Overview

overview

10

Static

static

418c793d11...1f.exe

windows7-x64

10

418c793d11...1f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    166s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 15:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    418c793d114ddcb9dac4b04b08b32c74858b47f9df654c43e10b687ab8442e1f.exe

  • Size

    573KB

  • MD5

    c9c05cae0a7af3f0d2b4091682caa3e4

  • SHA1

    73ab52ec297aad007322feb4279605ac91ebb4e6

  • SHA256

    418c793d114ddcb9dac4b04b08b32c74858b47f9df654c43e10b687ab8442e1f

  • SHA512

    ba77a67e8851a73f238fd1f940bc3a3696a54d0aa51217c021d771a29a4599e012720bc6bd27e57942e1fcd3196cebde39bb1e41337026f6f1e24cdb9b5b3965

  • SSDEEP

    12288:qRWNcr8oxnJ9yxBdBaHnQuQUxM0lpS0WIzdfGWVX5eow:ZNBIJQteQYMapS0W6de6W

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

jonas24.no-ip.biz:1630

Mutex

DC_MUTEX-FYQ3L58

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    oVsFPxtqM18C

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 3 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\418c793d114ddcb9dac4b04b08b32c74858b47f9df654c43e10b687ab8442e1f.exe
    "C:\Users\Admin\AppData\Local\Temp\418c793d114ddcb9dac4b04b08b32c74858b47f9df654c43e10b687ab8442e1f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:920
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.sfx.exe
        Server.sfx.exe -p123 -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1200
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Checks computer location settings
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1136
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe" +s +h
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1020
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe" +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:1448
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1" +s +h
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4136
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1" +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:4848
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            5⤵
              PID:3384
            • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
              "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
              5⤵
              • Modifies firewall policy service
              • Modifies security service
              • Windows security bypass
              • Disables RegEdit via registry modification
              • Executes dropped EXE
              • Windows security modification
              • Adds Run key to start application
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4052
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                6⤵
                  PID:4480
                • C:\Windows\explorer.exe
                  "C:\Windows\explorer.exe"
                  6⤵
                    PID:812
                  • C:\Windows\SysWOW64\notepad.exe
                    notepad
                    6⤵
                      PID:1408

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
            Filesize

            756KB

            MD5

            90a107c3d53c5cbecd748bce9005add6

            SHA1

            1a8ad010c53cd75af7d42cd22b90075d14e4842c

            SHA256

            78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

            SHA512

            9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
            Filesize

            756KB

            MD5

            90a107c3d53c5cbecd748bce9005add6

            SHA1

            1a8ad010c53cd75af7d42cd22b90075d14e4842c

            SHA256

            78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

            SHA512

            9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fud.bat
            Filesize

            29B

            MD5

            2f7a8311a80bac88bdb24f6444cf867b

            SHA1

            b88808595430620ccb47e1513f9f80a7300672c7

            SHA256

            42a20ef5dd7d810ca2a2e64c84ce7ebdd1710ea338fed7c22d7b8b4c2ad0edd7

            SHA512

            c5805844df8d8f1a3bd10f25db72484cda47f7e6f77d7c823c6777497983ebd42a498f3efffddf0e9feeb0bb8c0e5d09c2a5bb1779c65841d8ea4f3ba47ae012

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.sfx.exe
            Filesize

            476KB

            MD5

            8f6946a39d2fa75a1dfa050c61c2d10e

            SHA1

            1d710a544c0570e21e9668f9bcf286aa8651368d

            SHA256

            f2ac53cb6c9d4035953fd0facd4dc36baa8b1a7bd619d7787a6348c4ef76de21

            SHA512

            b6ab71d25dbb65d9d711fda0816876591c2df33276cd0ffa9f1627acb8fab1e030906d84498839fd954dc80813f6c24fe16edb23026c3d30f0e0a7a17468fc54

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.sfx.exe
            Filesize

            476KB

            MD5

            8f6946a39d2fa75a1dfa050c61c2d10e

            SHA1

            1d710a544c0570e21e9668f9bcf286aa8651368d

            SHA256

            f2ac53cb6c9d4035953fd0facd4dc36baa8b1a7bd619d7787a6348c4ef76de21

            SHA512

            b6ab71d25dbb65d9d711fda0816876591c2df33276cd0ffa9f1627acb8fab1e030906d84498839fd954dc80813f6c24fe16edb23026c3d30f0e0a7a17468fc54

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe
            Filesize

            756KB

            MD5

            90a107c3d53c5cbecd748bce9005add6

            SHA1

            1a8ad010c53cd75af7d42cd22b90075d14e4842c

            SHA256

            78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

            SHA512

            9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\server.exe
            Filesize

            756KB

            MD5

            90a107c3d53c5cbecd748bce9005add6

            SHA1

            1a8ad010c53cd75af7d42cd22b90075d14e4842c

            SHA256

            78f119546654d1e4236221242d84ab342e558c382bc7174c6062c9ffae1c6447

            SHA512

            9f943fb6d0424694646398880e0706a69db68216cbef00351b6a1d3457f621cd5965d570068f53ecee107130f506eb395a7e021662a82f13bc746ff88a63bfbc

            Download Submit

          • memory/812-148-0x0000000000000000-mapping.dmp

            Download

          • memory/1020-140-0x0000000000000000-mapping.dmp

            Download

          • memory/1136-137-0x0000000000000000-mapping.dmp

            Download

          • memory/1200-134-0x0000000000000000-mapping.dmp

            Download

          • memory/1408-149-0x0000000000000000-mapping.dmp

            Download

          • memory/1448-143-0x0000000000000000-mapping.dmp

            Download

          • memory/3384-142-0x0000000000000000-mapping.dmp

            Download

          • memory/3972-132-0x0000000000000000-mapping.dmp

            Download

          • memory/4052-145-0x0000000000000000-mapping.dmp

            Download

          • memory/4136-141-0x0000000000000000-mapping.dmp

            Download

          • memory/4848-144-0x0000000000000000-mapping.dmp

            Download