Analysis
-
max time kernel
0s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
31/12/2023, 13:44
General
-
Target
387e8c87ac61853543b43747feff0897.exe
-
Size
515KB
-
MD5
387e8c87ac61853543b43747feff0897
-
SHA1
6505a260581d6d78b3c8ca0501b56e266ac25d4f
-
SHA256
23ff4eb48f2c98a3868ee8abbfcd28427f877864759e0d84c82895b51f78e8d0
-
SHA512
5451d60875562cf41bcdd703edd7a1efde19b1ed86f7a78f69a52e8d05b34b437e9704ed1c576d54e364c55a66274922f09138d220d30d675c17418967a16e29
-
SSDEEP
12288:wf2QkXEU9Nha3ZqyBPoMrliN/ddRAe8CT:QxeEo+LBPorzRAe7T
Malware Config
Extracted
darkcomet
DC
rsguide.no-ip.biz:1604
DC_MUTEX-9USF8JU
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
RvWB7ovy3Ji4
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
rundll32
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\387e8c87ac61853543b43747feff0897.exe"C:\Users\Admin\AppData\Local\Temp\387e8c87ac61853543b43747feff0897.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RSbot.exe"C:\Users\Admin\AppData\Local\Temp\RSbot.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe"C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\svchost.exe2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\j.vbs"2⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h1⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\svchost.exe" +s +h1⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\svchost.exe" +s +h1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
4KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
4KB
-
Filesize
712KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB