Overview

overview

10

Static

static

c2b9789afd...03.exe

windows7-x64

10

c2b9789afd...03.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2022 03:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c2b9789afd8ef5c0d52b89acd6979206b4afd2857e81a8e1fe1583cb3248d903.exe

  • Size

    1.4MB

  • MD5

    963fcbc4e17e12ed311ebafd76c308b7

  • SHA1

    094d1280d925811e88ee511e75dcef95d977d4fd

  • SHA256

    c2b9789afd8ef5c0d52b89acd6979206b4afd2857e81a8e1fe1583cb3248d903

  • SHA512

    01a0a8f6674574bd1cb3b71d194285ec968e25594c5bebe4de55c023dd4f9ef46f45330162eda251e62842148d08312b8465c6b50d49f2a332743b43e010d65f

  • SSDEEP

    24576:xUP/y4LAuYTJkkhas4G3nJvvQMOHIvtThAECEXNj8ASgnSjDQizcROqxGZ:Mq4LAv1kk8zk5OuNhAECkNigSvbPqU

Score
10/10
darkcomethfevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

thailandhack.no-ip.org:83

Mutex

DC_MUTEX-KT2FTNQ

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    vt9w2l6Dosvn

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2b9789afd8ef5c0d52b89acd6979206b4afd2857e81a8e1fe1583cb3248d903.exe
    "C:\Users\Admin\AppData\Local\Temp\c2b9789afd8ef5c0d52b89acd6979206b4afd2857e81a8e1fe1583cb3248d903.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Local\Temp\212r.exe
      "C:\Users\Admin\AppData\Local\Temp\212r.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Modifies firewall policy service
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:644
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

1
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\212r.exe
    Filesize

    1.2MB

    MD5

    3539ab0f4c2410b3083e7c14ef56534a

    SHA1

    bd9b11442936503eabd931049ad12c7929387988

    SHA256

    6ac0695b6649ce7df26c3b257bd8b00bcc9e363f0b92ef0e53ffd56ee717a50a

    SHA512

    6707d7a2fa9041b6c63033e8b3aeb7795e138d00fc53be5a9f97117ccb77f0c0e456cccf0262bf3d491d24d413ca040b364d9b1275f7bb9372e9487b67c1c463

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\212r.exe
    Filesize

    1.2MB

    MD5

    3539ab0f4c2410b3083e7c14ef56534a

    SHA1

    bd9b11442936503eabd931049ad12c7929387988

    SHA256

    6ac0695b6649ce7df26c3b257bd8b00bcc9e363f0b92ef0e53ffd56ee717a50a

    SHA512

    6707d7a2fa9041b6c63033e8b3aeb7795e138d00fc53be5a9f97117ccb77f0c0e456cccf0262bf3d491d24d413ca040b364d9b1275f7bb9372e9487b67c1c463

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\´éҹ˹éÒàÊ×éÍ1 copy.JPG
    Filesize

    97KB

    MD5

    9cb2bc22b877519f49122ab3af08a77e

    SHA1

    e4b4223bac51e0a46097a2356e690c26a6aa52a7

    SHA256

    3d30cd299f122d6d16a2cb2b9b202f20336f8509f74b006696e9a04d719bd7ee

    SHA512

    7ce2a02621bb56579704bce06cbce4fe123904d0fbd685b29a0accdb2c0adf0373fdb3329fedeb68dd95c42f929f3bbf332c1bfb456316e433a34a263d90b987

    Download Submit
  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    1.2MB

    MD5

    3539ab0f4c2410b3083e7c14ef56534a

    SHA1

    bd9b11442936503eabd931049ad12c7929387988

    SHA256

    6ac0695b6649ce7df26c3b257bd8b00bcc9e363f0b92ef0e53ffd56ee717a50a

    SHA512

    6707d7a2fa9041b6c63033e8b3aeb7795e138d00fc53be5a9f97117ccb77f0c0e456cccf0262bf3d491d24d413ca040b364d9b1275f7bb9372e9487b67c1c463

    Download Submit
  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    1.2MB

    MD5

    3539ab0f4c2410b3083e7c14ef56534a

    SHA1

    bd9b11442936503eabd931049ad12c7929387988

    SHA256

    6ac0695b6649ce7df26c3b257bd8b00bcc9e363f0b92ef0e53ffd56ee717a50a

    SHA512

    6707d7a2fa9041b6c63033e8b3aeb7795e138d00fc53be5a9f97117ccb77f0c0e456cccf0262bf3d491d24d413ca040b364d9b1275f7bb9372e9487b67c1c463

    Download Submit
  • \Users\Admin\AppData\Local\Temp\212r.exe
    Filesize

    1.2MB

    MD5

    3539ab0f4c2410b3083e7c14ef56534a

    SHA1

    bd9b11442936503eabd931049ad12c7929387988

    SHA256

    6ac0695b6649ce7df26c3b257bd8b00bcc9e363f0b92ef0e53ffd56ee717a50a

    SHA512

    6707d7a2fa9041b6c63033e8b3aeb7795e138d00fc53be5a9f97117ccb77f0c0e456cccf0262bf3d491d24d413ca040b364d9b1275f7bb9372e9487b67c1c463

    Download Submit
  • \Users\Admin\AppData\Local\Temp\212r.exe
    Filesize

    1.2MB

    MD5

    3539ab0f4c2410b3083e7c14ef56534a

    SHA1

    bd9b11442936503eabd931049ad12c7929387988

    SHA256

    6ac0695b6649ce7df26c3b257bd8b00bcc9e363f0b92ef0e53ffd56ee717a50a

    SHA512

    6707d7a2fa9041b6c63033e8b3aeb7795e138d00fc53be5a9f97117ccb77f0c0e456cccf0262bf3d491d24d413ca040b364d9b1275f7bb9372e9487b67c1c463

    Download Submit
  • \Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    1.2MB

    MD5

    3539ab0f4c2410b3083e7c14ef56534a

    SHA1

    bd9b11442936503eabd931049ad12c7929387988

    SHA256

    6ac0695b6649ce7df26c3b257bd8b00bcc9e363f0b92ef0e53ffd56ee717a50a

    SHA512

    6707d7a2fa9041b6c63033e8b3aeb7795e138d00fc53be5a9f97117ccb77f0c0e456cccf0262bf3d491d24d413ca040b364d9b1275f7bb9372e9487b67c1c463

    Download Submit
  • \Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    1.2MB

    MD5

    3539ab0f4c2410b3083e7c14ef56534a

    SHA1

    bd9b11442936503eabd931049ad12c7929387988

    SHA256

    6ac0695b6649ce7df26c3b257bd8b00bcc9e363f0b92ef0e53ffd56ee717a50a

    SHA512

    6707d7a2fa9041b6c63033e8b3aeb7795e138d00fc53be5a9f97117ccb77f0c0e456cccf0262bf3d491d24d413ca040b364d9b1275f7bb9372e9487b67c1c463

    Download Submit
  • memory/644-77-0x0000000000400000-0x00000000006AC000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/644-75-0x0000000000400000-0x00000000006AC000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/644-83-0x0000000000400000-0x00000000006AC000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/644-82-0x0000000000400000-0x00000000006AC000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/644-72-0x0000000000000000-mapping.dmp
    Download
  • memory/644-81-0x0000000000400000-0x00000000006AC000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/644-78-0x00000000002E0000-0x0000000000340000-memory.dmp
    Filesize

    384KB

    Download
  • memory/1988-56-0x0000000075911000-0x0000000075913000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1988-62-0x0000000003E60000-0x000000000410C000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/1988-61-0x0000000003E60000-0x000000000410C000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/2008-76-0x0000000006990000-0x0000000006C3C000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/2008-66-0x0000000000400000-0x00000000006AC000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/2008-79-0x0000000000400000-0x00000000006AC000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/2008-63-0x0000000000400000-0x00000000006AC000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/2008-64-0x00000000006B0000-0x0000000000710000-memory.dmp
    Filesize

    384KB

    Download
  • memory/2008-69-0x0000000000400000-0x00000000006AC000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/2008-59-0x0000000000000000-mapping.dmp
    Download