Analysis

  • max time kernel
    205s
  • max time network
    208s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2022 06:11

General

  • Target

    24716fe5a1d2d5f9981444cf994191bf079ce985aff699062f7e7b3dc1644624.exe

  • Size

    836KB

  • MD5

    6f90f939b919550ee51d5c8d628cf6e3

  • SHA1

    372d4f0fe47bd63c6df8a9cc785637126935ca87

  • SHA256

    24716fe5a1d2d5f9981444cf994191bf079ce985aff699062f7e7b3dc1644624

  • SHA512

    346296703898a8673555f4cffad0c2e00cee9495d56442744efee77aec70ed291df98859a08c848ab0f4eafd1fac7e21da31d70a20d80e766486402471ee93da

  • SSDEEP

    24576:GcK0FPnmjaDqRTzhuMC1cwzrZttdIE9qOk2VMJGn:V+aDqXud1PZ69OHVR

Malware Config

Extracted

Family

darkcomet

Botnet

hard

C2

gabrielzinho.no-ip.org:1604

Mutex

DC_MUTEX-ZVWF6UW

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    aUYHsEtnsFw3

  • install

    true

  • offline_keylogger

    true

  • password

    87080060abc

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24716fe5a1d2d5f9981444cf994191bf079ce985aff699062f7e7b3dc1644624.exe
    "C:\Users\Admin\AppData\Local\Temp\24716fe5a1d2d5f9981444cf994191bf079ce985aff699062f7e7b3dc1644624.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Users\Admin\AppData\Local\Temp\24716fe5a1d2d5f9981444cf994191bf079ce985aff699062f7e7b3dc1644624.exe
      "C:\Users\Admin\AppData\Local\Temp\24716fe5a1d2d5f9981444cf994191bf079ce985aff699062f7e7b3dc1644624.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2368
        • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
          "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2364
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            5⤵
              PID:4160

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    2
    T1112

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\699c4b9cdebca7aaea5193cae8a50098_e32e1c79-b88e-4709-94fb-81034ca3398e
      Filesize

      50B

      MD5

      5b63d4dd8c04c88c0e30e494ec6a609a

      SHA1

      884d5a8bdc25fe794dc22ef9518009dcf0069d09

      SHA256

      4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

      SHA512

      15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

    • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      Filesize

      836KB

      MD5

      6f90f939b919550ee51d5c8d628cf6e3

      SHA1

      372d4f0fe47bd63c6df8a9cc785637126935ca87

      SHA256

      24716fe5a1d2d5f9981444cf994191bf079ce985aff699062f7e7b3dc1644624

      SHA512

      346296703898a8673555f4cffad0c2e00cee9495d56442744efee77aec70ed291df98859a08c848ab0f4eafd1fac7e21da31d70a20d80e766486402471ee93da

    • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      Filesize

      836KB

      MD5

      6f90f939b919550ee51d5c8d628cf6e3

      SHA1

      372d4f0fe47bd63c6df8a9cc785637126935ca87

      SHA256

      24716fe5a1d2d5f9981444cf994191bf079ce985aff699062f7e7b3dc1644624

      SHA512

      346296703898a8673555f4cffad0c2e00cee9495d56442744efee77aec70ed291df98859a08c848ab0f4eafd1fac7e21da31d70a20d80e766486402471ee93da

    • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      Filesize

      836KB

      MD5

      6f90f939b919550ee51d5c8d628cf6e3

      SHA1

      372d4f0fe47bd63c6df8a9cc785637126935ca87

      SHA256

      24716fe5a1d2d5f9981444cf994191bf079ce985aff699062f7e7b3dc1644624

      SHA512

      346296703898a8673555f4cffad0c2e00cee9495d56442744efee77aec70ed291df98859a08c848ab0f4eafd1fac7e21da31d70a20d80e766486402471ee93da

    • memory/2364-145-0x0000000000000000-mapping.dmp
    • memory/2364-150-0x0000000000400000-0x00000000004CA000-memory.dmp
      Filesize

      808KB

    • memory/2368-139-0x0000000000000000-mapping.dmp
    • memory/3640-138-0x0000000000400000-0x00000000004CA000-memory.dmp
      Filesize

      808KB

    • memory/3640-137-0x0000000000400000-0x00000000004CA000-memory.dmp
      Filesize

      808KB

    • memory/3640-135-0x0000000000400000-0x00000000004CA000-memory.dmp
      Filesize

      808KB

    • memory/3640-134-0x0000000000000000-mapping.dmp
    • memory/3640-136-0x0000000000400000-0x00000000004CA000-memory.dmp
      Filesize

      808KB

    • memory/3640-151-0x0000000000400000-0x00000000004CA000-memory.dmp
      Filesize

      808KB

    • memory/4160-152-0x0000000000000000-mapping.dmp