Analysis

  • max time kernel
    153s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 06:32

General

  • Target

    ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe

  • Size

    767KB

  • MD5

    7c2424a3c3548fe475e16d10e5e18b50

  • SHA1

    c6a67fa3db86385781a9d6512ed3bd19ce700198

  • SHA256

    ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81

  • SHA512

    ee64bf32108bfe9b9156bb42edc9a28de34ed9331cd7d4ef3f049bee53beda780bdcce79d4e99072ee39ee51d73c3af623a1dd030a3d3003e10f130797ea3ce0

  • SSDEEP

    12288:mdsngxZoh0ucDuCkZurIi7oriJ+VM85CIJ91KBLiUbsnt6JrXbiDAYvT93b7MG58:asngtDuCkZurLo2CF5CIJ91KBXsnt61/

Malware Config

Extracted

Family

darkcomet

Botnet

RiotPointBeggers

C2

127.0.0.1:6514

darkscouting.no-ip.biz:6514

Mutex

DC_MUTEX-6D97NCS

Attributes
  • InstallPath

    SysAdmin\windesk.exe

  • gencode

    7ud6mCiyikB2

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    rundll32

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
    "C:\Users\Admin\AppData\Local\Temp\ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5068
    • C:\Users\Admin\AppData\Local\Temp\ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
      C:\Users\Admin\AppData\Local\Temp\ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4904
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1268
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81.exe" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1132
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4640
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4296
      • C:\Windows\SysAdmin\windesk.exe
        "C:\Windows\SysAdmin\windesk.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4820
        • C:\Windows\SysAdmin\windesk.exe
          C:\Windows\SysAdmin\windesk.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3436
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            5⤵
              PID:320

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysAdmin\windesk.exe

            Filesize

            767KB

            MD5

            7c2424a3c3548fe475e16d10e5e18b50

            SHA1

            c6a67fa3db86385781a9d6512ed3bd19ce700198

            SHA256

            ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81

            SHA512

            ee64bf32108bfe9b9156bb42edc9a28de34ed9331cd7d4ef3f049bee53beda780bdcce79d4e99072ee39ee51d73c3af623a1dd030a3d3003e10f130797ea3ce0

          • C:\Windows\SysAdmin\windesk.exe

            Filesize

            767KB

            MD5

            7c2424a3c3548fe475e16d10e5e18b50

            SHA1

            c6a67fa3db86385781a9d6512ed3bd19ce700198

            SHA256

            ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81

            SHA512

            ee64bf32108bfe9b9156bb42edc9a28de34ed9331cd7d4ef3f049bee53beda780bdcce79d4e99072ee39ee51d73c3af623a1dd030a3d3003e10f130797ea3ce0

          • C:\Windows\SysAdmin\windesk.exe

            Filesize

            767KB

            MD5

            7c2424a3c3548fe475e16d10e5e18b50

            SHA1

            c6a67fa3db86385781a9d6512ed3bd19ce700198

            SHA256

            ddc36271746a38fd0af19f43d4f76f24aba08c0b76e766f7115f9a8f494bde81

            SHA512

            ee64bf32108bfe9b9156bb42edc9a28de34ed9331cd7d4ef3f049bee53beda780bdcce79d4e99072ee39ee51d73c3af623a1dd030a3d3003e10f130797ea3ce0

          • memory/3436-153-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3436-152-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/4904-134-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/4904-135-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/4904-137-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/4904-136-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/4904-142-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/5068-132-0x0000000000AA0000-0x0000000000AA4000-memory.dmp

            Filesize

            16KB