Analysis
-
max time kernel
152s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
23-11-2022 15:43
General
-
Target
81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
-
Size
1004KB
-
MD5
a60109684df6f7ee0d7f942956464212
-
SHA1
4262a7dfff7827f3cc3144c5334d28bfab5c8594
-
SHA256
81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14
-
SHA512
cdf617a1825d33e0a3c32557003214f0e662f3c40709c29e21cf02c6bc6f75ce1299aea1606c9ed3c12aa5b756472285ecb34e22c33c7bb10fd7a191176b00b7
-
SSDEEP
24576:8Z1xuVVjfFoynPaVBUR8f+kN10EBrC8rnzJ:sQDgok30wC8h
Malware Config
Extracted
darkcomet
Guest
rathostyes.no-ip.biz:200
DC_MUTEX-H2N8TTG
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
SdzuEnJoJxxU
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
rundll.exe
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe"C:\Users\Admin\AppData\Local\Temp\81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exeFilesize
1004KB
MD5a60109684df6f7ee0d7f942956464212
SHA14262a7dfff7827f3cc3144c5334d28bfab5c8594
SHA25681c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14
SHA512cdf617a1825d33e0a3c32557003214f0e662f3c40709c29e21cf02c6bc6f75ce1299aea1606c9ed3c12aa5b756472285ecb34e22c33c7bb10fd7a191176b00b7
-
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exeFilesize
1004KB
MD5a60109684df6f7ee0d7f942956464212
SHA14262a7dfff7827f3cc3144c5334d28bfab5c8594
SHA25681c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14
SHA512cdf617a1825d33e0a3c32557003214f0e662f3c40709c29e21cf02c6bc6f75ce1299aea1606c9ed3c12aa5b756472285ecb34e22c33c7bb10fd7a191176b00b7
-
memory/1212-135-0x0000000000000000-mapping.dmp