Analysis
-
max time kernel
157s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
29-11-2022 14:12
General
-
Target
7fb37de5b0d3a10bd5f0c4667421419d5948c422f89116a474250ecadec9ebcb.exe
-
Size
663KB
-
MD5
742b9cfbf6a1a647fff63a68db09ae9a
-
SHA1
401898c521fa87c5390fe84a420ad051b5f00e2e
-
SHA256
7fb37de5b0d3a10bd5f0c4667421419d5948c422f89116a474250ecadec9ebcb
-
SHA512
b20264cab69a080fbee3e117b7978c8e398b3ac898ab8a578dcfbda896148b334cdaa4244ee34064e3a38727556b04a17fa285c50fe344d6fe88ca92681d7e21
-
SSDEEP
12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hu:+Z1xuVVjfFoynPaVBUR8f+kN10EBE
Malware Config
Extracted
darkcomet
Guest16
darkcometrshack.zapto.org:1604
DC_MUTEX-WY98CUV
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
DSuCzdL0CcY0
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7fb37de5b0d3a10bd5f0c4667421419d5948c422f89116a474250ecadec9ebcb.exe"C:\Users\Admin\AppData\Local\Temp\7fb37de5b0d3a10bd5f0c4667421419d5948c422f89116a474250ecadec9ebcb.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
663KB
MD5742b9cfbf6a1a647fff63a68db09ae9a
SHA1401898c521fa87c5390fe84a420ad051b5f00e2e
SHA2567fb37de5b0d3a10bd5f0c4667421419d5948c422f89116a474250ecadec9ebcb
SHA512b20264cab69a080fbee3e117b7978c8e398b3ac898ab8a578dcfbda896148b334cdaa4244ee34064e3a38727556b04a17fa285c50fe344d6fe88ca92681d7e21
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
663KB
MD5742b9cfbf6a1a647fff63a68db09ae9a
SHA1401898c521fa87c5390fe84a420ad051b5f00e2e
SHA2567fb37de5b0d3a10bd5f0c4667421419d5948c422f89116a474250ecadec9ebcb
SHA512b20264cab69a080fbee3e117b7978c8e398b3ac898ab8a578dcfbda896148b334cdaa4244ee34064e3a38727556b04a17fa285c50fe344d6fe88ca92681d7e21
-
memory/640-132-0x0000000000000000-mapping.dmp
-
memory/1448-136-0x0000000000000000-mapping.dmp
-
memory/4556-133-0x0000000000000000-mapping.dmp