Analysis
-
max time kernel
151s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
01-12-2022 09:57
General
-
Target
883cf3810eb735788c1bd2a988516b0dff332834bde632a57de80f83bbfa56a2.exe
-
Size
1.3MB
-
MD5
613ab7ed6c2775609f3c9e7b165004da
-
SHA1
7d303cd2d2fea564dc21f0f68a24ef2258ea60b0
-
SHA256
883cf3810eb735788c1bd2a988516b0dff332834bde632a57de80f83bbfa56a2
-
SHA512
38a376a1230269abc1c94392e98c0a8b71b12ff3b690546751229528c82da8541840d572cb76a0b7f0f5df04c4939c65490d7f1f837af7c430feca4ecf6b775a
-
SSDEEP
24576:RRmJkcoQricOIQxiZY1ia132cWcOrcEMEsDhec44t+Ry34WyuHOiWSz:eJZoQrbTFZY1ia13ycOYEMbec4E12JiV
Malware Config
Extracted
darkcomet
power
gamesgate.servegame.com:1338
gamesgate.servegame.com:8080
gamesgate.servegame.com:1090
gamesgate.servegame.com:27015
gamesgate.servegame.com:5550
gamesgate.servegame.com:1080
gamesgate.servegame.com:2000
gamesgate.servegame.com:15963
DC_MUTEX-DS3FNSW
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
6NxBhjX09mvh
-
install
true
-
offline_keylogger
true
-
password
power94
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\883cf3810eb735788c1bd2a988516b0dff332834bde632a57de80f83bbfa56a2.exe"C:\Users\Admin\AppData\Local\Temp\883cf3810eb735788c1bd2a988516b0dff332834bde632a57de80f83bbfa56a2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\883cf3810eb735788c1bd2a988516b0dff332834bde632a57de80f83bbfa56a2.exe"C:\Users\Admin\AppData\Local\Temp\883cf3810eb735788c1bd2a988516b0dff332834bde632a57de80f83bbfa56a2.exe"2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\883cf3810eb735788c1bd2a988516b0dff332834bde632a57de80f83bbfa56a2.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\883cf3810eb735788c1bd2a988516b0dff332834bde632a57de80f83bbfa56a2.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Deletes itself
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
1.3MB
MD5613ab7ed6c2775609f3c9e7b165004da
SHA17d303cd2d2fea564dc21f0f68a24ef2258ea60b0
SHA256883cf3810eb735788c1bd2a988516b0dff332834bde632a57de80f83bbfa56a2
SHA51238a376a1230269abc1c94392e98c0a8b71b12ff3b690546751229528c82da8541840d572cb76a0b7f0f5df04c4939c65490d7f1f837af7c430feca4ecf6b775a
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
1.3MB
MD5613ab7ed6c2775609f3c9e7b165004da
SHA17d303cd2d2fea564dc21f0f68a24ef2258ea60b0
SHA256883cf3810eb735788c1bd2a988516b0dff332834bde632a57de80f83bbfa56a2
SHA51238a376a1230269abc1c94392e98c0a8b71b12ff3b690546751229528c82da8541840d572cb76a0b7f0f5df04c4939c65490d7f1f837af7c430feca4ecf6b775a
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
1.3MB
MD5613ab7ed6c2775609f3c9e7b165004da
SHA17d303cd2d2fea564dc21f0f68a24ef2258ea60b0
SHA256883cf3810eb735788c1bd2a988516b0dff332834bde632a57de80f83bbfa56a2
SHA51238a376a1230269abc1c94392e98c0a8b71b12ff3b690546751229528c82da8541840d572cb76a0b7f0f5df04c4939c65490d7f1f837af7c430feca4ecf6b775a
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
1.3MB
MD5613ab7ed6c2775609f3c9e7b165004da
SHA17d303cd2d2fea564dc21f0f68a24ef2258ea60b0
SHA256883cf3810eb735788c1bd2a988516b0dff332834bde632a57de80f83bbfa56a2
SHA51238a376a1230269abc1c94392e98c0a8b71b12ff3b690546751229528c82da8541840d572cb76a0b7f0f5df04c4939c65490d7f1f837af7c430feca4ecf6b775a
-
memory/520-78-0x0000000000000000-mapping.dmp
-
memory/560-76-0x0000000000000000-mapping.dmp
-
memory/592-105-0x0000000000000000-mapping.dmp
-
memory/752-81-0x0000000000000000-mapping.dmp
-
memory/788-109-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/788-108-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/788-100-0x000000000048F888-mapping.dmp
-
memory/1336-74-0x0000000000000000-mapping.dmp
-
memory/1732-65-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/1732-67-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/1732-55-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/1732-71-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/1732-70-0x000000000048F888-mapping.dmp
-
memory/1732-56-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/1732-69-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/1732-73-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/1732-107-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/1732-64-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/1732-62-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/1732-60-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/1732-58-0x0000000000400000-0x00000000004BA000-memory.dmpFilesize
744KB
-
memory/1812-80-0x0000000000000000-mapping.dmp
-
memory/1832-75-0x0000000000000000-mapping.dmp
-
memory/1852-54-0x0000000075521000-0x0000000075523000-memory.dmpFilesize
8KB