Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 06-02-2024 22:33
Static task
- static1
Behavioral task
- behavioral1 (Sample: 95a0aae8a7984d30a627a9838acd5434.exe; Resource: win7-20231215-en)
Behavioral task
- behavioral2 (Sample: 95a0aae8a7984d30a627a9838acd5434.exe; Resource: win10v2004-20231215-en)
General
- Target: 95a0aae8a7984d30a627a9838acd5434.exe
- Size: 918KB
- MD5: 95a0aae8a7984d30a627a9838acd5434
- SHA1: 31c5e330f02018243b7252b2a8d7be986a3731e5
- SHA256: 7da760265773acb56206463de01f699ab9316c53456f8d3bdb18db51bfd36a0e
- SHA512: af6640b7bb357c1c96f8a33a61d36dae35ffc91d54c0c2e6e5fbf0d9b7c9cf3de2a960cde18047d44b7a895f6cadd3420bee08f52feb14906193899f15196bf7
- SSDEEP: 12288:rkzu/UrGcXu2Dvy1ThzF6bWEhLWkWo41Z6tlpFe5vyDmSljuI9MK:Icosz6bWEhq8Ne5aDpFuuf
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16_min
- C2: 127.0.0.1:1604
- Mutex: DCMIN_MUTEX-72R2FVV
- InstallPath: DCSCMIN\IMDCSC.exe
- gencode: ojiVYv2dmChl
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: DarkComet RAT
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: Service.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"
- Executes dropped EXE (2 IoCs)
  PID 2680 Service.exe; PID 2836 IMDCSC.exe
- Loads dropped DLL (2 IoCs)
  PID 2212 95a0aae8a7984d30a627a9838acd5434.exe; PID 2680 Service.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Service.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"
- Suspicious use of SetThreadContext (1 IoC)
  PID 2212 (95a0aae8a7984d30a627a9838acd5434.exe) set thread context of PID 2680 (Service.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Process: PID 2680 Service.exe
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 2212 (95a0aae8a7984d30a627a9838acd5434.exe) wrote to memory of PID 2680 (Service.exe): 13 events
  PID 2680 (Service.exe) wrote to memory of PID 2836 (IMDCSC.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\95a0aae8a7984d30a627a9838acd5434.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95a0aae8a7984d30a627a9838acd5434.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\plugtemp\Service.exe (child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\\plugtemp\Service.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe (child process)
      Command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\plugtemp\Service.exe (240KB)
- C:\Users\Admin\AppData\Local\Temp\plugtemp\Service.exe (207KB)
- C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe (267KB)
- C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe (252KB)
- C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe (179KB)
- \Users\Admin\AppData\Local\Temp\plugtemp\Service.exe (1.1MB)
- \Users\Admin\Documents\DCSCMIN\IMDCSC.exe (174KB)