Analysis

  • max time kernel
    152s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 13:53

General

  • Target

    eddb245a5dc0d8f70ffb66c033cbaa38ea4639d900739c5580bc37d86f258816.exe

  • Size

    350KB

  • MD5

    220fd88ed61a81dd7238c8385fc8c5f7

  • SHA1

    b4c6ea98e705912f38816bd4aff085871b1bae80

  • SHA256

    eddb245a5dc0d8f70ffb66c033cbaa38ea4639d900739c5580bc37d86f258816

  • SHA512

    355aad3cc89c3d6acaf53a7091903d6b0b4092e1f4c7bc6c41255a7aafce00d3807ddad4b5c027a0437938e17278f7a8d591a085b4e014fff8d6165fdeb6838f

  • SSDEEP

    6144:hSncRldcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37wxM:Q4jcW7KEZlPzCy37

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

sussynv83dj893.duckdns.org:1604

Mutex

DC_MUTEX-RU83HNV

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    MFz6heXQQ4jP

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eddb245a5dc0d8f70ffb66c033cbaa38ea4639d900739c5580bc37d86f258816.exe
    "C:\Users\Admin\AppData\Local\Temp\eddb245a5dc0d8f70ffb66c033cbaa38ea4639d900739c5580bc37d86f258816.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Users\Admin\AppData\Local\Temp\ASDKODGS.EXE
      "C:\Users\Admin\AppData\Local\Temp\ASDKODGS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ASDKODGS.EXE" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\ASDKODGS.EXE" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:492
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3196
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:2732
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3856
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
            PID:3360
      • C:\Users\Admin\AppData\Local\Temp\ZBYTE2.0.EXE
        "C:\Users\Admin\AppData\Local\Temp\ZBYTE2.0.EXE"
        2⤵
        • Executes dropped EXE
        PID:2176
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:2448

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Defense Evasion

      Modify Registry

      2
      T1112

      Hide Artifacts

      2
      T1564

      Hidden Files and Directories

      2
      T1564.001

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\ASDKODGS.EXE
        Filesize

        251KB

        MD5

        0055ec3943749262735d79fcb4f04119

        SHA1

        b2c2dce19536c945785534f9fa4b5062ec43d541

        SHA256

        85bfcf8f009f442c997e9aa5ddb9430fd8e55b98c1c6108e248d9aa901f15c0b

        SHA512

        72b1873565f9fe8c8ae273df2805f2f1a126581f67bdead56c6818637c9026d6ff7f36bc4280de58b18e9670b209006db404ee7122cd5fd830e6464590f3b807

      • C:\Users\Admin\AppData\Local\Temp\ZBYTE2.0.EXE
        Filesize

        46KB

        MD5

        fc90c2fb06b099a072bd23f4722c591d

        SHA1

        69c2f9af2391b3311ce344a922ac650b0f3456b9

        SHA256

        e0df4445f3486b15b57da921ddc15b3137a5f2eb035f34130bc51f6be16d747e

        SHA512

        c3e87df8217d421abe951492809c7a89a5aaae341242c03428731362cb4907801e21da4bc6271d455ca7280131c59f2cb0137b829556d9c2f2a944be471cd619

      • memory/2176-51-0x0000000005730000-0x0000000005740000-memory.dmp
        Filesize

        64KB

      • memory/2176-47-0x00000000056D0000-0x00000000056DA000-memory.dmp
        Filesize

        40KB

      • memory/2176-36-0x0000000073150000-0x0000000073900000-memory.dmp
        Filesize

        7.7MB

      • memory/2176-44-0x0000000005800000-0x0000000005892000-memory.dmp
        Filesize

        584KB

      • memory/2176-56-0x0000000005730000-0x0000000005740000-memory.dmp
        Filesize

        64KB

      • memory/2176-40-0x0000000000CC0000-0x0000000000CD4000-memory.dmp
        Filesize

        80KB

      • memory/2176-53-0x0000000005730000-0x0000000005740000-memory.dmp
        Filesize

        64KB

      • memory/2176-42-0x0000000005760000-0x00000000057FC000-memory.dmp
        Filesize

        624KB

      • memory/2176-43-0x0000000005DB0000-0x0000000006354000-memory.dmp
        Filesize

        5.6MB

      • memory/2176-49-0x0000000073150000-0x0000000073900000-memory.dmp
        Filesize

        7.7MB

      • memory/2176-46-0x0000000005730000-0x0000000005740000-memory.dmp
        Filesize

        64KB

      • memory/2176-48-0x0000000005A10000-0x0000000005A66000-memory.dmp
        Filesize

        344KB

      • memory/3360-39-0x0000000000EA0000-0x0000000000EA1000-memory.dmp
        Filesize

        4KB

      • memory/3856-58-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/3856-62-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/3856-52-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/3856-55-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/3856-38-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/3856-45-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/3856-60-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/3856-37-0x00000000009E0000-0x00000000009E1000-memory.dmp
        Filesize

        4KB

      • memory/4632-23-0x0000000002500000-0x0000000002501000-memory.dmp
        Filesize

        4KB

      • memory/4632-11-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

      • memory/4632-41-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB