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec

  • SHA512

    56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • SSDEEP

    24576:8MwVW5oFASygtv2/ryWLivEDT00MVq3UHr2BlKVb:8OoFASyg92T/oEDT9MVQU8ib

Malware Config

Extracted

Family

darkcomet

Botnet

Securityy ;3

C2

89.215.253.73:1605

Mutex

DCMIN_MUTEX-V730MT7

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    jmPfYy0Z7wHy

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 9 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
    "C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3400
    • C:\Windows\SysWOW64\cmd.exe
      /c net stop MpsSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\SysWOW64\net.exe
        net stop MpsSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MpsSvc
          4⤵
            PID:512
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:360
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:360 CREDAT:17410 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3408
      • C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
        C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4084
        • C:\Windows\SysWOW64\cmd.exe
          /c net stop MpsSvc
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1848
          • C:\Windows\SysWOW64\net.exe
            net stop MpsSvc
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:372
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop MpsSvc
              5⤵
                PID:2652
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            3⤵
            • Modifies Internet Explorer settings
            PID:2996
          • C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
            C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe
            3⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Checks computer location settings
            • Adds Run key to start application
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4136
            • C:\DCSCMIN\IMDCSC.exe
              "C:\DCSCMIN\IMDCSC.exe"
              4⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              PID:432
              • C:\Windows\SysWOW64\cmd.exe
                /c net stop MpsSvc
                5⤵
                  PID:1500
                  • C:\Windows\SysWOW64\net.exe
                    net stop MpsSvc
                    6⤵
                      PID:1016
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop MpsSvc
                        7⤵
                          PID:1152
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe"
                      5⤵
                      • Modifies Internet Explorer settings
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SetWindowsHookEx
                      PID:3696
                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3696 CREDAT:17410 /prefetch:2
                        6⤵
                        • Modifies Internet Explorer settings
                        • Suspicious use of SetWindowsHookEx
                        PID:3524
                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3696 CREDAT:17414 /prefetch:2
                        6⤵
                        • Modifies Internet Explorer settings
                        • Suspicious use of SetWindowsHookEx
                        PID:1752
                    • C:\DCSCMIN\IMDCSC.exe
                      C:\DCSCMIN\IMDCSC.exe
                      5⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4164
                      • C:\Windows\SysWOW64\cmd.exe
                        /c net stop MpsSvc
                        6⤵
                          PID:2000
                          • C:\Windows\SysWOW64\net.exe
                            net stop MpsSvc
                            7⤵
                              PID:3724
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop MpsSvc
                                8⤵
                                  PID:1280
                            • C:\Program Files\Internet Explorer\iexplore.exe
                              "C:\Program Files\Internet Explorer\iexplore.exe"
                              6⤵
                              • Modifies Internet Explorer settings
                              PID:4756
                            • C:\DCSCMIN\IMDCSC.exe
                              C:\DCSCMIN\IMDCSC.exe
                              6⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              PID:4728

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\DCSCMIN\IMDCSC.exe

    Filesize

    1.1MB

    MD5

    49357de181571d86ef91c9225b95b474

    SHA1

    8f74e682dfe7072d026d88ef84f32dadaa977461

    SHA256

    e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec

    SHA512

    56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • C:\DCSCMIN\IMDCSC.exe

    Filesize

    1.1MB

    MD5

    49357de181571d86ef91c9225b95b474

    SHA1

    8f74e682dfe7072d026d88ef84f32dadaa977461

    SHA256

    e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec

    SHA512

    56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • C:\DCSCMIN\IMDCSC.exe

    Filesize

    1.1MB

    MD5

    49357de181571d86ef91c9225b95b474

    SHA1

    8f74e682dfe7072d026d88ef84f32dadaa977461

    SHA256

    e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec

    SHA512

    56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • C:\DCSCMIN\IMDCSC.exe

    Filesize

    1.1MB

    MD5

    49357de181571d86ef91c9225b95b474

    SHA1

    8f74e682dfe7072d026d88ef84f32dadaa977461

    SHA256

    e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec

    SHA512

    56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    fceed7a5f76725fb398c6a91ff552899

    SHA1

    237aec000ae7c7c35a639664b1ad6c0d842a0749

    SHA256

    2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383

    SHA512

    adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    404B

    MD5

    e91d0ccc141e8cd3c1acd1d37cba31ff

    SHA1

    1d1885a33fc9d53076cbf08ed18822c9a4d9f77e

    SHA256

    90d72dc1d0ef5fe6f19629e673a49c05f15f8c7612bbb49f1aa127b7e927c957

    SHA512

    b191defda59e6b427525ae1e84b8683cae9fb3d2e18d8e70af52feff9e7199d7c37871a007576024dc3e2030f9dcdd3096cdff53d44d43506b2c51b7f4ba780d

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3572DFFB-493B-11ED-A0EE-4A7057C3C021}.dat

    Filesize

    5KB

    MD5

    f63725c0920a9d9ec62fe989432e8d18

    SHA1

    c567d6d7c8aa0214114d5528ebd7c197421caed7

    SHA256

    c0f1e1f1e2233333e0a31e2a82ae44d9fad08998ab0dde798c22c7986db89e74

    SHA512

    895205e131144c614c8fa8832aa30753760f8007f32b0703ef4457f4edfebbe189dad4baec549d3f2883e7dbd6f6929cad09a180f269825fd1f8d71c3aed2405

  • C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

    Filesize

    1.1MB

    MD5

    49357de181571d86ef91c9225b95b474

    SHA1

    8f74e682dfe7072d026d88ef84f32dadaa977461

    SHA256

    e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec

    SHA512

    56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • C:\Users\Admin\AppData\Local\Temp\e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec.exe

    Filesize

    1.1MB

    MD5

    49357de181571d86ef91c9225b95b474

    SHA1

    8f74e682dfe7072d026d88ef84f32dadaa977461

    SHA256

    e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec

    SHA512

    56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • C:\Users\Admin\AppData\Roaming\InstallDir\help.exe

    Filesize

    1.1MB

    MD5

    49357de181571d86ef91c9225b95b474

    SHA1

    8f74e682dfe7072d026d88ef84f32dadaa977461

    SHA256

    e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec

    SHA512

    56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • C:\Users\Admin\AppData\Roaming\InstallDir\help.exe

    Filesize

    1.1MB

    MD5

    49357de181571d86ef91c9225b95b474

    SHA1

    8f74e682dfe7072d026d88ef84f32dadaa977461

    SHA256

    e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec

    SHA512

    56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • C:\Users\Admin\AppData\Roaming\InstallDir\help.exe

    Filesize

    1.1MB

    MD5

    49357de181571d86ef91c9225b95b474

    SHA1

    8f74e682dfe7072d026d88ef84f32dadaa977461

    SHA256

    e6d9908e1ac0cccc96e3f76eff46c4d8cf94941cc15dc9a64e9fdb3abf9c16ec

    SHA512

    56482bbb1e64eb191e062792978eed6b9cefb804e38e56de59b9abc2c1dc61dcbc79cb105896fcb18334ce312e3bbf38d5071ddb31496141c803f34f5224c723

  • memory/3400-132-0x00000000005B0000-0x00000000005B4000-memory.dmp

    Filesize

    16KB

  • memory/4084-150-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/4084-144-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/4084-139-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/4084-140-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/4084-137-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/4136-152-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4136-151-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4136-147-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4136-149-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/4164-168-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/4164-164-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/4164-175-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/4164-165-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/4728-177-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB