Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
20-05-2024 09:55
General
-
Target
dark.exe
-
Size
658KB
-
MD5
230751a9ef1cdccc11aa40a70a259f22
-
SHA1
84f530c5b6313e9bad82c7d1d0826a3948658149
-
SHA256
bc1ad6c5ba21d4007f5b06b13bd9f1647188fc4605dea8e13a039ce5ec5f7eb2
-
SHA512
31ce9157cdfb89e7f28303c9bcb4c5a10fa1c0a150119d7abfe016858031dc4e9987175139f5768846eeb03cdb93afb8fd46f816f2a286c35eb2d6ac1cba6269
-
SSDEEP
12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hU:eZ1xuVVjfFoynPaVBUR8f+kN10EBm
Malware Config
Extracted
darkcomet
tek
gecce.no-ip.biz:3461
DC_MUTEX-M0JG7NY
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
Q7wXAkJLgEkp
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dark.exe"C:\Users\Admin\AppData\Local\Temp\dark.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
658KB
MD5230751a9ef1cdccc11aa40a70a259f22
SHA184f530c5b6313e9bad82c7d1d0826a3948658149
SHA256bc1ad6c5ba21d4007f5b06b13bd9f1647188fc4605dea8e13a039ce5ec5f7eb2
SHA51231ce9157cdfb89e7f28303c9bcb4c5a10fa1c0a150119d7abfe016858031dc4e9987175139f5768846eeb03cdb93afb8fd46f816f2a286c35eb2d6ac1cba6269
-
memory/1548-0-0x0000000000250000-0x0000000000251000-memory.dmpFilesize
4KB
-
memory/1548-55-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2576-65-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2576-62-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2576-70-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2576-28-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/2576-57-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2576-58-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2576-59-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2576-60-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2576-61-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2576-69-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2576-63-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2576-64-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2576-68-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2576-66-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2576-67-0x0000000000400000-0x00000000004B2000-memory.dmpFilesize
712KB
-
memory/2720-54-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/3024-19-0x0000000000160000-0x0000000000161000-memory.dmpFilesize
4KB
-
memory/3024-3-0x00000000000B0000-0x00000000000B1000-memory.dmpFilesize
4KB