Analysis

  • max time kernel
    152s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/11/2022, 09:54

General

  • Target

    55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe

  • Size

    1.5MB

  • MD5

    370481138474cfcf39b8224c51f6be27

  • SHA1

    bc5e1ba878f76bf7e5e61d8c49c00b980236c70d

  • SHA256

    55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211

  • SHA512

    b8c9a986eeb33aa3b8d51d1e9292dc6b400b42889d5b4e5ab413bc250769c99fb9a53174d0ff3b9bafae6da337a875683c95415ed99f1957177da556407f462b

  • SSDEEP

    24576:jiBIGkbxqEcjsWiDxguehC2SF84fSGTEmSSautCzbqbtiEBCx6jq5Yzd5uQWQoq:mCUumo2EffYSab/qbpBCQf5Bloq

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

2.tcp.ngrok.io:17588

Mutex

DC_MUTEX-WW1H6BV

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    WSfeNvq2d8Yr

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
    "C:\Users\Admin\AppData\Local\Temp\55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3260
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:860
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2996
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1340
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2000
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      2⤵
      • Modifies firewall policy service
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3764
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:1520

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\MUZHIK-TELEVIZOR-PROTIVOGAZ.JPG

            Filesize

            865KB

            MD5

            506559174787b83187ec34afa1f8ef71

            SHA1

            19bb6efcd97598be64baa9a2e708c94bbd83b4e7

            SHA256

            a78bca77b067ccf10ef56b4a5f0b5e88925a602a126c774d3578f5d1830f458b

            SHA512

            17c5926c6f8432c3661d37ac70b94d8bca268fd0c3a5caf7159dd5ea36031f71f1530c0ae856eae938fc6037c664691c8e6ad1823bc27b5b7eb87dad8ca846d1

          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

            Filesize

            1.5MB

            MD5

            370481138474cfcf39b8224c51f6be27

            SHA1

            bc5e1ba878f76bf7e5e61d8c49c00b980236c70d

            SHA256

            55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211

            SHA512

            b8c9a986eeb33aa3b8d51d1e9292dc6b400b42889d5b4e5ab413bc250769c99fb9a53174d0ff3b9bafae6da337a875683c95415ed99f1957177da556407f462b

          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

            Filesize

            1.5MB

            MD5

            370481138474cfcf39b8224c51f6be27

            SHA1

            bc5e1ba878f76bf7e5e61d8c49c00b980236c70d

            SHA256

            55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211

            SHA512

            b8c9a986eeb33aa3b8d51d1e9292dc6b400b42889d5b4e5ab413bc250769c99fb9a53174d0ff3b9bafae6da337a875683c95415ed99f1957177da556407f462b