Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 31-03-2024 14:53
Behavioral task: behavioral1
- Sample: HELLO.unp.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: HELLO.unp.exe
- Resource: win10v2004-20240319-en
General
- Target: HELLO.unp.exe
- Size: 658KB
- MD5: 267094ebf6a54d3d49f534edae1cd2dc
- SHA1: c160f42f2c8797f091e5ca82d81381f532b22587
- SHA256: 6cf7e0d4a5c25a59425b81ffc18965e5b97776bb73968b704d7d40e19f23104f
- SHA512: 04ce86f361b48d820b1f45942c8d440597dafe1fe7cebca0f9a7a5689050ce7278ac0cd5c3f0f4a309d2e2f344d58c1976345308617bc89ac1ddbce63348e623
- SSDEEP: 12288:f9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/:JZ1xuVVjfFoynPaVBUR8f+kN10Ed
Malware Config
Extracted
- Family: darkcomet
- Campaign ID: Guest16_min
- C2: lightttt.ddns.net:1604
- Mutex: DCMIN_MUTEX-BJLBQY4
Attributes
- InstallPath: DCSCMIN\IMDCSC.exe
- gencode: u03TbGe5ctBh
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: DarkComet RAT
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: HELLO.unp.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\DCSCMIN\\IMDCSC.exe"
- Executes dropped EXE (1 IoC)
  Process: IMDCSC.exe (pid 2028)
- Loads dropped DLL (2 IoCs)
  Process: HELLO.unp.exe (pid 2972), reported twice
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: HELLO.unp.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\DCSCMIN\\IMDCSC.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: HELLO.unp.exe (pid 2972) and IMDCSC.exe (pid 2028)
  Each of the two processes adjusted the same 23 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: IMDCSC.exe (pid 2028)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Source process: HELLO.unp.exe (pid 2972)
  Target process: IMDCSC.exe (pid 2028)
  Description: PID 2972 wrote to memory of 2028 (reported four times)
Processes
- C:\Users\Admin\AppData\Local\Temp\HELLO.unp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HELLO.unp.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe
    Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe
  Filesize: 658KB
  MD5: 267094ebf6a54d3d49f534edae1cd2dc
  SHA1: c160f42f2c8797f091e5ca82d81381f532b22587
  SHA256: 6cf7e0d4a5c25a59425b81ffc18965e5b97776bb73968b704d7d40e19f23104f
  SHA512: 04ce86f361b48d820b1f45942c8d440597dafe1fe7cebca0f9a7a5689050ce7278ac0cd5c3f0f4a309d2e2f344d58c1976345308617bc89ac1ddbce63348e623
  (same size and hashes as the submitted sample, i.e. a byte-identical copy)
- memory/2028-10-0x00000000001D0000-0x00000000001D1000-memory.dmp
  Filesize: 4KB
- memory/2028-13-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/2028-15-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/2972-0-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize: 4KB
- memory/2972-12-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB