Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2023 23:26
Behavioral task
behavioral1
Sample
432239af3b4ba67d938ffc6bfb22956e.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
432239af3b4ba67d938ffc6bfb22956e.exe
Resource
win10v2004-20231215-en
General
-
Target
432239af3b4ba67d938ffc6bfb22956e.exe
-
Size
658KB
-
MD5
432239af3b4ba67d938ffc6bfb22956e
-
SHA1
a46d496a95e639d8161dd2512809163f55ed9445
-
SHA256
35df31a35807ceb59bbcc4808292565d64b37c60fee9c98fc3406e40ce6889d5
-
SHA512
549967e66367f0a288850dabb5732382e5c01f0542d193d4006215d4f65f819c5492e1c88f143cfb628fe8c2252b458c5fc12da9f3aedff8ebf1fb37986ac0ac
-
SSDEEP
12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hm:+Z1xuVVjfFoynPaVBUR8f+kN10EBg
Malware Config
Extracted
darkcomet
Guest16_min
xerxesrox.no-ip.biz:83
DCMIN_MUTEX-EHQMHJU
-
InstallPath
DCSCMIN\IMDCSC.exe
-
gencode
PcrJ6QRL7ZlH
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
DarkComet RAT
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
432239af3b4ba67d938ffc6bfb22956e.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\DCSCMIN\\IMDCSC.exe" 432239af3b4ba67d938ffc6bfb22956e.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
432239af3b4ba67d938ffc6bfb22956e.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation 432239af3b4ba67d938ffc6bfb22956e.exe -
Executes dropped EXE 1 IoCs
Processes:
IMDCSC.exepid process 2092 IMDCSC.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
432239af3b4ba67d938ffc6bfb22956e.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DCSCMIN\\IMDCSC.exe" 432239af3b4ba67d938ffc6bfb22956e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
432239af3b4ba67d938ffc6bfb22956e.exeIMDCSC.exedescription pid process Token: SeIncreaseQuotaPrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeSecurityPrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeTakeOwnershipPrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeLoadDriverPrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeSystemProfilePrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeSystemtimePrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeProfSingleProcessPrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeIncBasePriorityPrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeCreatePagefilePrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeBackupPrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeRestorePrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeShutdownPrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeDebugPrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeSystemEnvironmentPrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeChangeNotifyPrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeRemoteShutdownPrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeUndockPrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeManageVolumePrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeImpersonatePrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeCreateGlobalPrivilege 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: 33 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: 34 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: 35 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: 36 3632 432239af3b4ba67d938ffc6bfb22956e.exe Token: SeIncreaseQuotaPrivilege 2092 IMDCSC.exe Token: SeSecurityPrivilege 2092 IMDCSC.exe Token: SeTakeOwnershipPrivilege 2092 IMDCSC.exe Token: SeLoadDriverPrivilege 2092 IMDCSC.exe Token: SeSystemProfilePrivilege 2092 IMDCSC.exe Token: SeSystemtimePrivilege 2092 IMDCSC.exe Token: SeProfSingleProcessPrivilege 2092 IMDCSC.exe Token: SeIncBasePriorityPrivilege 2092 IMDCSC.exe Token: SeCreatePagefilePrivilege 2092 IMDCSC.exe Token: SeBackupPrivilege 2092 IMDCSC.exe Token: SeRestorePrivilege 2092 IMDCSC.exe Token: SeShutdownPrivilege 2092 IMDCSC.exe Token: SeDebugPrivilege 2092 IMDCSC.exe Token: SeSystemEnvironmentPrivilege 2092 IMDCSC.exe Token: SeChangeNotifyPrivilege 2092 IMDCSC.exe Token: SeRemoteShutdownPrivilege 2092 IMDCSC.exe Token: SeUndockPrivilege 2092 IMDCSC.exe Token: SeManageVolumePrivilege 2092 IMDCSC.exe Token: SeImpersonatePrivilege 2092 IMDCSC.exe Token: SeCreateGlobalPrivilege 2092 IMDCSC.exe Token: 33 2092 IMDCSC.exe Token: 34 2092 IMDCSC.exe Token: 35 2092 IMDCSC.exe Token: 36 2092 IMDCSC.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
IMDCSC.exepid process 2092 IMDCSC.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
432239af3b4ba67d938ffc6bfb22956e.exedescription pid process target process PID 3632 wrote to memory of 2092 3632 432239af3b4ba67d938ffc6bfb22956e.exe IMDCSC.exe PID 3632 wrote to memory of 2092 3632 432239af3b4ba67d938ffc6bfb22956e.exe IMDCSC.exe PID 3632 wrote to memory of 2092 3632 432239af3b4ba67d938ffc6bfb22956e.exe IMDCSC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\432239af3b4ba67d938ffc6bfb22956e.exe"C:\Users\Admin\AppData\Local\Temp\432239af3b4ba67d938ffc6bfb22956e.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe"C:\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exeFilesize
658KB
MD5432239af3b4ba67d938ffc6bfb22956e
SHA1a46d496a95e639d8161dd2512809163f55ed9445
SHA25635df31a35807ceb59bbcc4808292565d64b37c60fee9c98fc3406e40ce6889d5
SHA512549967e66367f0a288850dabb5732382e5c01f0542d193d4006215d4f65f819c5492e1c88f143cfb628fe8c2252b458c5fc12da9f3aedff8ebf1fb37986ac0ac
-
memory/2092-18-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2092-15-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2092-19-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2092-14-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2092-20-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2092-16-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2092-17-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2092-21-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2092-27-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2092-12-0x0000000002180000-0x0000000002181000-memory.dmpFilesize
4KB
-
memory/2092-26-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2092-22-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2092-23-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2092-24-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2092-25-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/3632-0-0x00000000022B0000-0x00000000022B1000-memory.dmpFilesize
4KB
-
memory/3632-13-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB