Analysis
-
max time kernel
150s -
max time network
42s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
25-11-2022 19:50
General
-
Target
c704c4d969efd8e763ca9652d892da7c920001486bdf25c86a890166a0990ce1.exe
-
Size
329KB
-
MD5
077feedaf2385940d6cb6c485254592f
-
SHA1
105d08d7b083f2204df82ab591c69ebeeddb4299
-
SHA256
c704c4d969efd8e763ca9652d892da7c920001486bdf25c86a890166a0990ce1
-
SHA512
bb78dac12ccc5e84feed1849eb4433ae0850ac71b3df175613dc4bd0fcd520664cdf052345653bc8d48645179d269c3e55adb057f884947abb2e69252221562f
-
SSDEEP
6144:4Qg2zQOG2voQTgbCHEE/fNBLdT9/zxW4q1w12R8OUkYO/WJB:4QdG2wQTgblE3NldT9MZy12RsOk
Malware Config
Extracted
darkcomet
Hacker
cpuexplorerwindows.no-ip.org:1000
DC_MUTEX-25175UU
-
InstallPath
explorer\msdcsc.exe
-
gencode
J2mfaePjL8uT
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c704c4d969efd8e763ca9652d892da7c920001486bdf25c86a890166a0990ce1.exe"C:\Users\Admin\AppData\Local\Temp\c704c4d969efd8e763ca9652d892da7c920001486bdf25c86a890166a0990ce1.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c704c4d969efd8e763ca9652d892da7c920001486bdf25c86a890166a0990ce1.exe2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\c704c4d969efd8e763ca9652d892da7c920001486bdf25c86a890166a0990ce1.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\c704c4d969efd8e763ca9652d892da7c920001486bdf25c86a890166a0990ce1.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Deletes itself
-
C:\Users\Admin\Desktop\explorer\msdcsc.exe"C:\Users\Admin\Desktop\explorer\msdcsc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\explorer\msdcsc.exe4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\explorer\msdcsc.exeFilesize
329KB
MD5077feedaf2385940d6cb6c485254592f
SHA1105d08d7b083f2204df82ab591c69ebeeddb4299
SHA256c704c4d969efd8e763ca9652d892da7c920001486bdf25c86a890166a0990ce1
SHA512bb78dac12ccc5e84feed1849eb4433ae0850ac71b3df175613dc4bd0fcd520664cdf052345653bc8d48645179d269c3e55adb057f884947abb2e69252221562f
-
C:\Users\Admin\Desktop\explorer\msdcsc.exeFilesize
329KB
MD5077feedaf2385940d6cb6c485254592f
SHA1105d08d7b083f2204df82ab591c69ebeeddb4299
SHA256c704c4d969efd8e763ca9652d892da7c920001486bdf25c86a890166a0990ce1
SHA512bb78dac12ccc5e84feed1849eb4433ae0850ac71b3df175613dc4bd0fcd520664cdf052345653bc8d48645179d269c3e55adb057f884947abb2e69252221562f
-
C:\Users\Admin\Desktop\explorer\msdcsc.exeFilesize
329KB
MD5077feedaf2385940d6cb6c485254592f
SHA1105d08d7b083f2204df82ab591c69ebeeddb4299
SHA256c704c4d969efd8e763ca9652d892da7c920001486bdf25c86a890166a0990ce1
SHA512bb78dac12ccc5e84feed1849eb4433ae0850ac71b3df175613dc4bd0fcd520664cdf052345653bc8d48645179d269c3e55adb057f884947abb2e69252221562f
-
\Users\Admin\Desktop\explorer\msdcsc.exeFilesize
329KB
MD5077feedaf2385940d6cb6c485254592f
SHA1105d08d7b083f2204df82ab591c69ebeeddb4299
SHA256c704c4d969efd8e763ca9652d892da7c920001486bdf25c86a890166a0990ce1
SHA512bb78dac12ccc5e84feed1849eb4433ae0850ac71b3df175613dc4bd0fcd520664cdf052345653bc8d48645179d269c3e55adb057f884947abb2e69252221562f
-
\Users\Admin\Desktop\explorer\msdcsc.exeFilesize
329KB
MD5077feedaf2385940d6cb6c485254592f
SHA1105d08d7b083f2204df82ab591c69ebeeddb4299
SHA256c704c4d969efd8e763ca9652d892da7c920001486bdf25c86a890166a0990ce1
SHA512bb78dac12ccc5e84feed1849eb4433ae0850ac71b3df175613dc4bd0fcd520664cdf052345653bc8d48645179d269c3e55adb057f884947abb2e69252221562f
-
memory/760-80-0x0000000000000000-mapping.dmp
-
memory/784-59-0x0000000000370000-0x0000000000380000-memory.dmpFilesize
64KB
-
memory/784-73-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/784-62-0x00000000003A0000-0x00000000003B0000-memory.dmpFilesize
64KB
-
memory/784-63-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/784-61-0x0000000000390000-0x00000000003A0000-memory.dmpFilesize
64KB
-
memory/784-55-0x0000000000270000-0x0000000000280000-memory.dmpFilesize
64KB
-
memory/784-56-0x0000000000300000-0x0000000000310000-memory.dmpFilesize
64KB
-
memory/784-57-0x0000000000310000-0x0000000000320000-memory.dmpFilesize
64KB
-
memory/784-54-0x0000000000220000-0x0000000000230000-memory.dmpFilesize
64KB
-
memory/784-60-0x0000000000380000-0x0000000000390000-memory.dmpFilesize
64KB
-
memory/784-58-0x0000000000320000-0x0000000000330000-memory.dmpFilesize
64KB
-
memory/816-115-0x0000000000400000-0x00000000004CB000-memory.dmpFilesize
812KB
-
memory/816-105-0x00000000004C0E70-mapping.dmp
-
memory/816-110-0x0000000000400000-0x00000000004CB000-memory.dmpFilesize
812KB
-
memory/816-111-0x0000000000400000-0x00000000004CB000-memory.dmpFilesize
812KB
-
memory/816-114-0x0000000000400000-0x00000000004CB000-memory.dmpFilesize
812KB
-
memory/1080-94-0x0000000000360000-0x0000000000370000-memory.dmpFilesize
64KB
-
memory/1080-92-0x0000000000340000-0x0000000000350000-memory.dmpFilesize
64KB
-
memory/1080-108-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/1080-97-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/1080-85-0x0000000000000000-mapping.dmp
-
memory/1080-93-0x0000000000350000-0x0000000000360000-memory.dmpFilesize
64KB
-
memory/1080-87-0x00000000002A0000-0x00000000002B0000-memory.dmpFilesize
64KB
-
memory/1080-88-0x00000000002B0000-0x00000000002C0000-memory.dmpFilesize
64KB
-
memory/1080-89-0x0000000000300000-0x0000000000310000-memory.dmpFilesize
64KB
-
memory/1080-91-0x0000000000330000-0x0000000000340000-memory.dmpFilesize
64KB
-
memory/1380-79-0x0000000000000000-mapping.dmp
-
memory/1480-77-0x0000000000000000-mapping.dmp
-
memory/1496-75-0x0000000000400000-0x00000000004CB000-memory.dmpFilesize
812KB
-
memory/1496-71-0x0000000000400000-0x00000000004CB000-memory.dmpFilesize
812KB
-
memory/1496-74-0x0000000000400000-0x00000000004CB000-memory.dmpFilesize
812KB
-
memory/1496-72-0x0000000075FC1000-0x0000000075FC3000-memory.dmpFilesize
8KB
-
memory/1496-96-0x0000000003AA0000-0x0000000003AAB000-memory.dmpFilesize
44KB
-
memory/1496-64-0x0000000000400000-0x00000000004CB000-memory.dmpFilesize
812KB
-
memory/1496-98-0x0000000000400000-0x00000000004CB000-memory.dmpFilesize
812KB
-
memory/1496-76-0x0000000000400000-0x00000000004CB000-memory.dmpFilesize
812KB
-
memory/1496-70-0x00000000004C0E70-mapping.dmp
-
memory/1496-65-0x0000000000400000-0x00000000004CB000-memory.dmpFilesize
812KB
-
memory/1496-69-0x0000000000400000-0x00000000004CB000-memory.dmpFilesize
812KB
-
memory/1496-67-0x0000000000400000-0x00000000004CB000-memory.dmpFilesize
812KB
-
memory/1528-78-0x0000000000000000-mapping.dmp
-
memory/1824-81-0x0000000000000000-mapping.dmp
-
memory/1960-112-0x0000000000000000-mapping.dmp