Analysis
-
max time kernel
160s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
07-03-2024 20:49
General
-
Target
68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe
-
Size
283KB
-
MD5
5d3a6ff4d3968270f9f09e351c24cb3c
-
SHA1
4dbc0b4033cc9174e4fde4c382046205ac44b453
-
SHA256
68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7
-
SHA512
33904af3e7602c0c586ec1e8a4050ac3b9a5338798c42d94aa9e6317860716b74e28c13896d352a73f3ca0708959b3730dafb94121cb28bedd6424a807493e08
-
SSDEEP
6144:AcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37+:AcW7KEZlPzCy37+
Malware Config
Extracted
darkcomet
Guest16
127.0.0.1:1604
darkcomet3.ddns.net:1604
DC_MUTEX-ZJFLPGE
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
J1Dp0ixzbN0M
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Modifies security service 2 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 4 IoCs
-
UPX dump on OEP (original entry point) 7 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe"C:\Users\Admin\AppData\Local\Temp\68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\68fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7.exe" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
283KB
MD55d3a6ff4d3968270f9f09e351c24cb3c
SHA14dbc0b4033cc9174e4fde4c382046205ac44b453
SHA25668fc96d5c5f960966b6d7afd2e52f8e97c31afaa35091bd4656f0f2095217bb7
SHA51233904af3e7602c0c586ec1e8a4050ac3b9a5338798c42d94aa9e6317860716b74e28c13896d352a73f3ca0708959b3730dafb94121cb28bedd6424a807493e08
-
memory/584-38-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2496-0-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2496-1-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/2496-34-0x0000000003B30000-0x0000000003BF7000-memory.dmpFilesize
796KB
-
memory/2496-37-0x0000000003B30000-0x0000000003BF7000-memory.dmpFilesize
796KB
-
memory/2496-43-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2680-5-0x00000000000C0000-0x00000000000C1000-memory.dmpFilesize
4KB
-
memory/2680-25-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2944-35-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2944-39-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/2944-40-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB