Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240319-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-03-2024 14:53
Behavioral task behavioral1
- Sample: HELLO.unp.exe
- Resource: win7-20240221-en

Behavioral task behavioral2
- Sample: HELLO.unp.exe
- Resource: win10v2004-20240319-en
General
- Target: HELLO.unp.exe
- Size: 658KB
- MD5: 267094ebf6a54d3d49f534edae1cd2dc
- SHA1: c160f42f2c8797f091e5ca82d81381f532b22587
- SHA256: 6cf7e0d4a5c25a59425b81ffc18965e5b97776bb73968b704d7d40e19f23104f
- SHA512: 04ce86f361b48d820b1f45942c8d440597dafe1fe7cebca0f9a7a5689050ce7278ac0cd5c3f0f4a309d2e2f344d58c1976345308617bc89ac1ddbce63348e623
- SSDEEP: 12288:f9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/:JZ1xuVVjfFoynPaVBUR8f+kN10Ed
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16_min
- C2: lightttt.ddns.net:1604
- Mutex: DCMIN_MUTEX-BJLBQY4
- InstallPath: DCSCMIN\IMDCSC.exe
- gencode: u03TbGe5ctBh
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: DarkComet RAT
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  HELLO.unp.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\DCSCMIN\\IMDCSC.exe"

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  HELLO.unp.exe: Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
Processes:
  IMDCSC.exe (PID 992)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  HELLO.unp.exe: Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\DCSCMIN\\IMDCSC.exe"

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
  HELLO.unp.exe (PID 3572), token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  IMDCSC.exe (PID 992), token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  IMDCSC.exe (PID 992)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  HELLO.unp.exe (PID 3572) wrote to the memory of IMDCSC.exe (PID 992), 3 events
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\HELLO.unp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HELLO.unp.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe
    Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2132,i,4018525042804461719,1997165676266557055,262144 --variations-seed-version /prefetch:8
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe (hashes identical to the submitted sample)
  Filesize: 658KB
  MD5: 267094ebf6a54d3d49f534edae1cd2dc
  SHA1: c160f42f2c8797f091e5ca82d81381f532b22587
  SHA256: 6cf7e0d4a5c25a59425b81ffc18965e5b97776bb73968b704d7d40e19f23104f
  SHA512: 04ce86f361b48d820b1f45942c8d440597dafe1fe7cebca0f9a7a5689050ce7278ac0cd5c3f0f4a309d2e2f344d58c1976345308617bc89ac1ddbce63348e623
- memory/992-12-0x0000000002080000-0x0000000002081000-memory.dmp
  Filesize: 4KB
- memory/992-14-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/992-16-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
- memory/3572-0-0x00000000023F0000-0x00000000023F1000-memory.dmp
  Filesize: 4KB
- memory/3572-13-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB