Analysis

  • max time kernel
    0s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231222-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    31-12-2023 04:11

General

  • Target

    27a57d1fca8d099b7876b56c82c5d88d.exe

  • Size

    660KB

  • MD5

    27a57d1fca8d099b7876b56c82c5d88d

  • SHA1

    7ef8df1692fb110fe3adaa3fd94e6b1a483c0244

  • SHA256

    ad3b7f8850afcbe69d1ebc88cfbe86a208fc0620e7a00079ee0e32446c7257f5

  • SHA512

    15b7213699c19b23ca42be95f7db12cd23e1b67532642072fcdb1bb4246b2c24dec73ac69b01966d5b0135223c1bbf4d29a51435dc973659ebe6efb8c49749e3

  • SSDEEP

    12288:wX2JVHMRtDaSm3TJvVNvWV5YTsY7tHwbz/htfcoCoK632zb7G/Q0e:2ss2Sm39NNv9wY7tHwbzfIoK6MoG

Malware Config

Extracted

Family

darkcomet

Botnet

777

C2

mandoo.no-ip.org:3366

Mutex

DC_MUTEX-7UAXXG6

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    hvljDtRVRRkE

  • install

    true

  • offline_keylogger

    true

  • password

    1443813678

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27a57d1fca8d099b7876b56c82c5d88d.exe
    "C:\Users\Admin\AppData\Local\Temp\27a57d1fca8d099b7876b56c82c5d88d.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    PID:1508
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      PID:3696
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:1860
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      2⤵
      PID:3316
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      PID:4280
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\27a57d1fca8d099b7876b56c82c5d88d.exe" +s +h
      2⤵
      PID:1296
  • C:\Windows\SysWOW64\notepad.exe
    notepad
    1⤵
    PID:3044
  • C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    1⤵
    PID:2640
  • C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\27a57d1fca8d099b7876b56c82c5d88d.exe" +s +h
    1⤵
    • Sets file to hidden
    • Views/modifies file attributes
    PID:2476
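The process tree above is the behavioural core of this report: the sample spawns cmd.exe and attrib.exe to mark its Temp directory and its own executable system+hidden, launches the installed copy from the user's Documents folder, and (per the signatures) writes a Run key and a Winlogon value. The script below is an added example, not part of the sandbox report, that runs a small set of detection rules over constructed Sysmon-style events. The process-create events are copied from the tree; the two registry events are assumptions modelled on the extracted config (reg_key MicroUpdate, InstallPath MSDCSC\msdcsc.exe), because the report states only that a Run key and WinLogon were modified and does not show the key paths or data.

```python
"""Detection logic for the behaviours in the process tree above. Added example,
not part of the sandbox report; the registry events are ASSUMED (see lead-in)."""
import re

USER_SID = "S-1-5-21-0-0-0-1001"      # placeholder SID for the constructed events
HKU = "HKU\\" + USER_SID

# Constructed events in a Sysmon-like shape: id 1 = process create, id 13 =
# registry value set. Images and command lines are transcribed from the tree.
EVENTS = [
    {"id": 1, "pid": 1508,
     "image": r"C:\Users\Admin\AppData\Local\Temp\27a57d1fca8d099b7876b56c82c5d88d.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\27a57d1fca8d099b7876b56c82c5d88d.exe"'},
    {"id": 1, "pid": 3696, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'},
    {"id": 1, "pid": 1860, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'},
    {"id": 1, "pid": 3316, "image": r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe",
     "cmdline": r'"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"'},
    {"id": 1, "pid": 4280, "image": r"C:\Windows\SysWOW64\notepad.exe", "cmdline": "notepad"},
    {"id": 1, "pid": 1296, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\27a57d1fca8d099b7876b56c82c5d88d.exe" +s +h'},
    {"id": 1, "pid": 2476, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib "C:\Users\Admin\AppData\Local\Temp\27a57d1fca8d099b7876b56c82c5d88d.exe" +s +h'},
    # ASSUMED registry writes (constructed): the report only names the behaviours.
    {"id": 13, "pid": 1508,
     "target": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     "details": r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"},
    {"id": 13, "pid": 1508,
     "target": HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"},
]

# attrib <target> <+/-flags...> at the end of a command line, quoted or not.
ATTRIB_RE = re.compile(r'attrib\s+"?(?P<target>[^"]+?)"?\s+(?P<flags>(?:[+-][shra]\s*)+)$', re.I)
DOCUMENTS_EXE_RE = re.compile(r"\\Users\\[^\\]+\\Documents\\.*\.exe$", re.I)
RUN_KEY = "\\currentversion\\run\\"
WINLOGON_VALUES = ("\\winlogon\\userinit", "\\winlogon\\shell")
DEFAULT_WINLOGON = ("userinit.exe", "explorer.exe")  # the only legitimate entries


def detect(events):
    """Return (rule, pid, evidence) tuples for every matching event."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            m = ATTRIB_RE.search(ev["cmdline"])
            if m:
                flags = {f.lower() for f in m["flags"].split()}
                target = m["target"]
                # system+hidden together on a Temp path or an executable is how
                # this family hides its dropper; +h alone is common admin usage.
                if {"+s", "+h"} <= flags and (
                        "\\appdata\\local\\temp" in target.lower()
                        or target.lower().endswith(".exe")):
                    findings.append(("attrib_system_hidden", ev["pid"], target))
            if DOCUMENTS_EXE_RE.search(ev["image"]):
                findings.append(("exec_from_documents", ev["pid"], ev["image"]))
        elif ev["id"] == 13:
            target = ev["target"].lower()
            if RUN_KEY in target and "\\users\\" in ev["details"].lower():
                findings.append(("run_key_to_user_profile", ev["pid"], ev["target"]))
            if target.endswith(WINLOGON_VALUES):
                entries = [e.strip().lower() for e in ev["details"].split(",") if e.strip()]
                extra = [e for e in entries if not e.endswith(DEFAULT_WINLOGON)]
                if extra:
                    findings.append(("winlogon_helper_added", ev["pid"], ";".join(extra)))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
    print(summarize(detect(EVENTS)))
```

The attrib rule fires on both the cmd.exe parents and the attrib.exe children, which is intentional: when the sandbox loses parentage (as it did for PID 2476, listed at depth 1) the child still carries the full command line. The Winlogon rule treats anything other than userinit.exe or explorer.exe in Userinit/Shell as a helper addition, which is the generalisation of what T1547.004 describes.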

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence
  • T1547 Boot or Logon Autostart Execution (2)
    • T1547.001 Registry Run Keys / Startup Folder (1)
    • T1547.004 Winlogon Helper DLL (1)

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution (2)
    • T1547.001 Registry Run Keys / Startup Folder (1)
    • T1547.004 Winlogon Helper DLL (1)

Defense Evasion
  • T1112 Modify Registry (2)
  • T1564 Hide Artifacts (2)
    • T1564.001 Hidden Files and Directories (2)

Discovery
  • T1082 System Information Discovery (1)


Downloads

  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Note: all four values are the digests of zero-length input, so the copy of msdcsc.exe captured here was empty (0 bytes). These hashes do not identify the installed payload; use the hashes of the submitted sample or the 720KB memory dump of PID 3316 below instead.

  • memory/1508-0-0x0000000002400000-0x0000000002401000-memory.dmp
    Filesize

    4KB

  • memory/1508-14-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/2640-16-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/3044-18-0x00000000009E0000-0x00000000009E1000-memory.dmp
    Filesize

    4KB

  • memory/3316-17-0x0000000000400000-0x00000000004B4000-memory.dmp
    Filesize

    720KB

  • memory/3316-15-0x00000000006B0000-0x00000000006B1000-memory.dmp
    Filesize

    4KB

  • memory/4280-3-0x0000000000980000-0x0000000000981000-memory.dmp
    Filesize

    4KB
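Two checks a practitioner would run on the Downloads section before lifting anything from it into a blocklist: whether a dropped file's digests are those of empty input (which is the case for msdcsc.exe above), and whether the memory dump names, which encode the dumped address range, agree with the Filesize column. The script below is an added example, not part of the sandbox report; the entries are transcribed from the section above into a constructed dict form, and the digests of b"" are computed with hashlib rather than hard-coded so the comparison verifies itself.

```python
"""Sanity checks on sandbox 'Downloads' entries: zero-byte file captures and
memory dump sizes. Added example, not part of the sandbox report."""
import hashlib
import re

# Digests of zero-length input for the four algorithms the report lists.
EMPTY_DIGESTS = {algo: hashlib.new(algo, b"").hexdigest()
                 for algo in ("md5", "sha1", "sha256", "sha512")}

# Entries transcribed from the Downloads section above (constructed dict form).
DOWNLOADS = [
    {"name": r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe",
     "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
               "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"},
    {"name": "memory/1508-0-0x0000000002400000-0x0000000002401000-memory.dmp", "filesize": "4KB"},
    {"name": "memory/1508-14-0x0000000000400000-0x00000000004B4000-memory.dmp", "filesize": "720KB"},
    {"name": "memory/2640-16-0x0000000000400000-0x00000000004B4000-memory.dmp", "filesize": "720KB"},
    {"name": "memory/3316-17-0x0000000000400000-0x00000000004B4000-memory.dmp", "filesize": "720KB"},
]

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.I)


def is_empty_file(entry):
    """True when every digest the entry lists equals the digest of zero bytes."""
    listed = [algo for algo in EMPTY_DIGESTS if algo in entry]
    return bool(listed) and all(entry[algo].lower() == EMPTY_DIGESTS[algo] for algo in listed)


def memory_region(entry):
    """Parse pid, index and the [start, end) range from a dump name; None if not a dump."""
    m = MEM_RE.match(entry["name"])
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def parse_kb(text):
    """'720KB' -> 737280. Only the KB form the page uses is handled."""
    m = re.fullmatch(r"(\d+)KB", text.strip())
    if not m:
        raise ValueError(f"unsupported size: {text!r}")
    return int(m[1]) * 1024


def triage(entries):
    """Flag zero-byte file captures and dumps whose Filesize disagrees with the
    range in their name; also list regions at the usual 32-bit image base."""
    report = {"empty_files": [], "size_mismatch": [], "image_regions": []}
    for e in entries:
        region = memory_region(e)
        if region is None:
            if is_empty_file(e):
                report["empty_files"].append(e["name"])
            continue
        if region["size"] != parse_kb(e["filesize"]):
            report["size_mismatch"].append(e["name"])
        # 0x400000 is the default image base of a 32-bit PE; a region starting
        # there is the mapped image, and it is larger than the file on disk
        # because sections are page-aligned in memory.
        if region["start"] == 0x400000:
            report["image_regions"].append((region["pid"], region["size"]))
    return report


if __name__ == "__main__":
    print(triage(DOWNLOADS))
```

For this report the result is one empty capture (msdcsc.exe), no size mismatches, and three 720KB image regions (PIDs 1508, 2640 and 3316) at 0x400000. The 720KB in-memory size against the 660KB file on disk is ordinary section alignment, not evidence of unpacking; the region for PID 2640 (iexplore.exe) is the one worth dumping, since the page lists no reason for an iexplore.exe process to carry the same image as the sample.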