Overview

overview

10

Static

static

5

a093797edf...61.exe

windows7-x64

10

a093797edf...61.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-02-2024 23:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a093797edf6c04f4639d7001a7996861.exe

  • Size

    1.2MB

  • MD5

    a093797edf6c04f4639d7001a7996861

  • SHA1

    18e26ab3d87ff521756f3fcb2a9a577bea05f9ff

  • SHA256

    70fb7f4353898eb02416d7950e2a2895eab599c670faa7f84e2fa997d0a8da85

  • SHA512

    e1c607e493ea35123be937ea619aa179dc7c8467b0c2c06577279c5a1858ff5f4ee3907078264bfb861540732aaa2157b2b00803634fe1cc33930be9c6ac384f

  • SSDEEP

    24576:P4lavt0LkLL9IMixoEgeabcsI7en5aJQhJE13qIwq9MmCS:Kkwkn9IMHeabpg+hJtaPCS

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

10.10.0.100:1604

Mutex

DC_MUTEX-F54S21D

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    z8kGcvNGHx7p

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\a093797edf6c04f4639d7001a7996861.exe
    "C:\Users\Admin\AppData\Local\Temp\a093797edf6c04f4639d7001a7996861.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\4554\4554.exe
      "C:\Users\Admin\AppData\Local\Temp\4554\4554.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4554" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\4554" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:2436
      • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
        "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
        3⤵
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2556
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4554\4554.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2720
  • C:\Windows\SysWOW64\notepad.exe
    notepad
    1⤵
      PID:2492
    • C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\4554\4554.exe" +s +h
      1⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2416

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Defense Evasion

    Modify Registry

    2
    T1112

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\4554\4554.exe
      Filesize

      27KB

      MD5

      e34001ad4bb8a7fd9d24ab580f3cac0f

      SHA1

      f965b5b3f6c8125e5aeeb0d58669b1d07ebb2df6

      SHA256

      c27068bd5168e967f7d928321e661cca6c2d6040d275921a65fb572dd76ce535

      SHA512

      89217f8b643628164719815eafd4008fccebaa5ce57a4774e1f2831378380aeb3bb14cc6c51e1fcad571717f69fd36079d51b08f94f4a93a53f5206b44abf89a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\4554\4554.exe
      Filesize

      10KB

      MD5

      3218fa0c4258f3d363b940485d3dd5a2

      SHA1

      bdacc3e717305d15a3dbb4d38e2d5dec514c44c9

      SHA256

      12fd3d9c5946dcc74cc32791aa825e128f0bfc2438750c2aa10471d54b23119f

      SHA512

      2c829dcc6dd4e18179c642073fc1621f5720088f125760b2473809e6c7eeb1a5a28466c0a29666bd8cce7fe31c1bd4910a1dfc0a64fc70b4a4dd168e909966cd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\4554\4554.exe
      Filesize

      17KB

      MD5

      f0592e5217b489aec82ab87170502aa7

      SHA1

      df25f3206339c4f4f312cd824966e5166587fb43

      SHA256

      f8b1ac2f83eb915d764b94ac3b91fdd1e2debf77b41acdc5e66929df07cd48df

      SHA512

      ee368dc9847fbe7adc7ad369ce2f38bbd5b5145b5b4675ea482817a10e8fd336acba0d4307c3b90d6fda2ab59f375dca451ffebc35e3f1980ea4a314ebb50e66

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      Filesize

      52KB

      MD5

      e23907308f7c2ebcfdd5b68475d065fa

      SHA1

      e5b0dc36c19b5cceea7d35729a02f432f46f1bb0

      SHA256

      639dd5a7bbb50e9c6da5afbc62dd6a4b2c9aafa1304cd28298af021012477cfc

      SHA512

      949f56e6378f46eb652ed772f339974d72ec03090ed236b0eb8e8d270522118934efdbc6cd8ea4c54b9e491355dd17f3b753564140e6ada1f1374179d1ad4439

      Download Submit
    • \Users\Admin\AppData\Local\Temp\4554\4554.exe
      Filesize

      55KB

      MD5

      c297eabd9b601e8bf53038016660958f

      SHA1

      024ea784d78f717a8e409d9fc700f27770abf0f9

      SHA256

      18b03bea93c80cfa9fb838eb190f9c4e8c62fe637febe75162750ba54ffc5e0f

      SHA512

      134f6bb704a61f90137d36c768d0f6f37f22de9270bee814434cbf8775725d0bf4c3e6a8623e5608b3de9f28a6270f3dec8d7a31deaea07d350a1c7c4535c2c9

      Download Submit
    • \Users\Admin\AppData\Local\Temp\4554\4554.exe
      Filesize

      53KB

      MD5

      a2a0894778cd2124f7a9cf17c21e22a9

      SHA1

      37c3b77c6bdc19651393d7216b10ae41d91a2771

      SHA256

      811b2c91bb37f3f02f7a7347130793451ce59bc0fa0e729c2d40306c812beecb

      SHA512

      bbf0a9abc8e29b50c92a57f408da170aa667b11b01e08aeb0097ae371114e601d3a949759dbdb82c9029f16770ad6baea9ee39bb51c2afbee104e5e0e187c011

      Download Submit
    • \Users\Admin\AppData\Local\Temp\4554\4554.exe
      Filesize

      62KB

      MD5

      c5a6a1ede088fc6d3ccaa4a911cda909

      SHA1

      3e32d9814b7868bdcc952e0d6cc8a71c05955b80

      SHA256

      ce7c5a363830e6c86d4bcbe2a1088b7f861d9470a596dcadd4d958927be32a72

      SHA512

      a89e8560aef96e6c9cfda05e5c58ac9a0e77c1011f0c0af520cafa77c3c62926b5091fc5c87fea8fe344f9818b65c114c66a74564412fedf2dfeeb4e308ef357

      Download Submit
    • \Users\Admin\AppData\Local\Temp\4554\4554.exe
      Filesize

      62KB

      MD5

      0aa7a5ee242a922c463b72f1c2e0bbb9

      SHA1

      1f2a801839dd18f803dd95702edd92e06eaf2420

      SHA256

      9cab2303b56e416282afd684436304f5749c31c83f9f8374964b96a982a5cf81

      SHA512

      d47e54272639f4d9e89dc649eca9e3e2ac087f4fc5493d2594311a4de66ececd12fe689159619fbcc16210bf2cb38d4923c3c92d1bc1eebb9e072383572d46cb

      Download Submit
    • \Users\Admin\AppData\Local\Temp\4554\4554.exe
      Filesize

      19KB

      MD5

      530ba652c75b15789e2532d13096e8de

      SHA1

      05d51940bcf525d9ea3aa522c7f41f5d75c1e15e

      SHA256

      7ae571baaef6259a0b0c8defb72189f1b810cf9cc745c59ea264e79c75ad3522

      SHA512

      d9eeec797acdde1371a27e27efbb2ed1c10b37ef8d31a0d8622ea5c9b2d1b5c9f172c458eef75432c7c8aeb2bcae1e05caae58280c7c2f27e029d6d2583c61da

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      Filesize

      207KB

      MD5

      f6e3f6eb13f88f831be42835fc3ab630

      SHA1

      3be5a3cd126a5f897799866dee3bfb04f4ec61e3

      SHA256

      8fe2924590e480ae8e2b95c5baf7ac530b114d8316452a90698d56295362a855

      SHA512

      e2ad096a4116c038e1e9a561270a19d82b0d58cb910ac4390109765b827b448e32efacbeb429696b87b46740e7e0caff5826b7b834a824e324673648f53e0fd9

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      Filesize

      130KB

      MD5

      8ce25c8cd95d504e3374b7a82bdea874

      SHA1

      4ab29ba61fbc2dc59cd9322e6e8b6ccdc5f7b020

      SHA256

      169ebf0e216992970155652b1fe8f41dee346a6574e968d385cfeeeed7229994

      SHA512

      144cdf401f53e9125440a3c01468a6f67cd08df4c0df24f0086be8fb1bc3252c0bfe7f290081c5846d00c7a5e968050a0a74f457d831276c95a298d4a7bd7bc1

      Download Submit
    • memory/2492-44-0x0000000000080000-0x0000000000081000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2492-69-0x0000000000430000-0x0000000000431000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2556-70-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2556-72-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2556-42-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2556-82-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2556-80-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2556-78-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2556-76-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2556-43-0x00000000001D0000-0x00000000001D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2556-74-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2692-27-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2692-28-0x00000000001D0000-0x00000000001D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2692-39-0x00000000021F0000-0x00000000022A7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2692-41-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/3048-16-0x0000000004B00000-0x0000000004BB7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/3048-17-0x0000000004B00000-0x0000000004BB7000-memory.dmp
      Filesize

      732KB

      Download