Analysis
- max time kernel: 141s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-02-2024 22:33
Static task: static1
Behavioral task: behavioral1
- Sample: 95a0aae8a7984d30a627a9838acd5434.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 95a0aae8a7984d30a627a9838acd5434.exe
- Resource: win10v2004-20231215-en
General
- Target: 95a0aae8a7984d30a627a9838acd5434.exe
- Size: 918KB
- MD5: 95a0aae8a7984d30a627a9838acd5434
- SHA1: 31c5e330f02018243b7252b2a8d7be986a3731e5
- SHA256: 7da760265773acb56206463de01f699ab9316c53456f8d3bdb18db51bfd36a0e
- SHA512: af6640b7bb357c1c96f8a33a61d36dae35ffc91d54c0c2e6e5fbf0d9b7c9cf3de2a960cde18047d44b7a895f6cadd3420bee08f52feb14906193899f15196bf7
- SSDEEP: 12288:rkzu/UrGcXu2Dvy1ThzF6bWEhLWkWo41Z6tlpFe5vyDmSljuI9MK:Icosz6bWEhq8Ne5aDpFuuf
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16_min
- C2: 127.0.0.1:1604 (loopback address; this build is not configured to reach an external controller)
- Mutex: DCMIN_MUTEX-72R2FVV
Attributes:
- InstallPath: DCSCMIN\IMDCSC.exe
- gencode: ojiVYv2dmChl
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: DarkComet RAT
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: Service.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" | Service.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Service.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | Service.exe
-
Executes dropped EXE 2 IoCs
Processes: Service.exe, IMDCSC.exe
pid | process
1208 | Service.exe
2560 | IMDCSC.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: Service.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" | Service.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: 95a0aae8a7984d30a627a9838acd5434.exe
description | pid | process | target process
PID 4076 set thread context of 1208 | 4076 | 95a0aae8a7984d30a627a9838acd5434.exe | Service.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes: Service.exe
description | pid | process
Every one of the 24 entries has pid 1208 and process Service.exe; the tokens adjusted are:
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 95a0aae8a7984d30a627a9838acd5434.exe, Service.exe
description | pid | process | target process
PID 4076 wrote to memory of 1208 | 4076 | 95a0aae8a7984d30a627a9838acd5434.exe | Service.exe (14 entries)
PID 1208 wrote to memory of 2560 | 1208 | Service.exe | IMDCSC.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\95a0aae8a7984d30a627a9838acd5434.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\95a0aae8a7984d30a627a9838acd5434.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\plugtemp\Service.exe (level 2, child of the above)
    Command line: C:\Users\Admin\AppData\Local\Temp\\plugtemp\Service.exe
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe (level 3, child of Service.exe)
      Command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\plugtemp\Service.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
- memory/1208-6-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/1208-9-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/1208-10-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/1208-12-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/1208-13-0x0000000000830000-0x0000000000831000-memory.dmp
  Filesize: 4KB
- memory/1208-25-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/4076-0-0x0000000074B50000-0x0000000075101000-memory.dmp
  Filesize: 5.7MB
- memory/4076-1-0x0000000074B50000-0x0000000075101000-memory.dmp
  Filesize: 5.7MB
- memory/4076-2-0x0000000001530000-0x0000000001540000-memory.dmp
  Filesize: 64KB
- memory/4076-28-0x0000000074B50000-0x0000000075101000-memory.dmp
  Filesize: 5.7MB