Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/10/2022, 16:21

General

  • Target

    175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe

  • Size

    885KB

  • MD5

    914c1a5ce18d5c385aa68eb2f627b683

  • SHA1

    faa8d0acb8ea3bcf164850fa274a3728a473d394

  • SHA256

    175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df

  • SHA512

    1cc0928d68d8d62bb7782eab716daaebfd57a66feb76b0d308e4d7ca895b9731399275ca63fe17a0ca415b786f74021496941ed71eca421bd84e217797fe74be

  • SSDEEP

    12288:IphltQjZMzBLrnl/f1xYPBXfWau3JOq2oth4i73zi/94fuhoAfWl9H5IXMmtVXGI:jW9rn56BXfWauZXD73zi/MjAfiSZM4

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-J5EQEUY

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    YSvPW7HraQLS

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe
    "C:\Users\Admin\AppData\Local\Temp\175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\Windows\SysWOW64\cmd.exe
      /c net stop MpsSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\SysWOW64\net.exe
        net stop MpsSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2100
    • C:\Users\Admin\AppData\Local\Temp\175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe
      C:\Users\Admin\AppData\Local\Temp\175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:5076
        • C:\Windows\SysWOW64\cmd.exe
          /c net stop MpsSvc
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4440
          • C:\Windows\SysWOW64\net.exe
            net stop MpsSvc
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3748
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop MpsSvc
              6⤵
                PID:3052
          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1712
    • C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      1⤵
        PID:4944

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\system.pif

              Filesize

              885KB

              MD5

              914c1a5ce18d5c385aa68eb2f627b683

              SHA1

              faa8d0acb8ea3bcf164850fa274a3728a473d394

              SHA256

              175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df

              SHA512

              1cc0928d68d8d62bb7782eab716daaebfd57a66feb76b0d308e4d7ca895b9731399275ca63fe17a0ca415b786f74021496941ed71eca421bd84e217797fe74be

            • C:\Users\Admin\AppData\Local\Temp\175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df.exe

              Filesize

              885KB

              MD5

              914c1a5ce18d5c385aa68eb2f627b683

              SHA1

              faa8d0acb8ea3bcf164850fa274a3728a473d394

              SHA256

              175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df

              SHA512

              1cc0928d68d8d62bb7782eab716daaebfd57a66feb76b0d308e4d7ca895b9731399275ca63fe17a0ca415b786f74021496941ed71eca421bd84e217797fe74be

            • C:\Users\Admin\AppData\Roaming\InstallDir\help.exe

              Filesize

              885KB

              MD5

              914c1a5ce18d5c385aa68eb2f627b683

              SHA1

              faa8d0acb8ea3bcf164850fa274a3728a473d394

              SHA256

              175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df

              SHA512

              1cc0928d68d8d62bb7782eab716daaebfd57a66feb76b0d308e4d7ca895b9731399275ca63fe17a0ca415b786f74021496941ed71eca421bd84e217797fe74be

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif

              Filesize

              885KB

              MD5

              914c1a5ce18d5c385aa68eb2f627b683

              SHA1

              faa8d0acb8ea3bcf164850fa274a3728a473d394

              SHA256

              175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df

              SHA512

              1cc0928d68d8d62bb7782eab716daaebfd57a66feb76b0d308e4d7ca895b9731399275ca63fe17a0ca415b786f74021496941ed71eca421bd84e217797fe74be

            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

              Filesize

              885KB

              MD5

              914c1a5ce18d5c385aa68eb2f627b683

              SHA1

              faa8d0acb8ea3bcf164850fa274a3728a473d394

              SHA256

              175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df

              SHA512

              1cc0928d68d8d62bb7782eab716daaebfd57a66feb76b0d308e4d7ca895b9731399275ca63fe17a0ca415b786f74021496941ed71eca421bd84e217797fe74be

            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

              Filesize

              885KB

              MD5

              914c1a5ce18d5c385aa68eb2f627b683

              SHA1

              faa8d0acb8ea3bcf164850fa274a3728a473d394

              SHA256

              175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df

              SHA512

              1cc0928d68d8d62bb7782eab716daaebfd57a66feb76b0d308e4d7ca895b9731399275ca63fe17a0ca415b786f74021496941ed71eca421bd84e217797fe74be

            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

              Filesize

              885KB

              MD5

              914c1a5ce18d5c385aa68eb2f627b683

              SHA1

              faa8d0acb8ea3bcf164850fa274a3728a473d394

              SHA256

              175acb4cbfabe1653e0ab5a30ff9f093e47bbed4a58df2d3e6e6efdd9b51f5df

              SHA512

              1cc0928d68d8d62bb7782eab716daaebfd57a66feb76b0d308e4d7ca895b9731399275ca63fe17a0ca415b786f74021496941ed71eca421bd84e217797fe74be

            • memory/1712-159-0x0000000000400000-0x00000000004CA000-memory.dmp

              Filesize

              808KB

            • memory/1712-158-0x0000000000400000-0x00000000004CA000-memory.dmp

              Filesize

              808KB

            • memory/1932-134-0x0000000000400000-0x00000000004CA000-memory.dmp

              Filesize

              808KB

            • memory/1932-138-0x0000000000400000-0x00000000004CA000-memory.dmp

              Filesize

              808KB

            • memory/1932-142-0x0000000000400000-0x00000000004CA000-memory.dmp

              Filesize

              808KB

            • memory/1932-136-0x0000000000400000-0x00000000004CA000-memory.dmp

              Filesize

              808KB

            • memory/1932-157-0x0000000000400000-0x00000000004CA000-memory.dmp

              Filesize

              808KB

            • memory/1932-141-0x0000000000400000-0x00000000004CA000-memory.dmp

              Filesize

              808KB

            • memory/4448-137-0x0000000000740000-0x0000000000744000-memory.dmp

              Filesize

              16KB