Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-02-2024 13:24
Behavioral task behavioral1
  Sample: a1f5a8ee77c66ba3b74b55f37be7b5e5.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: a1f5a8ee77c66ba3b74b55f37be7b5e5.exe
  Resource: win10v2004-20240221-en
The results on this page are from behavioral2 (the win10v2004-20240221-en run listed under Analysis).
General
Target: a1f5a8ee77c66ba3b74b55f37be7b5e5.exe
Size: 660KB
MD5: a1f5a8ee77c66ba3b74b55f37be7b5e5
SHA1: 33c06f5fc98557b20be2719eb6b167de5db97833
SHA256: 7e6a4187c63b71f6e3ee87adeda48474a0d9787161e2d375d5c9e3a449c902f7
SHA512: fcd3db5feeeec9a1fe83b8c934d0a8dbf264cafdf7cbaf20084febccda09ae863d34c6819b00ef01e18b94bddec6f89217d25e60d0e1b9ec1c607cc3a234be81
SSDEEP: 12288:gXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Uv:mnAw2WWeFcfbP9VPSPMTSPL/rWvzq4Jf
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16_min
C2: chememo1.no-ip.org:81
Mutex: DCMIN_MUTEX-7W4BBR2
InstallPath: DCSCMIN\IMDCSC.exe
gencode: 1xSDcZWTTQQQ
install: true
offline_keylogger: true
persistence: false
reg_key: DarkComet RAT
Notes on reading the config: the C2 is a no-ip.org dynamic DNS name, so the hostname is the durable indicator and any IP it resolved to at analysis time should be treated as transient. install=true together with reg_key is what produces the Run entry and the dropped copy under Documents\DCSCMIN seen below; DarkComet's separate persistence flag controls a self-protection option in the builder, so persistence=false does not mean the sample has no startup persistence. offline_keylogger=true means keystrokes are logged to disk even when the C2 is unreachable, which matches the SetWindowsHookEx call by the dropped copy.
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: a1f5a8ee77c66ba3b74b55f37be7b5e5.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"
  The stock data is "C:\Windows\system32\userinit.exe,"; the appended path makes Winlogon start IMDCSC.exe at every interactive logon. This key is under HKLM, so the write only succeeds from an elevated process, which is consistent with the administrator-level privilege set adjusted below.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: a1f5a8ee77c66ba3b74b55f37be7b5e5.exe
  Key value queried \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation
  The sandbox locale is en-us and the sample went on to install, so whatever the check gates was not triggered here.
Executes dropped EXE (1 IoC)
  PID 1740 IMDCSC.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: a1f5a8ee77c66ba3b74b55f37be7b5e5.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"
  The value name is the reg_key from the extracted config and the data is the config InstallPath resolved under the user's Documents folder.
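As an added example (not part of the sandbox report), the following Python ties the extracted config to the two persistence signatures above: it parses registry-write events in the report's own "Set value (str) <key> = "<data>"" notation, flags anything appended to Winlogon\UserInit beyond the stock userinit.exe, and scores Run values both generically (executable in a user-writable directory) and against the config's reg_key and InstallPath. The event lines are constructed from this page plus a stock UserInit value and a benign Run entry; the user-writable prefix list is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the "Malware Config" section of this report.
DARKCOMET_CONFIG: Dict[str, object] = {
    "family": "darkcomet",
    "botnet": "Guest16_min",
    "c2": "chememo1.no-ip.org:81",
    "mutex": "DCMIN_MUTEX-7W4BBR2",
    "InstallPath": r"DCSCMIN\IMDCSC.exe",
    "install": True,
    "reg_key": "DarkComet RAT",
}

# Constructed registry-write events in the sandbox's notation: the two lines from the
# Signatures section, a stock UserInit value and a benign Run entry (the last two assumed).
REGISTRY_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\System32\\SecurityHealthSystray.exe"',
]

# The only entry Windows ships in Winlogon\UserInit (the trailing comma is part of the stock data).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
# Directories a standard user can write to; a Run entry pointing here deserves a look (assumed list).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

EVENT_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<value>.*)"$')


def parse_event(line: str) -> Optional[Tuple[str, str]]:
    """Split a 'Set value (str) <key> = "<data>"' line into (key, data)."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    # The report prints REG_SZ data with doubled backslashes; collapse them to real paths.
    return m.group("key"), m.group("value").replace("\\\\", "\\")


def userinit_extras(data: str) -> List[str]:
    """Return every comma-separated UserInit entry that is not the stock userinit.exe."""
    entries = [e.strip().strip('"') for e in data.split(",")]
    return [e for e in entries if e and e.lower() != DEFAULT_USERINIT]


def run_key_finding(name: str, command: str, config: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Score one Run value against generic heuristics and against the extracted config."""
    command = command.strip()
    if command.startswith('"'):  # quoted path, possibly followed by arguments
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split(" ")[0]
    reasons: List[str] = []
    if path.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("executable lives in a user-writable directory")
    if name == config.get("reg_key"):
        reasons.append("value name equals the config reg_key")
    install_path = str(config.get("InstallPath", "")).lower()
    if install_path and path.lower().endswith(install_path):
        reasons.append("path ends with the config InstallPath")
    return {"name": name, "path": path, "reasons": reasons} if reasons else None


def analyze(events: List[str], config: Dict[str, object]) -> Dict[str, list]:
    """Run both persistence checks over a list of registry-write event lines."""
    report: Dict[str, list] = {"userinit_extras": [], "run_findings": []}
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue
        key, data = parsed
        key_lower = key.lower()
        if key_lower.endswith("\\winlogon\\userinit"):
            report["userinit_extras"].extend(userinit_extras(data))
        elif "\\currentversion\\run\\" in key_lower:
            finding = run_key_finding(key.rsplit("\\", 1)[1], data, config)
            if finding:
                report["run_findings"].append(finding)
    return report


if __name__ == "__main__":
    for section, hits in analyze(REGISTRY_EVENTS, DARKCOMET_CONFIG).items():
        print(section)
        for hit in hits:
            print("  ", hit)
```

Run against the constructed events it reports exactly one UserInit extra (the IMDCSC.exe path) and one Run finding, the "DarkComet RAT" value, with all three reasons; the stock UserInit line and the System32 Run entry produce nothing. The UserInit check deliberately compares whole entries rather than looking for a substring, because an attacker can also replace userinit.exe outright instead of appending to it.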
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 2948 a1f5a8ee77c66ba3b74b55f37be7b5e5.exe adjusted: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35, 36 (not resolved to names by the sandbox)
  PID 1740 IMDCSC.exe adjusted: the same 24 privileges, in the same order
  Both processes enable the entire privilege set of an administrator token in one pass rather than the one or two they need; SeDebugPrivilege (required to open other processes for injection) and SeLoadDriverPrivilege are the ones that matter for triage.
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1740 IMDCSC.exe
  Only the dropped copy installs a hook, which fits the offline_keylogger=true setting in the config.
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2948 a1f5a8ee77c66ba3b74b55f37be7b5e5.exe wrote to the memory of PID 1740 IMDCSC.exe (three writes)
  The parent writes into the child it has just launched from the install path; there is no write into any pre-existing system process in this run.
Processes
C:\Users\Admin\AppData\Local\Temp\a1f5a8ee77c66ba3b74b55f37be7b5e5.exe (PID 2948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1f5a8ee77c66ba3b74b55f37be7b5e5.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe (PID 1740, child of 2948)
    Command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
  Filesize: 660KB
  MD5: a1f5a8ee77c66ba3b74b55f37be7b5e5
  SHA1: 33c06f5fc98557b20be2719eb6b167de5db97833
  SHA256: 7e6a4187c63b71f6e3ee87adeda48474a0d9787161e2d375d5c9e3a449c902f7
  SHA512: fcd3db5feeeec9a1fe83b8c934d0a8dbf264cafdf7cbaf20084febccda09ae863d34c6819b00ef01e18b94bddec6f89217d25e60d0e1b9ec1c607cc3a234be81
  Every hash matches the submitted sample: IMDCSC.exe is a byte-for-byte copy of the original binary installed under Documents\DCSCMIN, not a second-stage payload, so one file hash covers both the dropper and the installed copy.
Memory dumps
  memory/2948-0: 0x022B0000-0x022B1000, 4KB
  memory/2948-12: 0x00400000-0x004B5000, 724KB
  memory/1740-13: 0x007D0000-0x007D1000, 4KB
  memory/1740-14 through memory/1740-27 (14 dumps): 0x00400000-0x004B5000, 724KB each
The 0x00400000-0x004B5000 region is the main image of both processes (the same range in 2948 and 1740, as expected for a self-copy); the two 4KB regions are single-page allocations.