Analysis

  • max time kernel
    110s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/10/2022, 14:31

General

  • Target

    d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe

  • Size

    1.6MB

  • MD5

    a20d99cf1d92e6b93810eed118feb880

  • SHA1

    f10a8c84559386e512815f5e7b0e803c2cbc9ea2

  • SHA256

    d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e

  • SHA512

    cd49a1f5374d2b63561568c0d820fd2ba6d2d54a249f808e6826a5a499a0bc046a081a66f485069d24006da56841b1bb451fc858a19f65b44f5e68d7b404c7d4

  • SSDEEP

    24576:rthEVaPqLeyARPeXzlXEUYHDCQCm1ZTPGpVGsl10nupkTIC06pTzNnm:/EVUck8jlVbQCm7aH5l13a66pHs

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

67.149.136.142:200

Mutex

DC_MUTEX-8W2HP8D

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    EJ1PSg89PChw

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate
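How fields like these are recovered from a DarkComet stub, as an added example that is not part of the sandbox report: DarkComet 5.x builds keep their settings in a hex-encoded, RC4-encrypted resource (DCDATA) that decrypts to KEY={value} lines, and the RC4 key is a per-version family constant (#KCMDDC51#-890 for 5.1, with #KCMDDC5#-890, #KCMDDC4#-890 and #KCMDDC2#-890 for older builds) with the operator's password appended when one was set. The key constants, the field names (MUTEX, SID, NETDATA, GENCODE, INSTALL, PERSINST, OFFLINEK, KEYNAME, EDTPATH) and the BEGIN/EOF marker lines are taken from public DarkComet analyses and decoders, not from this page; the report does not include the raw resource, so the encrypted blob in the script is constructed from the extracted values above using the same RC4 routine, and the mapping of config keys onto the report's Family/Botnet/C2/Mutex/Attributes names is this example's own.

```python
r"""Decode a DarkComet 5.x configuration and map it onto the report fields above.

Added example, not part of the sandbox report. The stub keeps its settings in a
hex-encoded, RC4-encrypted resource (DCDATA) that decrypts to KEY={value} lines;
the RC4 key is a per-version family constant with the operator's password
appended if one was set. Key constants and field names follow public DarkComet
analyses/decoders. The report does not include the raw resource, so
SAMPLE_DCDATA_HEX is CONSTRUCTED from the extracted values with the same RC4.
"""
import re
from typing import Dict, Tuple

DC_KEYS = {                     # version -> RC4 key constant
    "5.1": b"#KCMDDC51#-890",
    "5.0": b"#KCMDDC5#-890",
    "4.x": b"#KCMDDC4#-890",
    "2.x": b"#KCMDDC2#-890",
}

FIELD_MAP = {                   # config key -> name used in the report above
    "SID": "Botnet", "NETDATA": "C2", "MUTEX": "Mutex", "EDTPATH": "InstallPath",
    "GENCODE": "gencode", "INSTALL": "install", "OFFLINEK": "offline_keylogger",
    "PERSINST": "persistence", "KEYNAME": "reg_key",
}
BOOL_KEYS = {"INSTALL", "OFFLINEK", "PERSINST"}
LINE_RE = re.compile(r"^([A-Z0-9]+)=\{(.*)\}$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_config(plaintext: str) -> Dict[str, str]:
    """Turn the decrypted KEY={value} lines into a dict; marker lines are skipped."""
    cfg = {}
    for line in plaintext.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def to_report_fields(cfg: Dict[str, str]) -> Dict[str, str]:
    """Project the raw config onto the Family/Botnet/C2/Mutex/Attributes layout of the report."""
    out = {"Family": "darkcomet"}
    for key, value in cfg.items():
        if key in FIELD_MAP:
            out[FIELD_MAP[key]] = ("true" if value == "1" else "false") if key in BOOL_KEYS else value
    return out


def extract(hex_blob: str, password: bytes = b"") -> Tuple[str, Dict[str, str]]:
    """Try every known key constant; the right one yields the DARKCOMET marker in the plaintext."""
    raw = bytes.fromhex(hex_blob)
    for version, key in DC_KEYS.items():
        plain = rc4(key + password, raw).decode("latin-1", "replace")
        if "DARKCOMET" in plain:
            return version, to_report_fields(parse_config(plain))
    raise ValueError("no known DarkComet key decrypts this blob (wrong or missing password?)")


# Constructed sample: the values from the report, laid out as a 5.1 config and encrypted with its key.
SAMPLE_PLAINTEXT = "\r\n".join([
    "#BEGIN DARKCOMET DATA --",
    "MUTEX={DC_MUTEX-8W2HP8D}",
    "SID={Guest16}",
    "NETDATA={67.149.136.142:200}",
    "GENCODE={EJ1PSg89PChw}",
    "INSTALL={1}",
    "PERSINST={1}",
    "OFFLINEK={1}",
    "KEYNAME={MicroUpdate}",
    "EDTPATH={MSDCSC\\msdcsc.exe}",
    "#EOF DARKCOMET DATA --",
])
SAMPLE_DCDATA_HEX = rc4(DC_KEYS["5.1"], SAMPLE_PLAINTEXT.encode("latin-1")).hex().upper()

if __name__ == "__main__":
    version, fields = extract(SAMPLE_DCDATA_HEX)
    print("DarkComet", version)
    for name, value in fields.items():
        print(f"  {name:18} {value}")
```

On a real sample, feed `extract()` the hex text of the DCDATA resource instead of the constructed blob; if every key constant fails, the build was password-protected and the password has to be supplied as the second argument.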

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur (DarkCoderSc).

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Sets file to hidden (1 TTP, 2 IoCs)

    Modifies file attributes so the file no longer shows in Explorer and similar listings.

  • UPX packed file (8 IoCs)

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • AutoIT Executable (4 IoCs)

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic note flags this as likely ransomware behaviour; for a RAT such as DarkComet it is equally consistent with drive enumeration for remote file browsing, so it should not be read as ransomware on its own.

  • Modifies Internet Explorer settings (1 TTP, 4 IoCs)
  • Modifies registry class (8 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (24 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (43 IoCs)
  • Views/modifies file attributes (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
    "C:\Users\Admin\AppData\Local\Temp\d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4452
    • C:\Users\Admin\AppData\Roaming\86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
      C:\Users\Admin\AppData\Roaming\86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4568
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\system32\explorer.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:312
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\explorer.exe" +s +h
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2856
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Windows\SysWOW64\explorer.exe" +s +h
            5⤵
            • Sets file to hidden
            • Drops file in System32 directory
            • Views/modifies file attributes
            PID:488
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2420
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Windows\SysWOW64" +s +h
            5⤵
            • Sets file to hidden
            • Drops file in Windows directory
            • Views/modifies file attributes
            PID:4724
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
          PID:4472
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          4⤵
          • Executes dropped EXE
          PID:4860
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Tempscratch.cmd
      2⤵
      PID:996
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:3588
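The tree above carries the host-side indicators a detection engineer would key on: a 32-bit explorer.exe (SysWOW64) started by a dropped executable in AppData after SetThreadContext in the parent, cmd /k attrib ... +s +h against C:\Windows\SysWOW64 and the explorer.exe copy there, a Run value named MicroUpdate, a Winlogon modification, and execution from Documents\MSDCSC\msdcsc.exe. The rules below run those checks over Sysmon-style events, as an added example that is not part of the sandbox report. The event list is constructed: PIDs, images and command lines are copied from the tree, but the event shape (EventID 1 process create, EventID 13 registry set), the parent images, the two registry values (the report names the Run value and flags a Winlogon change but does not show the data written, so both are modelled as pointing at the install path), the benign control events and the rule names are this example's own assumptions.

```python
r"""Detection rules for the behaviours in the process tree above, run over
Sysmon-style events (EventID 1 = process create, EventID 13 = registry set).

Added example, not part of the sandbox report. EVENTS is CONSTRUCTED to mirror
the tree: PIDs, images and command lines are copied from the report; parent
images and the two registry values are assumptions (the report names the Run
value MicroUpdate and flags a Winlogon change, but not the data written), so
both are modelled as pointing at the install path Documents\MSDCSC\msdcsc.exe.
"""
import ntpath
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

USER_PROFILE = re.compile(r"[a-z]:\\users\\", re.I)                               # user-writable location
WINDIR = re.compile(r"^[a-z]:\\windows\\", re.I)                                   # OS directory
DEFAULT_USERINIT = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe,?$", re.I)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe"
SELF_COPY = r"C:\Users\Admin\AppData\Roaming\86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe"
INSTALL = r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, honouring double-quoted arguments."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _image_name(ev: Event) -> str:
    return ntpath.basename(ev.get("Image", "")).lower()


def rule_attrib_hides_windows_path(ev: Event) -> bool:
    """attrib.exe setting +s and +h on a path under the Windows directory (the two attrib calls above)."""
    if ev.get("EventID") != "1" or _image_name(ev) != "attrib.exe":
        return False
    toks = _tokens(ev.get("CommandLine", ""))
    flags = {t.lower() for t in toks if t.startswith("+")}
    targets = [t for t in toks[1:] if not t.startswith(("+", "-", "/"))]
    return {"+s", "+h"} <= flags and any(WINDIR.match(t) for t in targets)


def rule_explorer_from_user_profile(ev: Event) -> bool:
    """explorer.exe whose parent lives in a user profile: the hollowing target (PID 312) above."""
    return (ev.get("EventID") == "1" and _image_name(ev) == "explorer.exe"
            and bool(USER_PROFILE.search(ev.get("ParentImage", ""))))


def rule_run_key_to_user_profile(ev: Event) -> bool:
    """Run value whose data points into a user profile (the MicroUpdate value)."""
    return (ev.get("EventID") == "13"
            and bool(re.search(r"\\CurrentVersion\\Run\\", ev.get("TargetObject", ""), re.I))
            and bool(USER_PROFILE.search(ev.get("Details", ""))))


def rule_winlogon_tampered(ev: Event) -> bool:
    """Winlogon UserInit or Shell set to anything but the stock value."""
    if ev.get("EventID") != "13":
        return False
    target, data = ev.get("TargetObject", ""), ev.get("Details", "")
    if re.search(r"\\Winlogon\\UserInit$", target, re.I):
        return not DEFAULT_USERINIT.match(data)
    if re.search(r"\\Winlogon\\Shell$", target, re.I):
        return data.strip().lower() != "explorer.exe"
    return False


def rule_darkcomet_install_path(ev: Event) -> bool:
    """Execution from the family's default install path MSDCSC/msdcsc.exe."""
    return ev.get("EventID") == "1" and ev.get("Image", "").lower().endswith(r"\msdcsc\msdcsc.exe")


RULES: List[Callable[[Event], bool]] = [
    rule_attrib_hides_windows_path, rule_explorer_from_user_profile,
    rule_run_key_to_user_profile, rule_winlogon_tampered, rule_darkcomet_install_path,
]


def detect(events) -> List[Tuple[str, str]]:
    """Return (rule name, ProcessId) for every event that trips a rule."""
    return [(r.__name__, ev.get("ProcessId", "?")) for ev in events for r in RULES if r(ev)]


EVENTS: List[Event] = [  # constructed, see module docstring
    {"EventID": "1", "ProcessId": "4568", "Image": SELF_COPY, "CommandLine": SELF_COPY, "ParentImage": DROPPER},
    {"EventID": "1", "ProcessId": "312", "Image": r"C:\Windows\SysWOW64\explorer.exe",
     "CommandLine": r'"C:\Windows\system32\explorer.exe"', "ParentImage": SELF_COPY},
    {"EventID": "1", "ProcessId": "488", "Image": r"C:\Windows\SysWOW64\attrib.exe",
     "CommandLine": r'attrib "C:\Windows\SysWOW64\explorer.exe" +s +h', "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"EventID": "1", "ProcessId": "4724", "Image": r"C:\Windows\SysWOW64\attrib.exe",
     "CommandLine": r'attrib "C:\Windows\SysWOW64" +s +h', "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"EventID": "13", "ProcessId": "312",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate", "Details": INSTALL},
    {"EventID": "13", "ProcessId": "312",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe," + INSTALL},
    {"EventID": "1", "ProcessId": "4860", "Image": INSTALL, "CommandLine": f'"{INSTALL}"',
     "ParentImage": r"C:\Windows\SysWOW64\explorer.exe"},
    # benign controls: the COM-hosted explorer.exe from the tree, a user attrib +r, a stock UserInit write
    {"EventID": "1", "ProcessId": "3588", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": "1", "ProcessId": "5000", "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib +r "C:\Users\Admin\Documents\notes.txt"', "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "13", "ProcessId": "5001",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
]

if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name:34} PID {pid}")
```

The explorer.exe rule deliberately ignores the SysWOW64-versus-system32 mismatch in the command line, which is ordinary WOW64 redirection for a 32-bit process; what makes PID 312 suspicious is its parent in AppData, and the same rule leaves the COM-hosted C:\Windows\explorer.exe (PID 3588) alone.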

Downloads

  • C:\Users\Admin\AppData\Local\Tempscratch.cmd
    Filesize  290B
    MD5       144cad0760a5a3c194e8f81b1a199207
    SHA1      9a56de0c82cf9f2817763d9b6616f1bb434775b5
    SHA256    7622731f0d69b59fe7bb6d70e4f55ccd54562406d1c92b429ecf4e5d33adbd6e
    SHA512    47854437f0dd08ae8a0fff3498b464dc959a5ba358c9983ef4aa51ab29e2d58f948f82afa526a4ed214ceed695fd9d3c4cd70fefe2e1fb7c7619d079d16e7a31

  • C:\Users\Admin\AppData\Roaming\86050d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e.exe
    (listed twice in the report with identical hashes; it is a byte-for-byte copy of the submitted sample)
    Filesize  1.6MB
    MD5       a20d99cf1d92e6b93810eed118feb880
    SHA1      f10a8c84559386e512815f5e7b0e803c2cbc9ea2
    SHA256    d083f1a5350e9fd23e9ac8e23d42feb463e515910f1e892a609d980ac4e3553e
    SHA512    cd49a1f5374d2b63561568c0d820fd2ba6d2d54a249f808e6826a5a499a0bc046a081a66f485069d24006da56841b1bb451fc858a19f65b44f5e68d7b404c7d4

  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize  4.2MB
    MD5       0155e85852fde62a441cbaf485e023be
    SHA1      59482d4b1c0f061426ef71bff8506230faa00701
    SHA256    e0689419d3d7879a229ecf3e74639e4e9ba0669ed4574f47b108097593fc9fbc
    SHA512    f1a43adb7b0203dc5ad4613da9645070c4da0d15d8788b50644cb80420d4a38151488aa3888da39a6cb17ef6d3f5ebc5fe08ac948dca1fd0c852dceecd3bafff

  Memory dumps

  • memory/312-156-0x00000000012D0000-0x00000000013A7000-memory.dmp (860KB)
  • memory/312-148-0x00000000012D0000-0x00000000013A7000-memory.dmp (860KB)
  • memory/312-147-0x00000000012D0000-0x00000000013A7000-memory.dmp (860KB)
  • memory/312-142-0x00000000012D0000-0x00000000013A7000-memory.dmp (860KB)
  • memory/312-143-0x00000000012D0000-0x00000000013A7000-memory.dmp (860KB)
  • memory/312-144-0x00000000012D0000-0x00000000013A7000-memory.dmp (860KB)
  • memory/4452-140-0x0000000000400000-0x00000000004FE000-memory.dmp (1016KB)
  • memory/4452-132-0x0000000000400000-0x00000000004FE000-memory.dmp (1016KB)
  • memory/4452-133-0x0000000000400000-0x00000000004FE000-memory.dmp (1016KB)
  • memory/4568-146-0x0000000000400000-0x00000000004FE000-memory.dmp (1016KB)
  • memory/4568-145-0x0000000000400000-0x00000000004FE000-memory.dmp (1016KB)
  • memory/4568-138-0x0000000000400000-0x00000000004FE000-memory.dmp (1016KB)