Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/01/2024, 18:09

General

  • Target

    6b18a6b20832fb7929ccb4b3043f3218.exe

  • Size

    964KB

  • MD5

    6b18a6b20832fb7929ccb4b3043f3218

  • SHA1

    6f35aca55396af3e9f8e6939c4ee1bfb3f5bc69a

  • SHA256

    70635ba75fdb495bb4c0209f26176f0c0d40fd294c8b39898f18742f2e55ce20

  • SHA512

    f69815bc4bead7481be0ecaa43eb53b32c26a5502e40f4b3f68789534cf501246528a35e86bf3b092aed4864691192527414c7c949327c7610e1659377b230f9

  • SSDEEP

    24576:CMFvr6fMVQXwU23E/0iprDKUHSIHzOIfbfxRwv6lRu9xitRHsn:CMFO+QXwb3xGmDIHzOIfjblRuCto

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

84.72.27.213:1604

Mutex

DC_MUTEX-3WNETRQ

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    RJVLW58TNDYF

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Program crash 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b18a6b20832fb7929ccb4b3043f3218.exe
    "C:\Users\Admin\AppData\Local\Temp\6b18a6b20832fb7929ccb4b3043f3218.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Users\Admin\AppData\Local\Temp\6b18a6b20832fb7929ccb4b3043f3218.exe
      "C:\Users\Admin\AppData\Local\Temp\6b18a6b20832fb7929ccb4b3043f3218.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3604
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            5⤵
            • Writes to the Master Boot Record (MBR)
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3340
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              6⤵
                PID:4648
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 84
                  7⤵
                  • Program crash
                  PID:4940
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4648 -ip 4648
      1⤵
        PID:2528

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

              Filesize

              964KB

              MD5

              6b18a6b20832fb7929ccb4b3043f3218

              SHA1

              6f35aca55396af3e9f8e6939c4ee1bfb3f5bc69a

              SHA256

              70635ba75fdb495bb4c0209f26176f0c0d40fd294c8b39898f18742f2e55ce20

              SHA512

              f69815bc4bead7481be0ecaa43eb53b32c26a5502e40f4b3f68789534cf501246528a35e86bf3b092aed4864691192527414c7c949327c7610e1659377b230f9

            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

              Filesize

              642KB

              MD5

              83ca740e49c563d0601ac4814fbaf290

              SHA1

              52078490097e9507c60531b081231b89fcc10a27

              SHA256

              c1634b036cc7b82c68246af1fb32fbca23d364a05763a1d70bfbeb2a1b8c74bf

              SHA512

              33817687be440fb581d3bbb411ee56e531e7fd5c13aca582a0814ed896b8ca2bd0e10be7757fe686c7501ced58e7d121dbf9d5588667926e6affcd1cc91a63d9

            • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

              Filesize

              694KB

              MD5

              889d5824f56c3e078758ef4e53f31727

              SHA1

              e77aacc4bc9edde803f92a70ea50f9fa4975cf35

              SHA256

              30fb698b784ebb140d2d21b137d762638a58d8ceef1942a22923ca7fb1b53de3

              SHA512

              d656a683b0051989c958de8ea3c689e080612a78a36da3d7ba7154fcc82977fc1136d5e1b54208336ee9ecfcf36a7e61edbc19b0ffac0d6a667679c5a613e5a1

            • memory/3340-29-0x0000000000400000-0x00000000004F1000-memory.dmp

              Filesize

              964KB

            • memory/3604-28-0x0000000000810000-0x0000000000811000-memory.dmp

              Filesize

              4KB

            • memory/3604-27-0x0000000000400000-0x00000000004F2000-memory.dmp

              Filesize

              968KB

            • memory/3604-26-0x0000000000400000-0x00000000004F2000-memory.dmp

              Filesize

              968KB

            • memory/3604-30-0x0000000000400000-0x00000000004F2000-memory.dmp

              Filesize

              968KB

            • memory/4072-6-0x0000000000750000-0x0000000000751000-memory.dmp

              Filesize

              4KB

            • memory/4072-5-0x0000000000400000-0x00000000004F2000-memory.dmp

              Filesize

              968KB

            • memory/4072-19-0x0000000000400000-0x00000000004F2000-memory.dmp

              Filesize

              968KB

            • memory/4072-2-0x0000000000400000-0x00000000004F2000-memory.dmp

              Filesize

              968KB

            • memory/4072-4-0x0000000000400000-0x00000000004F2000-memory.dmp

              Filesize

              968KB

            • memory/4072-3-0x0000000000400000-0x00000000004F2000-memory.dmp

              Filesize

              968KB