Overview

overview

10

Static

static

10

06a15ab711...af.exe

windows7-x64

10

06a15ab711...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2023 16:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06a15ab711359ca5c66335039793daaf.exe

  • Size

    770KB

  • MD5

    06a15ab711359ca5c66335039793daaf

  • SHA1

    95bd3194b060bc8e775e5bc0a76bc6dc0094a70b

  • SHA256

    f51a0aa16b0a033eaeb45e5bbea6b492b499a0af1404309882f333f18f4e890a

  • SHA512

    925fe2815b0ff212a26b1d1e63de27c44f83069c9a8b3643f114c28b9b6764ca867e5039324ca92174730f777dcd75e5f4f43b13583ff8ad599fbe810a58f998

  • SSDEEP

    12288:P9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/B:5Z1xuVVjfFoynPaVBUR8f+kN10EdB

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

tihe17.zapto.org:8030

Mutex

DC_MUTEX-X1RN242

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    umehiZR0cf0n

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\06a15ab711359ca5c66335039793daaf.exe
    "C:\Users\Admin\AppData\Local\Temp\06a15ab711359ca5c66335039793daaf.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\AppData\Local\Temp\1.EXE
      "C:\Users\Admin\AppData\Local\Temp\1.EXE"
      2⤵
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2852
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Deletes itself
      PID:2832
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2788
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\06a15ab711359ca5c66335039793daaf.exe" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2252
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2724
  • C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\06a15ab711359ca5c66335039793daaf.exe" +s +h
    1⤵
    • Sets file to hidden
    • Views/modifies file attributes
    PID:2732
  • C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    1⤵
    • Adds policy Run key to start application
    • Drops file in Program Files directory
    PID:2752
  • C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    1⤵
    • Sets file to hidden
    • Views/modifies file attributes
    PID:2744
  • C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    1⤵
      PID:3040
    • C:\Users\Admin\AppData\Local\Temp\1.EXE
      "C:\Users\Admin\AppData\Local\Temp\1.EXE"
      1⤵
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2988
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      1⤵
      • Modifies firewall policy service
      • Modifies security service
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Users\Admin\AppData\Local\Temp\1.EXE
        "C:\Users\Admin\AppData\Local\Temp\1.EXE"
        2⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2892
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        2⤵
          PID:1872
      • C:\Windows\syswow64\svchost.exe
        C:\Windows\syswow64\svchost.exe
        1⤵
          PID:1596

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        3
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Privilege Escalation

        Boot or Logon Autostart Execution

        3
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Defense Evasion

        Hide Artifacts

        2
        T1564

        Hidden Files and Directories

        2
        T1564.001

        Impair Defenses

        2
        T1562

        Disable or Modify Tools

        2
        T1562.001

        Modify Registry

        8
        T1112

        Credential Access

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1.EXE
          Filesize

          13KB

          MD5

          95ff7bbd32e9002d393e056828187814

          SHA1

          68a9b42cc5a5fd10f3cd53baaacbb80646b0c057

          SHA256

          40999d697b90d2ef63889c53e00cc1be3f94d2a0581198ad6199ed2a29a14e94

          SHA512

          8bc2f53dab5afa0eeb577fa9521bea42ccf7b176a2733dd312779774b31bc9e65b4fac7942386e0af76fa5a7dcde5e5d401abc7befb16ffb8091befaf9cf2d77

          Download Submit

        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          Filesize

          44KB

          MD5

          55d4a0677b8c3c715dfc2b64a4f75842

          SHA1

          c67eecac3e38a5087d306c84d13f176541464722

          SHA256

          d561b6cc6f5428b4dd7707c1deccaca4c626f70c1bd5b11edf26d4203cc0154a

          SHA512

          7b8a87c1a731ef560cb0bb194a73747006899f903bb7ee71d6172445b3b4a169bf73507397ef188797d5e0e327a05bcdbca617ffb22e7145f3c8d73e85c6feb9

          Download Submit

        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          Filesize

          68KB

          MD5

          8cdb96cff85fe8ba4b8b88e2774b86bc

          SHA1

          5c5ca997bad149505fd39a6f1465841822ea26d3

          SHA256

          d497f93432e33df0913819f1d20d90abf303d8401824ce6cc222d7d5975403ac

          SHA512

          6b540dd59138ae62daad2f49b2e946892151a35cd862c5cc61dfc1a7165ae7a531f7f432f436d3a83f2026dfb7e8915849ed6b4c793c17887e771ea720fc6c5f

          Download Submit

        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          Filesize

          45KB

          MD5

          e9d3c2a214ea8b25a5463f44c8d38135

          SHA1

          c6dc1bcbf930cd1c370eb1e1b74018db696eff23

          SHA256

          334a68a6018b42ffe061d95bab745f81970ad608144e8612185ad9ab3e742183

          SHA512

          958a740fd6005ea3def08052b3e88083a5287be6b917a41d199b6df732ee38c1fd829cc78f6166ed051620f2b6bdc60382363ee9d8a24224ad9a2ef9927a4736

          Download Submit

        • \Users\Admin\Documents\MSDCSC\msdcsc.exe
          Filesize

          33KB

          MD5

          28a2a47e034de140b56f3bb81ae307e8

          SHA1

          f13d8e8655675d0764f934e3e46ce7ea617a1b92

          SHA256

          cad45f242feb17537d94da531d60b2a71a3d87c245ec1c5be3ed266bbc3c1994

          SHA512

          a2289b4011eac705a7b7c6f97154c9961c7d103c0afc6059f899515e7536910a9f8b30aed8a206dade3c17f3c03de66de48a2a2a60a7a00814eeede7b41fd518

          Download Submit

        • \Users\Admin\Documents\MSDCSC\msdcsc.exe
          Filesize

          202KB

          MD5

          a1c2ef2db900186470d2ab1407bfbb8a

          SHA1

          c9df2cd14e37e9aba6e158af2ac2a9b7463f9e56

          SHA256

          be8900847f53e7244b2404f40d90440393087d7be7de7170cfffb22393bde4c0

          SHA512

          6d234f565d594fed8f5fb1d31cf371b342ddf39ad60982d6dac39ea6e3acf3faadfd1d032e36d3093b8aaadadf9efc5440e931e490ea1948c1c19b5415bb2d90

          Download Submit

        • memory/1596-81-0x0000000000020000-0x0000000000025000-memory.dmp

          Filesize

          20KB

          Download

        • memory/1596-135-0x0000000000020000-0x0000000000025000-memory.dmp

          Filesize

          20KB

          Download

        • memory/1872-120-0x0000000000490000-0x0000000000491000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2296-66-0x0000000000400000-0x00000000004CE000-memory.dmp

          Filesize

          824KB

          Download

        • memory/2544-11-0x00000000024D0000-0x00000000024D5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/2544-80-0x0000000000400000-0x00000000004CE000-memory.dmp

          Filesize

          824KB

          Download

        • memory/2544-64-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2544-14-0x00000000024D0000-0x00000000024D5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/2544-0-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2724-61-0x00000000034B0000-0x00000000034B5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/2724-49-0x0000000000250000-0x0000000000251000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2724-67-0x0000000000400000-0x00000000004CE000-memory.dmp

          Filesize

          824KB

          Download

        • memory/2752-17-0x0000000000020000-0x0000000000025000-memory.dmp

          Filesize

          20KB

          Download

        • memory/2752-16-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2752-15-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2832-40-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2832-18-0x0000000000080000-0x0000000000081000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2852-13-0x0000000000020000-0x0000000000022000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3040-65-0x0000000000020000-0x0000000000025000-memory.dmp

          Filesize

          20KB

          Download

        • memory/3040-62-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3040-63-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3040-132-0x0000000000020000-0x0000000000025000-memory.dmp

          Filesize

          20KB

          Download