Analysis
max time kernel: 44s
max time network: 46s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 21-02-2024 15:21
Behavioral task: behavioral1
Sample: RAT2.exe
Resource: win7-20231215-en
General
Target: RAT2.exe
Size: 758KB
MD5: 21d196003c2ebe1318a386a3f1b96bbc
SHA1: 83ce95a86173ec0f6a708ee4cfd40260c5a624e7
SHA256: b7de3304bb713d3da34c1d057e8dd48c7b5677e94d0f93ddee96089ff6445c25
SHA512: f0947c77b3ce5b20d7df88ec8793f51bd7f9bc2a17f1c954e21c4bfe294213a38cae9657b4f892fd180cb7f43720d5c5cfaa1ff8923e10b456f23d66529202fa
SSDEEP: 12288:b9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hTvvNVRuH:VZ1xuVVjfFoynPaVBUR8f+kN10EBdvzG
Malware Config
Extracted family: darkcomet
Botnet: Guest16
C2: nayef.ddns.net:1604
Mutex: DC_MUTEX-S42YJ4Y
InstallPath: MSDCSC\msdcsc.exe
gencode: 7CVEBPhuYSgK
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: RAT2.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Windows security bypass (1 IoC)
Process: msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Executes dropped EXE (1 IoC)
Process: msdcsc.exe (PID 2700)

Loads dropped DLL (2 IoCs)
Process: RAT2.exe (PID 2152), two loads

Windows security modification (1 IoC)
Process: msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: RAT2.exe, msdcsc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (written by RAT2.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (written by msdcsc.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: RAT2.exe (PID 2152), msdcsc.exe (PID 2700)
Each process enabled the same 23 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35.

Suspicious use of SetWindowsHookEx (1 IoC)
Process: msdcsc.exe (PID 2700)

Suspicious use of WriteProcessMemory (27 IoCs)
Processes: RAT2.exe, msdcsc.exe
PID 2152 (RAT2.exe) wrote to memory of PID 2700 (msdcsc.exe): 4 times
PID 2700 (msdcsc.exe) wrote to memory of PID 2660 (notepad.exe): 23 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\RAT2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\RAT2.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (child of 1)
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\notepad.exe (child of 2)
         Command line: notepad
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize: 758KB
MD5: 21d196003c2ebe1318a386a3f1b96bbc
SHA1: 83ce95a86173ec0f6a708ee4cfd40260c5a624e7
SHA256: b7de3304bb713d3da34c1d057e8dd48c7b5677e94d0f93ddee96089ff6445c25
SHA512: f0947c77b3ce5b20d7df88ec8793f51bd7f9bc2a17f1c954e21c4bfe294213a38cae9657b4f892fd180cb7f43720d5c5cfaa1ff8923e10b456f23d66529202fa

Memory dumps (filesize in parentheses):
- memory/2152-0-0x0000000000250000-0x0000000000251000-memory.dmp (4KB)
- memory/2152-50-0x0000000000400000-0x00000000004CB000-memory.dmp (812KB)
- memory/2660-13-0x0000000000080000-0x0000000000081000-memory.dmp (4KB)
- memory/2660-49-0x00000000008E0000-0x00000000008E1000-memory.dmp (4KB)
- memory/2700-11-0x00000000001D0000-0x00000000001D1000-memory.dmp (4KB)
- memory/2700-51-0x0000000000400000-0x00000000004CB000-memory.dmp (812KB)
- memory/2700-52-0x0000000000400000-0x00000000004CB000-memory.dmp (812KB)
- memory/2700-53-0x00000000001D0000-0x00000000001D1000-memory.dmp (4KB)
- memory/2700-54-0x0000000000400000-0x00000000004CB000-memory.dmp (812KB)