Analysis

  • max time kernel
    165s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 15:55

General

  • Target

    af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe

  • Size

    363KB

  • MD5

    6868581b7a7f2803a837171254fe6331

  • SHA1

    80e54e9ae298e949e49e06d927a9a5b31b5db21c

  • SHA256

    af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c

  • SHA512

    78cb03d3409db160f0cf69b951c4352a83227a1205f5a7db7aeacf820b06302d80b06fdc643b615bad3fe56b59224370c05c41f1ab9e753d1a39463ca6f8cead

  • SSDEEP

    6144:mmluhyzPvCVoxWCmzUiQbbHhDPx3IfTYjDQ8g5J/ZAv5lFd+V5WnbFwPYzaYd+J:mwWyztxWdzjQbzhV3pjcpJ/2xMYwPY21

Malware Config

Extracted

Family

darkcomet

Botnet

Zombie

C2

microsoftsystem.servehttp.com:1488

Mutex

DC_MUTEX-ADWJ2LM

Attributes
  • InstallPath

    MSNetwork\lsmass.exe

  • gencode

    lajRRURGWL6z

  • install

    true

  • offline_keylogger

    true

  • password

    4nT1Cr4Ck3R3nCrYpT10n

  • persistence

    true

  • reg_key

    Windows-Network Component

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
    "C:\Users\Admin\AppData\Local\Temp\af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3952
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" " stop sharedaccess"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 " stop sharedaccess"
        3⤵
          PID:220
      • C:\Users\Admin\AppData\Local\Temp\af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe
        "C:\Users\Admin\AppData\Local\Temp\af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Checks computer location settings
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:824
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          3⤵
            PID:3512
          • C:\Users\Admin\AppData\Local\Temp\MSNetwork\lsmass.exe
            "C:\Users\Admin\AppData\Local\Temp\MSNetwork\lsmass.exe"
            3⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2004
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\System32\net.exe" " stop sharedaccess"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4904
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 " stop sharedaccess"
                5⤵
                  PID:1300
              • C:\Users\Admin\AppData\Local\Temp\MSNetwork\lsmass.exe
                "C:\Users\Admin\AppData\Local\Temp\MSNetwork\lsmass.exe"
                4⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:3152

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Persistence

        Winlogon Helper DLL

        1
        T1004

        Registry Run Keys / Startup Folder

        1
        T1060

        Defense Evasion

        Modify Registry

        2
        T1112

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\MSNetwork\lsmass.exe
          Filesize

          363KB

          MD5

          6868581b7a7f2803a837171254fe6331

          SHA1

          80e54e9ae298e949e49e06d927a9a5b31b5db21c

          SHA256

          af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c

          SHA512

          78cb03d3409db160f0cf69b951c4352a83227a1205f5a7db7aeacf820b06302d80b06fdc643b615bad3fe56b59224370c05c41f1ab9e753d1a39463ca6f8cead

        • C:\Users\Admin\AppData\Local\Temp\MSNetwork\lsmass.exe
          Filesize

          363KB

          MD5

          6868581b7a7f2803a837171254fe6331

          SHA1

          80e54e9ae298e949e49e06d927a9a5b31b5db21c

          SHA256

          af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c

          SHA512

          78cb03d3409db160f0cf69b951c4352a83227a1205f5a7db7aeacf820b06302d80b06fdc643b615bad3fe56b59224370c05c41f1ab9e753d1a39463ca6f8cead

        • C:\Users\Admin\AppData\Local\Temp\MSNetwork\lsmass.exe
          Filesize

          363KB

          MD5

          6868581b7a7f2803a837171254fe6331

          SHA1

          80e54e9ae298e949e49e06d927a9a5b31b5db21c

          SHA256

          af300f7416cec20a6de2129f132de30826b546b19a69231fcc94ee716f55908c

          SHA512

          78cb03d3409db160f0cf69b951c4352a83227a1205f5a7db7aeacf820b06302d80b06fdc643b615bad3fe56b59224370c05c41f1ab9e753d1a39463ca6f8cead

        • memory/220-135-0x0000000000000000-mapping.dmp
        • memory/824-138-0x0000000000400000-0x00000000004B7000-memory.dmp
          Filesize

          732KB

        • memory/824-139-0x0000000000400000-0x00000000004B7000-memory.dmp
          Filesize

          732KB

        • memory/824-140-0x0000000000400000-0x00000000004B7000-memory.dmp
          Filesize

          732KB

        • memory/824-137-0x0000000000400000-0x00000000004B7000-memory.dmp
          Filesize

          732KB

        • memory/824-142-0x0000000000400000-0x00000000004B7000-memory.dmp
          Filesize

          732KB

        • memory/824-136-0x0000000000000000-mapping.dmp
        • memory/1300-149-0x0000000000000000-mapping.dmp
        • memory/2004-143-0x0000000000000000-mapping.dmp
        • memory/2844-134-0x0000000000000000-mapping.dmp
        • memory/3152-150-0x0000000000000000-mapping.dmp
        • memory/3152-154-0x0000000000400000-0x00000000004B7000-memory.dmp
          Filesize

          732KB

        • memory/3152-155-0x0000000000400000-0x00000000004B7000-memory.dmp
          Filesize

          732KB

        • memory/3152-156-0x0000000000400000-0x00000000004B7000-memory.dmp
          Filesize

          732KB

        • memory/3152-157-0x0000000000400000-0x00000000004B7000-memory.dmp
          Filesize

          732KB

        • memory/3512-141-0x0000000000000000-mapping.dmp
        • memory/4904-148-0x0000000000000000-mapping.dmp