Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-04-2024 02:45

General

  • Target

    e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe

  • Size

    1.1MB

  • MD5

    e88bab5d7caf5f30f87e56fce21b8eb4

  • SHA1

    32bf71fcec9a64e9d8adf36201b15803a9d5812d

  • SHA256

    e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca

  • SHA512

    7cff1f10c83247257d30508ac9d8aa6a12bd1f536bcc3aee95b61144584d839e350d38f3fc1cf11b4b1da6530e5191291af1bfdbf8c906e124b7abcf14e5f3e1

  • SSDEEP

    24576:mJwXnr79xF09allHpm/rhUZqACJy5aGU:mu3rl7PmThVAOycGU

Malware Config

Extracted

Family

darkcomet

Botnet

crypter

C2

184.144.223.8:51800

overcrash.no-ip.biz:51800

Mutex

DC_MUTEX-E5P79CY

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    7LSrP3sXvcog

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Sets file to hidden (1 TTP, 2 IoCs)

    Modifies file attributes so the file is not shown in Explorer and similar tools.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (2 IoCs)
  • Uses the VBS compiler for execution (1 TTP)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (24 IoCs)
  • Suspicious use of WriteProcessMemory (48 IoCs)
  • Views/modifies file attributes (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe
    "C:\Users\Admin\AppData\Local\Temp\e78da21d88d678da382cf9f10be55d75ce6f5d438fc2bb6471f82a51575ae1ca.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Users\Admin\AppData\Local\Temp\vbc.exe
      C:\Users\Admin\AppData\Local\Temp\vbc.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\vbc.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3232
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\vbc.exe" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:2168
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4828
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        PID:220
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        PID:1776
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:1156

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\vbc.exe

    Filesize

    1.1MB

    MD5

    d881de17aa8f2e2c08cbb7b265f928f9

    SHA1

    08936aebc87decf0af6e8eada191062b5e65ac2a

    SHA256

    b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

    SHA512

    5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

  • memory/220-18-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

  • memory/3968-0-0x0000000075120000-0x00000000756D1000-memory.dmp

    Filesize

    5.7MB

  • memory/3968-1-0x0000000075120000-0x00000000756D1000-memory.dmp

    Filesize

    5.7MB

  • memory/3968-2-0x0000000000D50000-0x0000000000D60000-memory.dmp

    Filesize

    64KB

  • memory/3968-11-0x0000000075120000-0x00000000756D1000-memory.dmp

    Filesize

    5.7MB

  • memory/4856-5-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

  • memory/4856-9-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

  • memory/4856-10-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

  • memory/4856-13-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

  • memory/4856-14-0x0000000000A40000-0x0000000000A41000-memory.dmp

    Filesize

    4KB

  • memory/4856-77-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB