Overview

overview

10

Static

static

5

55fbc8f96b...19.exe

windows7-x64

10

55fbc8f96b...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 23:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919.exe

  • Size

    1.6MB

  • MD5

    e7881724e1d97b8004f05d94b99f15aa

  • SHA1

    6e35acbf488e569a2b23d2fac9abd1fdc76a010e

  • SHA256

    55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919

  • SHA512

    418156d64454b6587c21ab3e89b21c39d4f1c702f8530ea93a62694f63253e7487e2c80dd5151159b9e5e16bf204299669a057f9520cb6c39256bc9f0ccdb721

  • SSDEEP

    24576:6tb20pkaCqT5TBWgNQ7ad0AtBp5tncdp5JdL8JDOFrksduEIdN6A:nVg5tQ7ad7J5tKjJdL8ikuNIz5

Score
10/10
darkcometinfectedpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Infected

C2

rattingfordays.no-ip.biz:100

Mutex

DC_MUTEX-3K6C68T

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    JDBdm8s85Wwr

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919.exe
    "C:\Users\Admin\AppData\Local\Temp\55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1076
    • C:\Users\Admin\AppData\Local\Temp\55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919.exe
      "C:\Users\Admin\AppData\Local\Temp\55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\732120" "C:\Users\Admin\AppData\Local\Temp\55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Users\Admin\AppData\Local\Temp\55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919.exe
        "C:\Users\Admin\AppData\Local\Temp\55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1624
          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\672072" "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1888
            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
              "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:632
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:824
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\531731" "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1724
                  • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\531731" "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                    9⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:1832
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1832 CREDAT:275457 /prefetch:2
                      10⤵
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:1252

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\672072
    Filesize

    15KB

    MD5

    7040a16aaf3f6e910659af3636bbe6be

    SHA1

    c4d72a1cf968da2ab274c8d9dc2b13a55223be64

    SHA256

    2b88e2d0b5ee95843e6bba987097ad42dc0c2715ea2adf47289f676795454aee

    SHA512

    199d43e845d7c6d394cae98a133c7fff96b71bdef8437aeb6651d44d6731a71efa2e23991384a9e1a3f66c7a38c9fcd71d7e16e2513e8148d21dd2b2bbc3e479

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\732120
    Filesize

    15KB

    MD5

    7040a16aaf3f6e910659af3636bbe6be

    SHA1

    c4d72a1cf968da2ab274c8d9dc2b13a55223be64

    SHA256

    2b88e2d0b5ee95843e6bba987097ad42dc0c2715ea2adf47289f676795454aee

    SHA512

    199d43e845d7c6d394cae98a133c7fff96b71bdef8437aeb6651d44d6731a71efa2e23991384a9e1a3f66c7a38c9fcd71d7e16e2513e8148d21dd2b2bbc3e479

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\incl1
    Filesize

    12KB

    MD5

    fcaa757b4fc32b9c0c66fe31b0de5376

    SHA1

    472bc2e27449278786857bfe609c868127606c3f

    SHA256

    c413b175de5a10cc23eff47d24279b269b3caf5e45d0f1de1ca645c4381fbac9

    SHA512

    ef6186305b43fc0e42cebaac82f123b83be7077a5dd1004bb9b4f82c95da57230b35a24f787ee8e63ed397e91660cfb40c1338f69c68bc7dbce381b53fe4f61c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\incl1
    Filesize

    12KB

    MD5

    fcaa757b4fc32b9c0c66fe31b0de5376

    SHA1

    472bc2e27449278786857bfe609c868127606c3f

    SHA256

    c413b175de5a10cc23eff47d24279b269b3caf5e45d0f1de1ca645c4381fbac9

    SHA512

    ef6186305b43fc0e42cebaac82f123b83be7077a5dd1004bb9b4f82c95da57230b35a24f787ee8e63ed397e91660cfb40c1338f69c68bc7dbce381b53fe4f61c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\incl2
    Filesize

    756KB

    MD5

    7b0aeacc3ec46411d355c090e84a2267

    SHA1

    df573a32519a78edaf37ef2b4d858b031976dc2d

    SHA256

    4b866c78b96f4f82dea55d9864195e8915b666c5e4e070196ac31fbec6510cd1

    SHA512

    8b697dbad9a709193555ab1ede5402f74f788500311d9a319fd164732c5be9b3c7038dc16bb1a6b1c565b60aa86bf2af57585ea065c15cbd2733bb03c758e2a7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\incl2
    Filesize

    756KB

    MD5

    7b0aeacc3ec46411d355c090e84a2267

    SHA1

    df573a32519a78edaf37ef2b4d858b031976dc2d

    SHA256

    4b866c78b96f4f82dea55d9864195e8915b666c5e4e070196ac31fbec6510cd1

    SHA512

    8b697dbad9a709193555ab1ede5402f74f788500311d9a319fd164732c5be9b3c7038dc16bb1a6b1c565b60aa86bf2af57585ea065c15cbd2733bb03c758e2a7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9L9PNDWY.txt
    Filesize

    608B

    MD5

    2f965ac8d11b974944c1efc3098c6be8

    SHA1

    2a2a4bb56a2278b216f0d6656967a4ac971a1472

    SHA256

    5028f1ea9977c62eed75790a57ee2382e5bfcb824a74a13f80a46ff9cc566926

    SHA512

    21e5eecbab47974515e61e61633e796f6c9b7ef845ce9017c9a4978fefebbd12f966cb4db7717bf1c854938c8a164a75aef094b56e9db30b3886671675cebd48

    Download Submit
  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    1.6MB

    MD5

    e7881724e1d97b8004f05d94b99f15aa

    SHA1

    6e35acbf488e569a2b23d2fac9abd1fdc76a010e

    SHA256

    55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919

    SHA512

    418156d64454b6587c21ab3e89b21c39d4f1c702f8530ea93a62694f63253e7487e2c80dd5151159b9e5e16bf204299669a057f9520cb6c39256bc9f0ccdb721

    Download Submit
  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    1.6MB

    MD5

    e7881724e1d97b8004f05d94b99f15aa

    SHA1

    6e35acbf488e569a2b23d2fac9abd1fdc76a010e

    SHA256

    55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919

    SHA512

    418156d64454b6587c21ab3e89b21c39d4f1c702f8530ea93a62694f63253e7487e2c80dd5151159b9e5e16bf204299669a057f9520cb6c39256bc9f0ccdb721

    Download Submit
  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    1.6MB

    MD5

    e7881724e1d97b8004f05d94b99f15aa

    SHA1

    6e35acbf488e569a2b23d2fac9abd1fdc76a010e

    SHA256

    55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919

    SHA512

    418156d64454b6587c21ab3e89b21c39d4f1c702f8530ea93a62694f63253e7487e2c80dd5151159b9e5e16bf204299669a057f9520cb6c39256bc9f0ccdb721

    Download Submit
  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    1.6MB

    MD5

    e7881724e1d97b8004f05d94b99f15aa

    SHA1

    6e35acbf488e569a2b23d2fac9abd1fdc76a010e

    SHA256

    55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919

    SHA512

    418156d64454b6587c21ab3e89b21c39d4f1c702f8530ea93a62694f63253e7487e2c80dd5151159b9e5e16bf204299669a057f9520cb6c39256bc9f0ccdb721

    Download Submit
  • \Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    1.6MB

    MD5

    e7881724e1d97b8004f05d94b99f15aa

    SHA1

    6e35acbf488e569a2b23d2fac9abd1fdc76a010e

    SHA256

    55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919

    SHA512

    418156d64454b6587c21ab3e89b21c39d4f1c702f8530ea93a62694f63253e7487e2c80dd5151159b9e5e16bf204299669a057f9520cb6c39256bc9f0ccdb721

    Download Submit
  • \Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    1.6MB

    MD5

    e7881724e1d97b8004f05d94b99f15aa

    SHA1

    6e35acbf488e569a2b23d2fac9abd1fdc76a010e

    SHA256

    55fbc8f96b54789e032d9d79bb766592e4ccc54c8e7eacbd16142f7f9d529919

    SHA512

    418156d64454b6587c21ab3e89b21c39d4f1c702f8530ea93a62694f63253e7487e2c80dd5151159b9e5e16bf204299669a057f9520cb6c39256bc9f0ccdb721

    Download Submit
  • memory/632-85-0x0000000000080000-0x000000000014A000-memory.dmp
    Filesize

    808KB

    Download
  • memory/632-83-0x000000000010F888-mapping.dmp
    Download
  • memory/632-87-0x0000000000080000-0x000000000014A000-memory.dmp
    Filesize

    808KB

    Download
  • memory/632-88-0x0000000000080000-0x000000000014A000-memory.dmp
    Filesize

    808KB

    Download
  • memory/632-89-0x0000000000080000-0x000000000014A000-memory.dmp
    Filesize

    808KB

    Download
  • memory/632-82-0x0000000000080000-0x000000000014A000-memory.dmp
    Filesize

    808KB

    Download
  • memory/1076-54-0x0000000076831000-0x0000000076833000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1624-68-0x0000000000000000-mapping.dmp
    Download
  • memory/1888-74-0x0000000000000000-mapping.dmp
    Download
  • memory/2024-63-0x00000000002BF888-mapping.dmp
    Download
  • memory/2024-72-0x0000000000230000-0x00000000002FA000-memory.dmp
    Filesize

    808KB

    Download
  • memory/2024-66-0x0000000000230000-0x00000000002FA000-memory.dmp
    Filesize

    808KB

    Download
  • memory/2024-64-0x0000000000230000-0x00000000002FA000-memory.dmp
    Filesize

    808KB

    Download
  • memory/2024-62-0x0000000000230000-0x00000000002FA000-memory.dmp
    Filesize

    808KB

    Download
  • memory/2024-60-0x0000000000230000-0x00000000002FA000-memory.dmp
    Filesize

    808KB

    Download
  • memory/2028-55-0x0000000000000000-mapping.dmp
    Download