Overview

overview

10

Static

static

10

24c1639572...86.exe

windows7-x64

10

24c1639572...86.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    180s
  • max time network
    99s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24c1639572bc578e73fb540049f85965d7507193295d92f76182a74f1159cb86.exe

  • Size

    902KB

  • MD5

    24f9560078b41421ef6e7b578e11707d

  • SHA1

    9538044dde6f01d845ed85f2aba2d6c5dba4ed84

  • SHA256

    24c1639572bc578e73fb540049f85965d7507193295d92f76182a74f1159cb86

  • SHA512

    d16e5473c101b5753e329b952acc84c3c6a0a61444e1a584b91e4966edf0f736bee7b34e096a19ae77be5de131da564a0295199156d088cf99bc6dff57caa63d

  • SSDEEP

    24576:LAz5yV99MCTKMQtCypy9IvmAro8+Ehds7ULh6kR:MIEXpIchds7ULhL

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

nizamcik.zapto.org:1604

Mutex

DC_MUTEX-11C9ZRU

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    dmLlC7W9J569

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24c1639572bc578e73fb540049f85965d7507193295d92f76182a74f1159cb86.exe
    "C:\Users\Admin\AppData\Local\Temp\24c1639572bc578e73fb540049f85965d7507193295d92f76182a74f1159cb86.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:360
    • C:\Users\Admin\AppData\Local\Temp\WindowsPerformanceController.oohqjqzw3il.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
      C:\Users\Admin\AppData\Local\Temp\WindowsPerformanceController.oohqjqzw3il.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:1220
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          3⤵
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            4⤵
              PID:1556

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Winlogon Helper DLL

      1
      T1004

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      4
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\WindowsPerformanceController.oohqjqzw3il.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
        Filesize

        715KB

        MD5

        414312cdb310c45b4eb399b7d8ea9469

        SHA1

        69d7034422d76f4ffefa9e53765c1cdab21f6297

        SHA256

        706d041d6d4777163cb7ac730caf7f97f6f3f3bd6cfa06cddfb28efe3618b418

        SHA512

        1756d4ac297bae3bf6718d328d981753e64964673ecfe4edab4f6942437ea6bd2b3b0064f2d6a5ba217befb8d36c1af78df0af909dcebd2bee037f829fcad380

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\WindowsPerformanceController.oohqjqzw3il.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
        Filesize

        715KB

        MD5

        414312cdb310c45b4eb399b7d8ea9469

        SHA1

        69d7034422d76f4ffefa9e53765c1cdab21f6297

        SHA256

        706d041d6d4777163cb7ac730caf7f97f6f3f3bd6cfa06cddfb28efe3618b418

        SHA512

        1756d4ac297bae3bf6718d328d981753e64964673ecfe4edab4f6942437ea6bd2b3b0064f2d6a5ba217befb8d36c1af78df0af909dcebd2bee037f829fcad380

        Download Submit
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        715KB

        MD5

        414312cdb310c45b4eb399b7d8ea9469

        SHA1

        69d7034422d76f4ffefa9e53765c1cdab21f6297

        SHA256

        706d041d6d4777163cb7ac730caf7f97f6f3f3bd6cfa06cddfb28efe3618b418

        SHA512

        1756d4ac297bae3bf6718d328d981753e64964673ecfe4edab4f6942437ea6bd2b3b0064f2d6a5ba217befb8d36c1af78df0af909dcebd2bee037f829fcad380

        Download Submit
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        715KB

        MD5

        414312cdb310c45b4eb399b7d8ea9469

        SHA1

        69d7034422d76f4ffefa9e53765c1cdab21f6297

        SHA256

        706d041d6d4777163cb7ac730caf7f97f6f3f3bd6cfa06cddfb28efe3618b418

        SHA512

        1756d4ac297bae3bf6718d328d981753e64964673ecfe4edab4f6942437ea6bd2b3b0064f2d6a5ba217befb8d36c1af78df0af909dcebd2bee037f829fcad380

        Download Submit
      • \Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        715KB

        MD5

        414312cdb310c45b4eb399b7d8ea9469

        SHA1

        69d7034422d76f4ffefa9e53765c1cdab21f6297

        SHA256

        706d041d6d4777163cb7ac730caf7f97f6f3f3bd6cfa06cddfb28efe3618b418

        SHA512

        1756d4ac297bae3bf6718d328d981753e64964673ecfe4edab4f6942437ea6bd2b3b0064f2d6a5ba217befb8d36c1af78df0af909dcebd2bee037f829fcad380

        Download Submit
      • \Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        715KB

        MD5

        414312cdb310c45b4eb399b7d8ea9469

        SHA1

        69d7034422d76f4ffefa9e53765c1cdab21f6297

        SHA256

        706d041d6d4777163cb7ac730caf7f97f6f3f3bd6cfa06cddfb28efe3618b418

        SHA512

        1756d4ac297bae3bf6718d328d981753e64964673ecfe4edab4f6942437ea6bd2b3b0064f2d6a5ba217befb8d36c1af78df0af909dcebd2bee037f829fcad380

        Download Submit
      • memory/360-60-0x00000000004AC000-0x00000000004CB000-memory.dmp
        Filesize

        124KB

        Download
      • memory/360-54-0x000007FEF40C0000-0x000007FEF4AE3000-memory.dmp
        Filesize

        10.1MB

        Download
      • memory/360-56-0x00000000004AC000-0x00000000004CB000-memory.dmp
        Filesize

        124KB

        Download
      • memory/360-55-0x000007FEF3020000-0x000007FEF40B6000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/948-59-0x00000000767D1000-0x00000000767D3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/948-57-0x0000000000000000-mapping.dmp
        Download
      • memory/1220-62-0x0000000000000000-mapping.dmp
        Download
      • memory/1556-70-0x0000000000000000-mapping.dmp
        Download
      • memory/1664-66-0x0000000000000000-mapping.dmp
        Download