Analysis

  • max time kernel
    171s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 10:02

General

  • Target

    0ed85fa7d62a79306a7e52a321de3d1880afd9ef5ba376569f528e7f52047f25.exe

  • Size

    2.7MB

  • MD5

    84bf54351957e900ffed47bec794bad7

  • SHA1

    99c2985eec7c242cc0b574138af08ae2f2d9c0ac

  • SHA256

    0ed85fa7d62a79306a7e52a321de3d1880afd9ef5ba376569f528e7f52047f25

  • SHA512

    aafcfb2c36eb42b5e52d26c88a4e004bb89a1127a04714c245bdd09ad49d22f3bcfdbaf42aeed4d9932646e39422d66605149e858a4f35c9e8f59270e6751ba2

  • SSDEEP

    49152:bkwkn9IMHeae6S5VuaVP1L3TQ/8hdROmzdL0zy4tEwdHO5BIPbSj+XC2Qg9aPCS:IdnV5MVuQt7TQEh7OmJxw0MPWj+XC2FL

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

verydark25.no-ip.biz:100

Mutex

DCMIN_MUTEX-QPZZXFD

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    0GZSgZY5XLqM

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    Chrome Updater

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ed85fa7d62a79306a7e52a321de3d1880afd9ef5ba376569f528e7f52047f25.exe
    "C:\Users\Admin\AppData\Local\Temp\0ed85fa7d62a79306a7e52a321de3d1880afd9ef5ba376569f528e7f52047f25.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Users\Admin\AppData\Local\Temp\613\613.exe
      "C:\Users\Admin\AppData\Local\Temp\613\613.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4688
      • C:\Users\Admin\AppData\Local\Temp\613\613.exe
        "C:\Users\Admin\AppData\Local\Temp\613\613.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4192
        • C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
          "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2492
          • C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
            "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2760

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\613\613.exe

    Filesize

    1.5MB

    MD5

    e3db605b6b773ae7ed7fe8596abae583

    SHA1

    2b573adfe3e3a2edc68936a3e864d7a9a909f12d

    SHA256

    53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

    SHA512

    a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

  • C:\Users\Admin\AppData\Local\Temp\613\613.exe

    Filesize

    1.5MB

    MD5

    e3db605b6b773ae7ed7fe8596abae583

    SHA1

    2b573adfe3e3a2edc68936a3e864d7a9a909f12d

    SHA256

    53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

    SHA512

    a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

  • C:\Users\Admin\AppData\Local\Temp\613\613.exe

    Filesize

    1.5MB

    MD5

    e3db605b6b773ae7ed7fe8596abae583

    SHA1

    2b573adfe3e3a2edc68936a3e864d7a9a909f12d

    SHA256

    53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

    SHA512

    a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

  • C:\Users\Admin\AppData\Local\Temp\res.ico

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\res.ico2

    Filesize

    658KB

    MD5

    07c4d7f2b2cfa8ab7b39a250429bfa78

    SHA1

    dc0e4ca81efbef25aa53d08dbc7fd24008b790b9

    SHA256

    0076395fd58ddcfaa73dcce59a05eb3b45d7116f671f32b5077846bddf3c16b2

    SHA512

    2a806c450f58e3e583f956a0c4a756e71a87c9e6ebce12d9ff5fa01f5724ee5823f22183d73ca0cba5fed772139c576bdf883b237f3b8897fc5264cdc68aa005

  • C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

    Filesize

    1.5MB

    MD5

    e3db605b6b773ae7ed7fe8596abae583

    SHA1

    2b573adfe3e3a2edc68936a3e864d7a9a909f12d

    SHA256

    53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

    SHA512

    a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

  • C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

    Filesize

    1.5MB

    MD5

    e3db605b6b773ae7ed7fe8596abae583

    SHA1

    2b573adfe3e3a2edc68936a3e864d7a9a909f12d

    SHA256

    53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

    SHA512

    a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

  • C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

    Filesize

    1.5MB

    MD5

    e3db605b6b773ae7ed7fe8596abae583

    SHA1

    2b573adfe3e3a2edc68936a3e864d7a9a909f12d

    SHA256

    53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

    SHA512

    a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

  • memory/2492-140-0x0000000000000000-mapping.dmp

  • memory/2760-146-0x0000000000000000-mapping.dmp

  • memory/2760-150-0x00000000000D0000-0x0000000000182000-memory.dmp

    Filesize

    712KB

  • memory/2760-151-0x00000000000D0000-0x0000000000182000-memory.dmp

    Filesize

    712KB

  • memory/2760-152-0x00000000000D0000-0x0000000000182000-memory.dmp

    Filesize

    712KB

  • memory/4192-139-0x00000000000D0000-0x0000000000182000-memory.dmp

    Filesize

    712KB

  • memory/4192-143-0x00000000000D0000-0x0000000000182000-memory.dmp

    Filesize

    712KB

  • memory/4192-138-0x00000000000D0000-0x0000000000182000-memory.dmp

    Filesize

    712KB

  • memory/4192-136-0x00000000000D0000-0x0000000000182000-memory.dmp

    Filesize

    712KB

  • memory/4192-135-0x0000000000000000-mapping.dmp

  • memory/4688-132-0x0000000000000000-mapping.dmp