Analysis
max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
09-11-2024 04:16
Static task
static1
Behavioral task
behavioral1
Sample
3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Resource
win7-20240903-en
General
Target
3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Size
929KB
MD5
92ff8539eb093582609a7a8083f38930
SHA1
fde8cc65fdd5ab825f1be7daa9c9e422d32a3c7f
SHA256
3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafde
SHA512
bd3303b7b73b0e2460db1cbd2428b3e55ed56d8c6258d016613c762190a3196ecfade2c98ba59a23e207a67c9efa67b3e0da880bc299020eb4130a6092a024fd
SSDEEP
24576:I+QawCFbpfu2X0UOkcBk8NPktcNrUBC0lyE:YjupvOzpZSrX
Malware Config
Extracted
darkcomet
TP
eviloton.no-ip.biz:1604
DCMIN_MUTEX-QZP3U75
InstallPath
DCSCMIN\IMDCSC.exe
gencode
hrLBKzjjkYGB
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT
Signatures
Darkcomet family
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Executes dropped EXE 11 IoCs
pid | Process
2128 | IMDCSC.exe
2248 | IMDCSC.exe
1876 | IMDCSC.exe
1628 | IMDCSC.exe
2300 | IMDCSC.exe
684 | IMDCSC.exe
2736 | IMDCSC.exe
2752 | IMDCSC.exe
2828 | IMDCSC.exe
2860 | IMDCSC.exe
2868 | IMDCSC.exe
Loads dropped DLL 1 IoCs
pid | Process
2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartupProgram = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe" | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartupProgram = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" | IMDCSC.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2256 set thread context of 2936 | 2256 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 30
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IMDCSC.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeSecurityPrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeTakeOwnershipPrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeLoadDriverPrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeSystemProfilePrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeSystemtimePrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeProfSingleProcessPrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeIncBasePriorityPrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeCreatePagefilePrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeBackupPrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeRestorePrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeShutdownPrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeDebugPrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeSystemEnvironmentPrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeChangeNotifyPrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeRemoteShutdownPrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeUndockPrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeManageVolumePrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeImpersonatePrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: SeCreateGlobalPrivilege | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: 33 | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: 34 | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Token: 35 | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
Suspicious use of WriteProcessMemory 57 IoCs
description | pid | Process | procid_target
PID 2256 wrote to memory of 2936 | 2256 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 30
PID 2256 wrote to memory of 2936 | 2256 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 30
PID 2256 wrote to memory of 2936 | 2256 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 30
PID 2256 wrote to memory of 2936 | 2256 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 30
PID 2256 wrote to memory of 2936 | 2256 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 30
PID 2256 wrote to memory of 2936 | 2256 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 30
PID 2256 wrote to memory of 2936 | 2256 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 30
PID 2256 wrote to memory of 2936 | 2256 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 30
PID 2256 wrote to memory of 2936 | 2256 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 30
PID 2256 wrote to memory of 2936 | 2256 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 30
PID 2256 wrote to memory of 2936 | 2256 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 30
PID 2256 wrote to memory of 2936 | 2256 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 30
PID 2256 wrote to memory of 2936 | 2256 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 30
PID 2936 wrote to memory of 2128 | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 31
PID 2936 wrote to memory of 2128 | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 31
PID 2936 wrote to memory of 2128 | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 31
PID 2936 wrote to memory of 2128 | 2936 | 3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe | 31
PID 2128 wrote to memory of 2248 | 2128 | IMDCSC.exe | 32
PID 2128 wrote to memory of 2248 | 2128 | IMDCSC.exe | 32
PID 2128 wrote to memory of 2248 | 2128 | IMDCSC.exe | 32
PID 2128 wrote to memory of 2248 | 2128 | IMDCSC.exe | 32
PID 2128 wrote to memory of 1876 | 2128 | IMDCSC.exe | 33
PID 2128 wrote to memory of 1876 | 2128 | IMDCSC.exe | 33
PID 2128 wrote to memory of 1876 | 2128 | IMDCSC.exe | 33
PID 2128 wrote to memory of 1876 | 2128 | IMDCSC.exe | 33
PID 2128 wrote to memory of 2300 | 2128 | IMDCSC.exe | 34
PID 2128 wrote to memory of 2300 | 2128 | IMDCSC.exe | 34
PID 2128 wrote to memory of 2300 | 2128 | IMDCSC.exe | 34
PID 2128 wrote to memory of 2300 | 2128 | IMDCSC.exe | 34
PID 2128 wrote to memory of 1628 | 2128 | IMDCSC.exe | 35
PID 2128 wrote to memory of 1628 | 2128 | IMDCSC.exe | 35
PID 2128 wrote to memory of 1628 | 2128 | IMDCSC.exe | 35
PID 2128 wrote to memory of 1628 | 2128 | IMDCSC.exe | 35
PID 2128 wrote to memory of 684 | 2128 | IMDCSC.exe | 36
PID 2128 wrote to memory of 684 | 2128 | IMDCSC.exe | 36
PID 2128 wrote to memory of 684 | 2128 | IMDCSC.exe | 36
PID 2128 wrote to memory of 684 | 2128 | IMDCSC.exe | 36
PID 2128 wrote to memory of 2736 | 2128 | IMDCSC.exe | 37
PID 2128 wrote to memory of 2736 | 2128 | IMDCSC.exe | 37
PID 2128 wrote to memory of 2736 | 2128 | IMDCSC.exe | 37
PID 2128 wrote to memory of 2736 | 2128 | IMDCSC.exe | 37
PID 2128 wrote to memory of 2752 | 2128 | IMDCSC.exe | 38
PID 2128 wrote to memory of 2752 | 2128 | IMDCSC.exe | 38
PID 2128 wrote to memory of 2752 | 2128 | IMDCSC.exe | 38
PID 2128 wrote to memory of 2752 | 2128 | IMDCSC.exe | 38
PID 2128 wrote to memory of 2828 | 2128 | IMDCSC.exe | 39
PID 2128 wrote to memory of 2828 | 2128 | IMDCSC.exe | 39
PID 2128 wrote to memory of 2828 | 2128 | IMDCSC.exe | 39
PID 2128 wrote to memory of 2828 | 2128 | IMDCSC.exe | 39
PID 2128 wrote to memory of 2860 | 2128 | IMDCSC.exe | 40
PID 2128 wrote to memory of 2860 | 2128 | IMDCSC.exe | 40
PID 2128 wrote to memory of 2860 | 2128 | IMDCSC.exe | 40
PID 2128 wrote to memory of 2860 | 2128 | IMDCSC.exe | 40
PID 2128 wrote to memory of 2868 | 2128 | IMDCSC.exe | 41
PID 2128 wrote to memory of 2868 | 2128 | IMDCSC.exe | 41
PID 2128 wrote to memory of 2868 | 2128 | IMDCSC.exe | 41
PID 2128 wrote to memory of 2868 | 2128 | IMDCSC.exe | 41
Processes
1. C:\Users\Admin\AppData\Local\Temp\3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
   "C:\Users\Admin\AppData\Local\Temp\3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID:2256
   2. C:\Users\Admin\AppData\Local\Temp\3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe
      "C:\Users\Admin\AppData\Local\Temp\3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafdeN.exe"
      - Modifies WinLogon for persistence
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:2936
      3. C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
         "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID:2128
         4. C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
            "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
            - Executes dropped EXE
            PID:2248
         4. C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
            "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
            - Executes dropped EXE
            PID:1876
         4. C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
            "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
            - Executes dropped EXE
            PID:2300
         4. C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
            "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
            - Executes dropped EXE
            PID:1628
         4. C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
            "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
            - Executes dropped EXE
            PID:684
         4. C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
            "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
            - Executes dropped EXE
            PID:2736
         4. C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
            "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
            - Executes dropped EXE
            PID:2752
         4. C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
            "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
            - Executes dropped EXE
            PID:2828
         4. C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
            "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
            - Executes dropped EXE
            PID:2860
         4. C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
            "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
            - Executes dropped EXE
            PID:2868
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Downloads
Filesize
929KB
MD5
92ff8539eb093582609a7a8083f38930
SHA1
fde8cc65fdd5ab825f1be7daa9c9e422d32a3c7f
SHA256
3d0e1f7330885586e1cdeeeee34a224ace2c9ffadbbcad2aa7d15caf637eafde
SHA512
bd3303b7b73b0e2460db1cbd2428b3e55ed56d8c6258d016613c762190a3196ecfade2c98ba59a23e207a67c9efa67b3e0da880bc299020eb4130a6092a024fd