Overview

overview

10

Static

static

418c793d11...1f.exe

windows7-x64

10

418c793d11...1f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    182s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 15:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    418c793d114ddcb9dac4b04b08b32c74858b47f9df654c43e10b687ab8442e1f.exe

  • Size

    573KB

  • MD5

    c9c05cae0a7af3f0d2b4091682caa3e4

  • SHA1

    73ab52ec297aad007322feb4279605ac91ebb4e6

  • SHA256

    418c793d114ddcb9dac4b04b08b32c74858b47f9df654c43e10b687ab8442e1f

  • SHA512

    ba77a67e8851a73f238fd1f940bc3a3696a54d0aa51217c021d771a29a4599e012720bc6bd27e57942e1fcd3196cebde39bb1e41337026f6f1e24cdb9b5b3965

  • SSDEEP

    12288:qRWNcr8oxnJ9yxBdBaHnQuQUxM0lpS0WIzdfGWVX5eow:ZNBIJQteQYMapS0W6de6W

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

jonas24.no-ip.biz:1630

Mutex

DC_MUTEX-FYQ3L58

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    oVsFPxtqM18C

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 3 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\418c793d114ddcb9dac4b04b08b32c74858b47f9df654c43e10b687ab8442e1f.exe
    "C:\Users\Admin\AppData\Local\Temp\418c793d114ddcb9dac4b04b08b32c74858b47f9df654c43e10b687ab8442e1f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.sfx.exe
        Server.sfx.exe -p123 -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:592
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2024
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe" +s +h
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1212
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe" +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:1780
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1" +s +h
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1492
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1" +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:1132
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            5⤵
              PID:1920
            • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
              "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
              5⤵
              • Modifies firewall policy service
              • Modifies security service
              • Windows security bypass
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Windows security modification
              • Adds Run key to start application
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:1512
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                6⤵
                • Modifies firewall policy service
                • Modifies security service
                • Windows security bypass
                • Disables RegEdit via registry modification
                • Adds Run key to start application
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:1264
                • C:\Windows\SysWOW64\notepad.exe
                  notepad
                  7⤵
                    PID:1932

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Winlogon Helper DLL

      1
      T1004

      Modify Existing Service

      2
      T1031

      Hidden Files and Directories

      2
      T1158

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      7
      T1112

      Disabling Security Tools

      2
      T1089

      Hidden Files and Directories

      2
      T1158

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
        Filesize

        756KB

        MD5

        90a107c3d53c5cbecd748bce9005add6

        SHA1

        1a8ad010c53cd75af7d42cd22b90075d14e4842c

        SHA256

        78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

        SHA512

        9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
        Filesize

        756KB

        MD5

        90a107c3d53c5cbecd748bce9005add6

        SHA1

        1a8ad010c53cd75af7d42cd22b90075d14e4842c

        SHA256

        78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

        SHA512

        9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat
        Filesize

        29B

        MD5

        2f7a8311a80bac88bdb24f6444cf867b

        SHA1

        b88808595430620ccb47e1513f9f80a7300672c7

        SHA256

        42a20ef5dd7d810ca2a2e64c84ce7ebdd1710ea338fed7c22d7b8b4c2ad0edd7

        SHA512

        c5805844df8d8f1a3bd10f25db72484cda47f7e6f77d7c823c6777497983ebd42a498f3efffddf0e9feeb0bb8c0e5d09c2a5bb1779c65841d8ea4f3ba47ae012

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.sfx.exe
        Filesize

        476KB

        MD5

        8f6946a39d2fa75a1dfa050c61c2d10e

        SHA1

        1d710a544c0570e21e9668f9bcf286aa8651368d

        SHA256

        f2ac53cb6c9d4035953fd0facd4dc36baa8b1a7bd619d7787a6348c4ef76de21

        SHA512

        b6ab71d25dbb65d9d711fda0816876591c2df33276cd0ffa9f1627acb8fab1e030906d84498839fd954dc80813f6c24fe16edb23026c3d30f0e0a7a17468fc54

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.sfx.exe
        Filesize

        476KB

        MD5

        8f6946a39d2fa75a1dfa050c61c2d10e

        SHA1

        1d710a544c0570e21e9668f9bcf286aa8651368d

        SHA256

        f2ac53cb6c9d4035953fd0facd4dc36baa8b1a7bd619d7787a6348c4ef76de21

        SHA512

        b6ab71d25dbb65d9d711fda0816876591c2df33276cd0ffa9f1627acb8fab1e030906d84498839fd954dc80813f6c24fe16edb23026c3d30f0e0a7a17468fc54

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe
        Filesize

        756KB

        MD5

        90a107c3d53c5cbecd748bce9005add6

        SHA1

        1a8ad010c53cd75af7d42cd22b90075d14e4842c

        SHA256

        78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

        SHA512

        9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe
        Filesize

        756KB

        MD5

        90a107c3d53c5cbecd748bce9005add6

        SHA1

        1a8ad010c53cd75af7d42cd22b90075d14e4842c

        SHA256

        78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

        SHA512

        9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

        Download Submit
      • \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
        Filesize

        756KB

        MD5

        90a107c3d53c5cbecd748bce9005add6

        SHA1

        1a8ad010c53cd75af7d42cd22b90075d14e4842c

        SHA256

        78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

        SHA512

        9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

        Download Submit
      • \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
        Filesize

        756KB

        MD5

        90a107c3d53c5cbecd748bce9005add6

        SHA1

        1a8ad010c53cd75af7d42cd22b90075d14e4842c

        SHA256

        78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

        SHA512

        9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

        Download Submit
      • \Users\Admin\AppData\Local\Temp\RarSFX0\server.sfx.exe
        Filesize

        476KB

        MD5

        8f6946a39d2fa75a1dfa050c61c2d10e

        SHA1

        1d710a544c0570e21e9668f9bcf286aa8651368d

        SHA256

        f2ac53cb6c9d4035953fd0facd4dc36baa8b1a7bd619d7787a6348c4ef76de21

        SHA512

        b6ab71d25dbb65d9d711fda0816876591c2df33276cd0ffa9f1627acb8fab1e030906d84498839fd954dc80813f6c24fe16edb23026c3d30f0e0a7a17468fc54

        Download Submit
      • \Users\Admin\AppData\Local\Temp\RarSFX1\server.exe
        Filesize

        756KB

        MD5

        90a107c3d53c5cbecd748bce9005add6

        SHA1

        1a8ad010c53cd75af7d42cd22b90075d14e4842c

        SHA256

        78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

        SHA512

        9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

        Download Submit
      • \Users\Admin\AppData\Local\Temp\RarSFX1\server.exe
        Filesize

        756KB

        MD5

        90a107c3d53c5cbecd748bce9005add6

        SHA1

        1a8ad010c53cd75af7d42cd22b90075d14e4842c

        SHA256

        78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

        SHA512

        9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

        Download Submit
      • \Users\Admin\AppData\Local\Temp\RarSFX1\server.exe
        Filesize

        756KB

        MD5

        90a107c3d53c5cbecd748bce9005add6

        SHA1

        1a8ad010c53cd75af7d42cd22b90075d14e4842c

        SHA256

        78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

        SHA512

        9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

        Download Submit
      • \Users\Admin\AppData\Local\Temp\RarSFX1\server.exe
        Filesize

        756KB

        MD5

        90a107c3d53c5cbecd748bce9005add6

        SHA1

        1a8ad010c53cd75af7d42cd22b90075d14e4842c

        SHA256

        78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

        SHA512

        9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

        Download Submit
      • \Users\Admin\AppData\Local\Temp\RarSFX1\server.exe
        Filesize

        756KB

        MD5

        90a107c3d53c5cbecd748bce9005add6

        SHA1

        1a8ad010c53cd75af7d42cd22b90075d14e4842c

        SHA256

        78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

        SHA512

        9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

        Download Submit
      • memory/592-60-0x0000000000000000-mapping.dmp
        Download
      • memory/1132-80-0x0000000000000000-mapping.dmp
        Download
      • memory/1212-72-0x0000000000000000-mapping.dmp
        Download
      • memory/1220-54-0x0000000075A91000-0x0000000075A93000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1492-73-0x0000000000000000-mapping.dmp
        Download
      • memory/1512-84-0x0000000000000000-mapping.dmp
        Download
      • memory/1552-55-0x0000000000000000-mapping.dmp
        Download
      • memory/1780-76-0x0000000000000000-mapping.dmp
        Download
      • memory/1920-75-0x0000000000000000-mapping.dmp
        Download
      • memory/1932-88-0x0000000000000000-mapping.dmp
        Download
      • memory/2024-68-0x0000000000000000-mapping.dmp
        Download