Overview

overview

10

Static

static

10

53633b7a42...4N.exe

windows7-x64

10

53633b7a42...4N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    25-10-2024 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53633b7a4243d0b9668ed02310ec0fe2841fc35b024770df0a0ff56e01c956e4N.exe

  • Size

    659KB

  • MD5

    a7a5110423e033baaf3cf86ca69ab630

  • SHA1

    40fcdc432ea715ee418761b83c409cd3c9942a6b

  • SHA256

    53633b7a4243d0b9668ed02310ec0fe2841fc35b024770df0a0ff56e01c956e4

  • SHA512

    59a32aa912fe3fa35a15980b542fc8fd2b327e11286a01f6285844fa4e1bab298e723fc9bc2d95832f8ab001d2b5a804b3ceef28b276774959c5d15b68061536

  • SSDEEP

    12288:G9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/he:iZ1xuVVjfFoynPaVBUR8f+kN10EBM

Score
10/10
darkcometserverdiscoveryevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

server

C2

sgdy.ddns.net:1122

Mutex

DC_MUTEX-309Q75Q

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    S89mQro8dxG3

  • install

    true

  • offline_keylogger

    true

  • password

    December2oo2

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\53633b7a4243d0b9668ed02310ec0fe2841fc35b024770df0a0ff56e01c956e4N.exe
    "C:\Users\Admin\AppData\Local\Temp\53633b7a4243d0b9668ed02310ec0fe2841fc35b024770df0a0ff56e01c956e4N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\53633b7a4243d0b9668ed02310ec0fe2841fc35b024770df0a0ff56e01c956e4N.exe" +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\53633b7a4243d0b9668ed02310ec0fe2841fc35b024770df0a0ff56e01c956e4N.exe" +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2252
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2420
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
      2⤵
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    Filesize

    659KB

    MD5

    a7a5110423e033baaf3cf86ca69ab630

    SHA1

    40fcdc432ea715ee418761b83c409cd3c9942a6b

    SHA256

    53633b7a4243d0b9668ed02310ec0fe2841fc35b024770df0a0ff56e01c956e4

    SHA512

    59a32aa912fe3fa35a15980b542fc8fd2b327e11286a01f6285844fa4e1bab298e723fc9bc2d95832f8ab001d2b5a804b3ceef28b276774959c5d15b68061536

    Download Submit

  • memory/1584-52-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1584-0-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2008-57-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2008-59-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2008-66-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2008-53-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2008-54-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2008-55-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2008-56-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2008-11-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2008-58-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2008-65-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2008-60-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2008-61-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2008-62-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2008-63-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2008-64-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2808-51-0x00000000001A0000-0x00000000001A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2808-13-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download