Overview

overview

10

Static

static

10

cea317bf98...JC.exe

windows7-x64

10

cea317bf98...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    164s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    13-10-2023 01:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cea317bf984e8642317f2ea6700f0f40exe_JC.exe

  • Size

    658KB

  • MD5

    cea317bf984e8642317f2ea6700f0f40

  • SHA1

    b1e4a6444e78df514e7f9907b4dea4b84483d6a0

  • SHA256

    e270f2c865490cdfd709732746bb109a17c3869fc7332b453d8fcb723d739140

  • SHA512

    101e3a26832a3231e0bd1fe747aa41f6f329fea5f77eba19507def0de21802de3663208d54e7ead59d0e51cc0412372245521b181f525216a0593b242055971b

  • SSDEEP

    12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hI:KZ1xuVVjfFoynPaVBUR8f+kN10EBC

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:200

Mutex

DC_MUTEX-2FTZLRG

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    VK2SGSf1AiHA

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\cea317bf984e8642317f2ea6700f0f40exe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\cea317bf984e8642317f2ea6700f0f40exe_JC.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\cea317bf984e8642317f2ea6700f0f40exe_JC.exe" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\cea317bf984e8642317f2ea6700f0f40exe_JC.exe" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2764
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2768
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:2984

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      Filesize

      658KB

      MD5

      cea317bf984e8642317f2ea6700f0f40

      SHA1

      b1e4a6444e78df514e7f9907b4dea4b84483d6a0

      SHA256

      e270f2c865490cdfd709732746bb109a17c3869fc7332b453d8fcb723d739140

      SHA512

      101e3a26832a3231e0bd1fe747aa41f6f329fea5f77eba19507def0de21802de3663208d54e7ead59d0e51cc0412372245521b181f525216a0593b242055971b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      Filesize

      658KB

      MD5

      cea317bf984e8642317f2ea6700f0f40

      SHA1

      b1e4a6444e78df514e7f9907b4dea4b84483d6a0

      SHA256

      e270f2c865490cdfd709732746bb109a17c3869fc7332b453d8fcb723d739140

      SHA512

      101e3a26832a3231e0bd1fe747aa41f6f329fea5f77eba19507def0de21802de3663208d54e7ead59d0e51cc0412372245521b181f525216a0593b242055971b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      Filesize

      658KB

      MD5

      cea317bf984e8642317f2ea6700f0f40

      SHA1

      b1e4a6444e78df514e7f9907b4dea4b84483d6a0

      SHA256

      e270f2c865490cdfd709732746bb109a17c3869fc7332b453d8fcb723d739140

      SHA512

      101e3a26832a3231e0bd1fe747aa41f6f329fea5f77eba19507def0de21802de3663208d54e7ead59d0e51cc0412372245521b181f525216a0593b242055971b

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      Filesize

      658KB

      MD5

      cea317bf984e8642317f2ea6700f0f40

      SHA1

      b1e4a6444e78df514e7f9907b4dea4b84483d6a0

      SHA256

      e270f2c865490cdfd709732746bb109a17c3869fc7332b453d8fcb723d739140

      SHA512

      101e3a26832a3231e0bd1fe747aa41f6f329fea5f77eba19507def0de21802de3663208d54e7ead59d0e51cc0412372245521b181f525216a0593b242055971b

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      Filesize

      658KB

      MD5

      cea317bf984e8642317f2ea6700f0f40

      SHA1

      b1e4a6444e78df514e7f9907b4dea4b84483d6a0

      SHA256

      e270f2c865490cdfd709732746bb109a17c3869fc7332b453d8fcb723d739140

      SHA512

      101e3a26832a3231e0bd1fe747aa41f6f329fea5f77eba19507def0de21802de3663208d54e7ead59d0e51cc0412372245521b181f525216a0593b242055971b

      Download Submit

    • memory/1364-43-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/1364-0-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2500-44-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2500-11-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2500-45-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2500-46-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2500-47-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2500-48-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2500-49-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2500-50-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2500-52-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2500-53-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2500-56-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2984-42-0x0000000000270000-0x0000000000271000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2984-13-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

      Download