Overview

overview

10

Static

static

cdcbef9468...3e.exe

windows7-x64

10

cdcbef9468...3e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    186s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2022 00:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cdcbef9468496cd757f531e70ae814364734e7e06fb1685b41768b8cb3a13b3e.exe

  • Size

    284KB

  • MD5

    d5a63e3923e6303bfddf09ad0ed4e180

  • SHA1

    7116926ad42ba42e7cc029125e65ba7f7b30bcad

  • SHA256

    cdcbef9468496cd757f531e70ae814364734e7e06fb1685b41768b8cb3a13b3e

  • SHA512

    88edb26a18dec93e77c1ff3d2b2c9634b88edd1f334139bcf5a9986171d17c1b36fbd2b12901677cb29df5304257f0f7c2c70661777c3f5346e0effc43ca422c

  • SSDEEP

    6144:aSMziw0/rI69JTH87oG2gAON1kBOFq8ApM9:aSMz0/L1YoLDLBc3ApM9

Score
10/10
darkcometdarkcometevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

DarkComet

C2

swixtor.no-ip.org:200

Mutex

DC_MUTEX-8T9CL5E

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    lq9FU6ZBn2HD

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdcbef9468496cd757f531e70ae814364734e7e06fb1685b41768b8cb3a13b3e.exe
    "C:\Users\Admin\AppData\Local\Temp\cdcbef9468496cd757f531e70ae814364734e7e06fb1685b41768b8cb3a13b3e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\9EEF.tmp\KeepThis.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Users\Admin\AppData\Local\Temp\test.exe
        test.exe
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1900
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\test.exe" +s +h
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1084
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp\test.exe" +s +h
            5⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:1712
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:892
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            5⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:2016
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          4⤵
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1312
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            5⤵
              PID:1220

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Hidden Files and Directories

    2
    T1158

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Hidden Files and Directories

    2
    T1158

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\9EEF.tmp\KeepThis.bat
      Filesize

      39B

      MD5

      ff6557c86f258c3aec17f15579a7cc97

      SHA1

      feeb0a498b3f851a939b0e09fc8967a732fc2242

      SHA256

      36314ae3076f7de0aed8346749ec3b335aeea8be1fe564d14d689f067f424322

      SHA512

      d898d80623b5bc92cc7427dcfeb55ce337d6155eb99991e5686cdcea230d5a64bbb642337542e08905024d50156de7547b8f24c16882ec78ba90e5e022244925

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\test.exe
      Filesize

      690KB

      MD5

      68792f72501d008e36a4c1a6fdcf163f

      SHA1

      30d8bc4f8f812369158b464830ef27ff4dbca7a3

      SHA256

      ef83b9ca6a9bae7b25d5413051e26fc4ed2af32eef7b61c4a15a6ce9cf80f6ea

      SHA512

      8a34149c1aa77856a7e42010cb5469b63c027346a2bb8c3ae23cb8a64cf24a1a4b5521bf2ba892fdceaac20851a49b849d41231dd740439c2b2ce5f5cc0ee32a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\test.exe
      Filesize

      690KB

      MD5

      68792f72501d008e36a4c1a6fdcf163f

      SHA1

      30d8bc4f8f812369158b464830ef27ff4dbca7a3

      SHA256

      ef83b9ca6a9bae7b25d5413051e26fc4ed2af32eef7b61c4a15a6ce9cf80f6ea

      SHA512

      8a34149c1aa77856a7e42010cb5469b63c027346a2bb8c3ae23cb8a64cf24a1a4b5521bf2ba892fdceaac20851a49b849d41231dd740439c2b2ce5f5cc0ee32a

      Download Submit
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Filesize

      690KB

      MD5

      68792f72501d008e36a4c1a6fdcf163f

      SHA1

      30d8bc4f8f812369158b464830ef27ff4dbca7a3

      SHA256

      ef83b9ca6a9bae7b25d5413051e26fc4ed2af32eef7b61c4a15a6ce9cf80f6ea

      SHA512

      8a34149c1aa77856a7e42010cb5469b63c027346a2bb8c3ae23cb8a64cf24a1a4b5521bf2ba892fdceaac20851a49b849d41231dd740439c2b2ce5f5cc0ee32a

      Download Submit
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Filesize

      690KB

      MD5

      68792f72501d008e36a4c1a6fdcf163f

      SHA1

      30d8bc4f8f812369158b464830ef27ff4dbca7a3

      SHA256

      ef83b9ca6a9bae7b25d5413051e26fc4ed2af32eef7b61c4a15a6ce9cf80f6ea

      SHA512

      8a34149c1aa77856a7e42010cb5469b63c027346a2bb8c3ae23cb8a64cf24a1a4b5521bf2ba892fdceaac20851a49b849d41231dd740439c2b2ce5f5cc0ee32a

      Download Submit
    • \Users\Admin\Documents\MSDCSC\msdcsc.exe
      Filesize

      690KB

      MD5

      68792f72501d008e36a4c1a6fdcf163f

      SHA1

      30d8bc4f8f812369158b464830ef27ff4dbca7a3

      SHA256

      ef83b9ca6a9bae7b25d5413051e26fc4ed2af32eef7b61c4a15a6ce9cf80f6ea

      SHA512

      8a34149c1aa77856a7e42010cb5469b63c027346a2bb8c3ae23cb8a64cf24a1a4b5521bf2ba892fdceaac20851a49b849d41231dd740439c2b2ce5f5cc0ee32a

      Download Submit
    • \Users\Admin\Documents\MSDCSC\msdcsc.exe
      Filesize

      690KB

      MD5

      68792f72501d008e36a4c1a6fdcf163f

      SHA1

      30d8bc4f8f812369158b464830ef27ff4dbca7a3

      SHA256

      ef83b9ca6a9bae7b25d5413051e26fc4ed2af32eef7b61c4a15a6ce9cf80f6ea

      SHA512

      8a34149c1aa77856a7e42010cb5469b63c027346a2bb8c3ae23cb8a64cf24a1a4b5521bf2ba892fdceaac20851a49b849d41231dd740439c2b2ce5f5cc0ee32a

      Download Submit
    • memory/316-61-0x0000000140000000-0x00000001400C3000-memory.dmp
      Filesize

      780KB

      Download
    • memory/316-54-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/892-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1084-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1220-72-0x0000000000000000-mapping.dmp
      Download
    • memory/1312-68-0x0000000000000000-mapping.dmp
      Download
    • memory/1712-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1896-55-0x0000000000000000-mapping.dmp
      Download
    • memory/1900-60-0x0000000076121000-0x0000000076123000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1900-58-0x0000000000000000-mapping.dmp
      Download
    • memory/2016-65-0x0000000000000000-mapping.dmp
      Download