Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15-03-2024 17:03

General

  • Target

    001d1b9ef0730a65eeb9d7e745d9cebb76207406fa5d9580599cc46307c88d86.exe

  • Size

    975KB

  • MD5

    af7484c40877c3d74d58100509797f71

  • SHA1

    70cd03800362f1b35dc5260642ebf7d2159f18b8

  • SHA256

    001d1b9ef0730a65eeb9d7e745d9cebb76207406fa5d9580599cc46307c88d86

  • SHA512

    b964f8277222df462ffd60b321ce856bdc4956234171bd8ea57dff4adfa02a07d0101e52eb5e5db5684a5b3f56b6ec67cadb10db9fb87b8d51affe8cba9220e1

  • SSDEEP

    12288:W9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hlx3st:yZ1xuVVjfFoynPaVBUR8f+kN10EBDBst

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

nakaga.ddns.net:1604

Mutex

DC_MUTEX-4A2S168

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    pkmsYsbr22Ni

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\001d1b9ef0730a65eeb9d7e745d9cebb76207406fa5d9580599cc46307c88d86.exe
    "C:\Users\Admin\AppData\Local\Temp\001d1b9ef0730a65eeb9d7e745d9cebb76207406fa5d9580599cc46307c88d86.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\001d1b9ef0730a65eeb9d7e745d9cebb76207406fa5d9580599cc46307c88d86.exe" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\001d1b9ef0730a65eeb9d7e745d9cebb76207406fa5d9580599cc46307c88d86.exe" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:3064
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2524
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Deletes itself
      PID:2920
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2400
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:2388

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Defense Evasion

    Modify Registry

    7
    T1112

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Filesize

      704KB

      MD5

      364b5d43fbd86a37afe2558f6fde918c

      SHA1

      13b06934374707cded7340d24d263de86b578d08

      SHA256

      2c211615de3f42a20a744db0261f96059bd579589e399f5efa83d5d1d249244e

      SHA512

      d9fc91363e690b3493a27deb4de51212a5ba8b5c6bfb147b7b9b42dd4d1688572c4c03d4e80eae5e8dc3de30bded813ce8e2ff87465366b2ae3eb824f46813e0

    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Filesize

      512KB

      MD5

      747172d60c520ddd93eb2f5ca6f63839

      SHA1

      d5972b9a6157596c53ffc53115c164db3cbc36ce

      SHA256

      7c7036768f9744773b95e6e3ffdad3b58a2efddd47dd9ff42d266cb225a4a83f

      SHA512

      32e85c52ba96892bb3b0250dbe78b006ab2ed258d3c6c14d721e9e69321b02510cce6574396d844568f86e2a248a744bddfc6f331cadaab752c6dbe0ae08a8af

    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Filesize

      975KB

      MD5

      af7484c40877c3d74d58100509797f71

      SHA1

      70cd03800362f1b35dc5260642ebf7d2159f18b8

      SHA256

      001d1b9ef0730a65eeb9d7e745d9cebb76207406fa5d9580599cc46307c88d86

      SHA512

      b964f8277222df462ffd60b321ce856bdc4956234171bd8ea57dff4adfa02a07d0101e52eb5e5db5684a5b3f56b6ec67cadb10db9fb87b8d51affe8cba9220e1

    • \Users\Admin\Documents\MSDCSC\msdcsc.exe
      Filesize

      64KB

      MD5

      64801e5c05eda847c6488a2b59445d1d

      SHA1

      3a96b8a71afc35c7ea6fae9d7bc375fbd14571af

      SHA256

      0ab158a8a4174f782736abafac756ca3dbff767332058279be357b1afa7b6d61

      SHA512

      fa2060b7585965fc5ae76a44e4358ca1018d070e3142ed903926e54bfac030e924f8b8996602c1caa3ed1a1cc09aaa23858617bdba14a023a91451fa63a23f16

    • \Users\Admin\Documents\MSDCSC\msdcsc.exe
      Filesize

      640KB

      MD5

      5b20d3dc2efe522a1707454a19ea5d04

      SHA1

      b57a8afac278566e8546e69317655b660c82c07f

      SHA256

      a67c6362fe60aa956d925b4c22513d1ab239933eeeb5e455ab5d428c15881b32

      SHA512

      7efe558301cc54147aa65c24ad5b54cfad4d4fdccd5fc5cf9ead2f9b7f168cfc058c65c5e1b92e6fcceb53e9aa010a081dab00c8c07ddef6e38f75d456d38fa6

    • memory/1708-0-0x0000000000240000-0x0000000000241000-memory.dmp
      Filesize

      4KB

    • memory/1708-70-0x0000000000400000-0x0000000000501000-memory.dmp
      Filesize

      1.0MB

    • memory/2388-69-0x00000000002D0000-0x00000000002D1000-memory.dmp
      Filesize

      4KB

    • memory/2400-37-0x00000000003C0000-0x00000000003C1000-memory.dmp
      Filesize

      4KB

    • memory/2400-72-0x0000000000400000-0x0000000000501000-memory.dmp
      Filesize

      1.0MB

    • memory/2400-73-0x0000000000400000-0x0000000000501000-memory.dmp
      Filesize

      1.0MB

    • memory/2400-74-0x0000000000400000-0x0000000000501000-memory.dmp
      Filesize

      1.0MB

    • memory/2400-75-0x0000000000400000-0x0000000000501000-memory.dmp
      Filesize

      1.0MB

    • memory/2400-76-0x0000000000400000-0x0000000000501000-memory.dmp
      Filesize

      1.0MB

    • memory/2400-77-0x0000000000400000-0x0000000000501000-memory.dmp
      Filesize

      1.0MB

    • memory/2920-28-0x00000000008C0000-0x00000000008C1000-memory.dmp
      Filesize

      4KB

    • memory/2920-4-0x00000000000C0000-0x00000000000C1000-memory.dmp
      Filesize

      4KB