Analysis

  • max time kernel
    163s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/10/2022, 14:31

General

  • Target

    d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe

  • Size

    1.6MB

  • MD5

    a20d99cf1d92e6b93810eed118feb880

  • SHA1

    f10a8c84559386e512815f5e7b0e803c2cbc9ea2

  • SHA256

    d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e

  • SHA512

    cd49a1f5374d2b63561568c0d820fd2ba6d2d54a249f808e6826a5a499a0bc046a081a66f485069d24006da56841b1bb451fc858a19f65b44f5e68d7b404c7d4

  • SSDEEP

    24576:rthEVaPqLeyARPeXzlXEUYHDCQCm1ZTPGpVGsl10nupkTIC06pTzNnm:/EVUck8jlVbQCm7aH5l13a66pHs

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

67.149.136.142:200

Mutex

DC_MUTEX-8W2HP8D

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    EJ1PSg89PChw

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
    "C:\Users\Admin\AppData\Local\Temp\d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Users\Admin\AppData\Roaming\67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
      C:\Users\Admin\AppData\Roaming\67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\system32\explorer.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops desktop.ini file(s)
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1412
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\explorer.exe" +s +h
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1200
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Windows\SysWOW64\explorer.exe" +s +h
            5⤵
            • Sets file to hidden
            • Drops file in System32 directory
            • Views/modifies file attributes
            PID:556
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Windows\SysWOW64" +s +h
            5⤵
            • Sets file to hidden
            • Drops file in Windows directory
            • Views/modifies file attributes
            PID:744
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
            PID:1544
          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            4⤵
            • Executes dropped EXE
            PID:1984
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Tempscratch.cmd
        2⤵
        • Deletes itself
        PID:1408
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      PID:2016

          Downloads

          • C:\Users\Admin\AppData\Local\Tempscratch.cmd

            Filesize

            290B

            MD5

            144cad0760a5a3c194e8f81b1a199207

            SHA1

            9a56de0c82cf9f2817763d9b6616f1bb434775b5

            SHA256

            7622731f0d69b59fe7bb6d70e4f55ccd54562406d1c92b429ecf4e5d33adbd6e

            SHA512

            47854437f0dd08ae8a0fff3498b464dc959a5ba358c9983ef4aa51ab29e2d58f948f82afa526a4ed214ceed695fd9d3c4cd70fefe2e1fb7c7619d079d16e7a31

          • C:\Users\Admin\AppData\Roaming\67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe

            Filesize

            1.6MB

            MD5

            a20d99cf1d92e6b93810eed118feb880

            SHA1

            f10a8c84559386e512815f5e7b0e803c2cbc9ea2

            SHA256

            d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e

            SHA512

            cd49a1f5374d2b63561568c0d820fd2ba6d2d54a249f808e6826a5a499a0bc046a081a66f485069d24006da56841b1bb451fc858a19f65b44f5e68d7b404c7d4

          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

            Filesize

            2.5MB

            MD5

            40d777b7a95e00593eb1568c68514493

            SHA1

            89a175a12bc20104770d0ef83e553f8b0e06274b

            SHA256

            0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894

            SHA512

            d5719baef8bef791ef99b4c88d449d45f199638438bd929c1a3e7a74309931c72e03567633135a4fcf4c92e2b53e552f9526cba2e1d85383906d3c1aa21dd67f

          • \Users\Admin\AppData\Roaming\67051d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe

            Filesize

            1.6MB

            MD5

            a20d99cf1d92e6b93810eed118feb880

            SHA1

            f10a8c84559386e512815f5e7b0e803c2cbc9ea2

            SHA256

            d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e

            SHA512

            cd49a1f5374d2b63561568c0d820fd2ba6d2d54a249f808e6826a5a499a0bc046a081a66f485069d24006da56841b1bb451fc858a19f65b44f5e68d7b404c7d4

          • \Users\Admin\Documents\MSDCSC\msdcsc.exe

            Filesize

            2.5MB

            MD5

            40d777b7a95e00593eb1568c68514493

            SHA1

            89a175a12bc20104770d0ef83e553f8b0e06274b

            SHA256

            0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894

            SHA512

            d5719baef8bef791ef99b4c88d449d45f199638438bd929c1a3e7a74309931c72e03567633135a4fcf4c92e2b53e552f9526cba2e1d85383906d3c1aa21dd67f

          • memory/888-64-0x0000000000400000-0x00000000004FE000-memory.dmp

            Filesize

            1016KB

          • memory/888-55-0x0000000000400000-0x00000000004FE000-memory.dmp

            Filesize

            1016KB

          • memory/888-54-0x0000000076961000-0x0000000076963000-memory.dmp

            Filesize

            8KB

          • memory/1060-63-0x0000000000400000-0x00000000004FE000-memory.dmp

            Filesize

            1016KB

          • memory/1060-69-0x0000000000400000-0x00000000004FE000-memory.dmp

            Filesize

            1016KB

          • memory/1412-70-0x00000000001B0000-0x0000000000287000-memory.dmp

            Filesize

            860KB

          • memory/1412-73-0x00000000001B0000-0x0000000000287000-memory.dmp

            Filesize

            860KB

          • memory/1412-72-0x00000000001B0000-0x0000000000287000-memory.dmp

            Filesize

            860KB

          • memory/1412-67-0x00000000001B0000-0x0000000000287000-memory.dmp

            Filesize

            860KB

          • memory/1412-65-0x00000000001B0000-0x0000000000287000-memory.dmp

            Filesize

            860KB

          • memory/1412-87-0x00000000001B0000-0x0000000000287000-memory.dmp

            Filesize

            860KB

          • memory/1984-84-0x0000000074431000-0x0000000074433000-memory.dmp

            Filesize

            8KB

          • memory/2016-85-0x000007FEFC591000-0x000007FEFC593000-memory.dmp

            Filesize

            8KB

          • memory/2016-86-0x0000000003940000-0x0000000003950000-memory.dmp

            Filesize

            64KB