Analysis
-
max time kernel
157s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
03-12-2022 15:21
General
-
Target
aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8.exe
-
Size
1.0MB
-
MD5
c5c9a0332222e43d9573cc9c70c34355
-
SHA1
4db65d1c88c123806aba5f4d6889bf4bfa25cca9
-
SHA256
aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8
-
SHA512
b18dc4b1fd763a0940ee48ebe3f17e88de23177b05429850d2d29288223d9466c42c163ab9b1c0ad431024b6b6a7cfa46790d8cce67a92a3d289d5f5de097498
-
SSDEEP
12288:C2wr5i38VeUbBG7QUDcMBqD3cwkz7RZ/vCgC430iPigX5QOfenwa0bR+/UFQhf7c:V3kPOcEqDw3I4BTewauR/F8f9C14E
Malware Config
Extracted
darkcomet
Victima
mala-87.no-ip.org:1604
DC_MUTEX-WFM1HME
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
1H10Q6SrzhVj
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8.exe"C:\Users\Admin\AppData\Local\Temp\aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8.exeC:\Users\Admin\AppData\Local\Temp\aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8.exe2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeC:\Users\Admin\Documents\MSDCSC\msdcsc.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
1.0MB
MD5c5c9a0332222e43d9573cc9c70c34355
SHA14db65d1c88c123806aba5f4d6889bf4bfa25cca9
SHA256aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8
SHA512b18dc4b1fd763a0940ee48ebe3f17e88de23177b05429850d2d29288223d9466c42c163ab9b1c0ad431024b6b6a7cfa46790d8cce67a92a3d289d5f5de097498
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
1.0MB
MD5c5c9a0332222e43d9573cc9c70c34355
SHA14db65d1c88c123806aba5f4d6889bf4bfa25cca9
SHA256aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8
SHA512b18dc4b1fd763a0940ee48ebe3f17e88de23177b05429850d2d29288223d9466c42c163ab9b1c0ad431024b6b6a7cfa46790d8cce67a92a3d289d5f5de097498
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
1.0MB
MD5c5c9a0332222e43d9573cc9c70c34355
SHA14db65d1c88c123806aba5f4d6889bf4bfa25cca9
SHA256aee9537368f0783e23baf4f027b85b1a0d511afc8a061b0e561cc5c0c0de3fd8
SHA512b18dc4b1fd763a0940ee48ebe3f17e88de23177b05429850d2d29288223d9466c42c163ab9b1c0ad431024b6b6a7cfa46790d8cce67a92a3d289d5f5de097498
-
memory/1020-153-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/1020-152-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/1020-145-0x0000000000000000-mapping.dmp
-
memory/1268-132-0x0000000000000000-mapping.dmp
-
memory/1268-133-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/1268-134-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/1268-136-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/1268-137-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/1268-151-0x0000000000400000-0x00000000004DC000-memory.dmpFilesize
880KB
-
memory/2400-144-0x0000000000000000-mapping.dmp
-
memory/2468-150-0x0000000000000000-mapping.dmp
-
memory/2816-143-0x0000000000000000-mapping.dmp
-
memory/3248-139-0x0000000000000000-mapping.dmp
-
memory/3744-138-0x0000000000000000-mapping.dmp
-
memory/4580-135-0x0000000000550000-0x0000000000554000-memory.dmpFilesize
16KB
-
memory/4948-140-0x0000000000000000-mapping.dmp