Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
24-02-2024 13:24
Behavioral task
behavioral1
Sample
a1f5a8ee77c66ba3b74b55f37be7b5e5.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a1f5a8ee77c66ba3b74b55f37be7b5e5.exe
Resource
win10v2004-20240221-en
General
-
Target
a1f5a8ee77c66ba3b74b55f37be7b5e5.exe
-
Size
660KB
-
MD5
a1f5a8ee77c66ba3b74b55f37be7b5e5
-
SHA1
33c06f5fc98557b20be2719eb6b167de5db97833
-
SHA256
7e6a4187c63b71f6e3ee87adeda48474a0d9787161e2d375d5c9e3a449c902f7
-
SHA512
fcd3db5feeeec9a1fe83b8c934d0a8dbf264cafdf7cbaf20084febccda09ae863d34c6819b00ef01e18b94bddec6f89217d25e60d0e1b9ec1c607cc3a234be81
-
SSDEEP
12288:gXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Uv:mnAw2WWeFcfbP9VPSPMTSPL/rWvzq4Jf
Malware Config
Extracted
-
Family
darkcomet
-
Botnet (DarkComet SID / campaign identifier)
Guest16_min
-
C2 (dynamic-DNS hostname, TCP port 81)
chememo1.no-ip.org:81
-
Mutex
DCMIN_MUTEX-7W4BBR2
-
InstallPath
DCSCMIN\IMDCSC.exe
-
gencode
1xSDcZWTTQQQ
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
DarkComet RAT
Note: persistence=false is a builder option carried in the stub's configuration; it does not describe the registry autoruns the sandbox observed at runtime (Winlogon UserInit and a Run value named after reg_key, listed under Signatures). Treat the config flags and the observed behaviour as two separate pieces of evidence.
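The attributes above are what a config extractor pulls out of the stub. As an added example, not part of this report and not DarkComet or sandbox code, the following Python decrypts and parses a DarkComet-style configuration blob into the same attribute names. It assumes the layout described in public writeups: a hex-encoded RC4 ciphertext keyed with a per-version constant (for example #KCMDDC51#-890 for 5.1) plus the optional stub password, whose plaintext is CRLF-separated KEY={VALUE} lines between #BEGIN and #EOF markers. The version keys, the key-to-attribute mapping (SID to Botnet, NETDATA to C2, KEYNAME to reg_key, EDTPATH to InstallPath, PERSINST to persistence) and the sample blob are assumptions; the blob is constructed from the values above, not extracted from the binary, and a real sample should be checked against the decryptor before relying on any of it.

```python
"""DarkComet-style config decrypt/parse. Added example, not sandbox or DarkComet code.

Assumed layout (verify against a real sample): the stub stores an RC4-encrypted,
hex-encoded blob; the RC4 key is a per-version constant plus the stub password;
the plaintext is CRLF-separated KEY={VALUE} lines between #BEGIN/#EOF markers.
"""
import binascii
import re
from typing import Any, Dict, Optional, Tuple

# Assumed per-version keys (from public writeups); the stub password, if any, is appended.
VERSION_KEYS = {
    "5.1": b"#KCMDDC51#-890",
    "5.0": b"#KCMDDC5#-890",
    "4.2F": b"#KCMDDC42F#-890",
    "4.x": b"#KCMDDC4#-890",
}
BEGIN_MARK = "#BEGIN DARKCOMET DATA"

# Assumed mapping of raw config keys to the attribute names used in the report above.
BOOL_FIELDS = {"INSTALL": "install", "OFFLINEK": "offline_keylogger", "PERSINST": "persistence"}
STR_FIELDS = {"MUTEX": "mutex", "SID": "botnet", "GENCODE": "gencode",
              "KEYNAME": "reg_key", "EDTPATH": "install_path"}
LINE_RE = re.compile(r"^([A-Z0-9_]+)=\{(.*)\}$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_config(plaintext: str) -> Dict[str, Any]:
    """Map decrypted KEY={VALUE} lines onto the report's attribute names."""
    cfg: Dict[str, Any] = {}
    for raw in plaintext.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:                     # blank lines and the #BEGIN/#EOF markers
            continue
        key, value = m.group(1), m.group(2)
        if key == "NETDATA":          # one or more host:port entries separated by '|'
            cfg["c2"] = [h for h in value.split("|") if h]
        elif key in BOOL_FIELDS:
            cfg[BOOL_FIELDS[key]] = value == "1"
        elif key in STR_FIELDS:
            cfg[STR_FIELDS[key]] = value
        else:                         # keep unmapped keys rather than silently dropping them
            cfg.setdefault("other", {})[key] = value
    return cfg


def decrypt_config(hex_blob: str, password: str = "") -> Optional[Tuple[str, Dict[str, Any]]]:
    """Try every known version key; return (version, config), or None if none decrypts.

    RC4 has no integrity check, so the #BEGIN marker is the only way to tell a
    correct key from garbage; a wrong stub password fails exactly like a wrong version.
    """
    data = binascii.unhexlify(hex_blob)
    for version, key in VERSION_KEYS.items():
        plaintext = rc4(key + password.encode("latin-1"), data).decode("latin-1")
        if plaintext.startswith(BEGIN_MARK):
            return version, parse_config(plaintext)
    return None


# Constructed sample: the report's extracted values in the assumed plaintext layout,
# RC4-encrypted with the 5.1 key and hex-encoded. NOT bytes taken from the binary.
SAMPLE_PLAINTEXT = "\r\n".join([
    "#BEGIN DARKCOMET DATA --",
    "MUTEX={DCMIN_MUTEX-7W4BBR2}",
    "SID={Guest16_min}",
    "FWB={0}",
    "NETDATA={chememo1.no-ip.org:81}",
    "GENCODE={1xSDcZWTTQQQ}",
    "INSTALL={1}",
    "COMBOPATH={8}",
    "EDTPATH={DCSCMIN\\IMDCSC.exe}",
    "KEYNAME={DarkComet RAT}",
    "PERSINST={0}",
    "OFFLINEK={1}",
    "#EOF DARKCOMET DATA --",
])
SAMPLE_HEX = binascii.hexlify(rc4(VERSION_KEYS["5.1"], SAMPLE_PLAINTEXT.encode("latin-1"))).decode().upper()

if __name__ == "__main__":
    found = decrypt_config(SAMPLE_HEX)
    if found is None:
        raise SystemExit("no known key decrypted the blob")
    version, cfg = found
    print(f"DarkComet {version} config:")
    for name, value in cfg.items():
        print(f"  {name}: {value}")
```

On a real sample, feed decrypt_config the hex string from the stub's RCDATA resource; if every version key fails, the stub most likely has a password set, which must be supplied as the second argument.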
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: a1f5a8ee77c66ba3b74b55f37be7b5e5.exe (PID 1228)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
Note: a stock UserInit value contains only userinit.exe; the appended path makes Winlogon launch the dropped copy at every interactive logon. The key is under HKLM, so the recorded write implies the sample ran with administrative rights (the sandbox user is Admin).
-
Executes dropped EXE (1 IoC)
Process: IMDCSC.exe (PID 1740)
-
Loads dropped DLL (2 IoCs)
Process: a1f5a8ee77c66ba3b74b55f37be7b5e5.exe (PID 1228), two loads recorded
-
Adds Run key to start application (2 TTPs, 1 IoC)
Process: a1f5a8ee77c66ba3b74b55f37be7b5e5.exe (PID 1228)
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
Note: the value name is the reg_key from the extracted config and the target is InstallPath resolved under the user's Documents folder, so this is a second, per-user autorun alongside the UserInit entry.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Both processes, a1f5a8ee77c66ba3b74b55f37be7b5e5.exe (PID 1228) and IMDCSC.exe (PID 1740), enable the same 23 privileges in their own token (23 calls each):
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges the sandbox reports only by LUID, 33, 34 and 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege).
Note: enabling every privilege the token holds rather than the one or two a program needs is a common RAT idiom and a useful hunting signal on its own; SeDebugPrivilege is the one that later lets the process open other processes.
-
Suspicious use of SetWindowsHookEx (1 IoC)
Process: IMDCSC.exe (PID 1740)
Note: SetWindowsHookEx is the API for installing keyboard and mouse hooks, which is consistent with offline_keylogger=true in the extracted config.
-
Suspicious use of WriteProcessMemory (4 IoCs)
Process: a1f5a8ee77c66ba3b74b55f37be7b5e5.exe (PID 1228) wrote to the memory of IMDCSC.exe (PID 1740) four times, i.e. the parent wrote into the dropped copy it had just started.
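The two registry writes above are the reusable detection content of this report. As an added example that is not part of the sandbox output, here is Python detection logic run over constructed registry-write events modelled on them (dicts in the style of Sysmon Event ID 13 SetValue records; the field names are an assumption, adapt them to your telemetry). It flags any UserInit entry other than the stock userinit.exe and any Run/RunOnce value whose executable lives in a user-writable location, and includes two benign events to show that a normal UserInit rewrite and a Program Files autostart do not alert.

```python
"""Detect Winlogon UserInit tampering and user-writable Run entries in registry writes.

Added detection example, not part of the sandbox report. Events are dicts in the
style of Sysmon Event ID 13 (RegistryEvent SetValue); field names are an assumption.
"""
import re
from typing import Dict, List, Optional

# A stock UserInit value is exactly this path (normally with a trailing comma).
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}
USERINIT_KEY_RE = re.compile(r"\\winlogon\\userinit$", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$", re.I)
USER_WRITABLE_RE = re.compile(
    r"^(c:\\users\\|c:\\documents and settings\\|c:\\programdata\\"
    r"|%(appdata|localappdata|temp|tmp|userprofile)%)", re.I)


def normalize_path(p: str) -> str:
    """Strip quotes/whitespace, expand %SystemRoot%, lower-case for comparison."""
    p = p.strip().strip('"').strip()
    p = re.sub(r"^%systemroot%", r"c:\\windows", p, flags=re.I)
    return p.lower()


def check_userinit(value: str) -> List[str]:
    """Return every UserInit entry that is not the stock userinit.exe."""
    extras = []
    for entry in value.split(","):
        if not entry.strip():            # the stock value ends with a trailing comma
            continue
        if normalize_path(entry) not in EXPECTED_USERINIT:
            extras.append(entry.strip())
    return extras


def check_run_value(name: str, value: str) -> Optional[str]:
    """Reason a Run/RunOnce entry is suspicious, or None if it looks ordinary."""
    m = re.match(r'^\s*"([^"]+)"|^\s*(\S+)', value)   # quoted path, else first token
    exe = (m.group(1) or m.group(2)) if m else value
    if USER_WRITABLE_RE.match(normalize_path(exe)):
        return f"Run value '{name}' starts {exe} from a user-writable location"
    return None


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply both checks to a list of SetValue events and return the alerts."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        target = ev["TargetObject"]
        if USERINIT_KEY_RE.search(target):
            extras = check_userinit(ev["Details"])
            if extras:
                alerts.append({"rule": "winlogon_userinit_hijack",
                               "image": ev["Image"], "extra_entries": extras})
        elif RUN_KEY_RE.search(target):
            reason = check_run_value(target.rsplit("\\", 1)[1], ev["Details"])
            if reason:
                alerts.append({"rule": "run_key_user_writable",
                               "image": ev["Image"], "reason": reason})
    return alerts


# Constructed events: the report's two IoCs (HKLM/HKU spelling instead of the
# \REGISTRY\MACHINE form) plus two benign writes that must not alert.
SAMPLE_EVENTS = [
    {"EventType": "SetValue",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\a1f5a8ee77c66ba3b74b55f37be7b5e5.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"},
    {"EventType": "SetValue",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\a1f5a8ee77c66ba3b74b55f37be7b5e5.exe",
     "TargetObject": r"HKU\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT",
     "Details": r"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"},
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
    {"EventType": "SetValue", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe" /background'},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The UserInit check is deliberately an allow-list rather than a block-list: anything that is not the stock userinit.exe path is reported, so renamed or relocated payloads are caught without knowing their names. The Run check is a heuristic and will fire on legitimate per-user installers that live under AppData; treat it as a triage signal to be paired with the writing process and file hash, not as a verdict on its own.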
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\a1f5a8ee77c66ba3b74b55f37be7b5e5.exe  (PID 1228)
   command line: "C:\Users\Admin\AppData\Local\Temp\a1f5a8ee77c66ba3b74b55f37be7b5e5.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe  (PID 1740, child of 1)
      command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
Dropped file
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
660KB
MD5
a1f5a8ee77c66ba3b74b55f37be7b5e5
SHA1
33c06f5fc98557b20be2719eb6b167de5db97833
SHA256
7e6a4187c63b71f6e3ee87adeda48474a0d9787161e2d375d5c9e3a449c902f7
SHA512
fcd3db5feeeec9a1fe83b8c934d0a8dbf264cafdf7cbaf20084febccda09ae863d34c6819b00ef01e18b94bddec6f89217d25e60d0e1b9ec1c607cc3a234be81
Note: all four hashes are identical to those of the submitted sample, so IMDCSC.exe is a byte-for-byte copy of the original written to InstallPath; a single hash indicator covers both the dropper and the installed copy.
-
Memory dumps (file name pattern: memory/<pid>-<n>-<start>-<end>-memory.dmp)
PID   Dump    Region                                    Size
1228  0       0x0000000000260000-0x0000000000261000     4KB
1228  10      0x0000000000400000-0x00000000004B5000     724KB
1740  11      0x00000000003F0000-0x00000000003F1000     4KB
1740  12-25   0x0000000000400000-0x00000000004B5000     724KB each (14 successive dumps of the same region)
Note: 0x400000-0x4B5000 is 0xB5000 bytes (724KB) mapped from the 660KB file, captured at the same fixed base address in both the dropper and its copy; the 4KB regions are single pages dumped before the image region.