Analysis
-
max time kernel
141s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
05-12-2024 13:34
General
-
Target
xray.exe
-
Size
658KB
-
MD5
d10c9632d629e612688f4d899adad7ac
-
SHA1
23b80255a664d7218c388c0e4e4b059c37ea09af
-
SHA256
8cec15a4d96162345b86b2dc2219f182c194e5860febfbc698cf23eac91dcc72
-
SHA512
eb4a370049f00ef00296403c3028fcd7f472f34f1d07df02c28512c17ac5b18cbebc02024ad4a0849490cb5c085613fd0640b6a28cf3db4b2623cfca9afb5dec
-
SSDEEP
12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hj:KZ1xuVVjfFoynPaVBUR8f+kN10EBh
Malware Config
Extracted
darkcomet
Guest16
192.168.1.122:1604
DC_MUTEX-20997BK
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
LEeu9F65GHcF
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\xray.exe"C:\Users\Admin\AppData\Local\Temp\xray.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
658KB
MD5d10c9632d629e612688f4d899adad7ac
SHA123b80255a664d7218c388c0e4e4b059c37ea09af
SHA2568cec15a4d96162345b86b2dc2219f182c194e5860febfbc698cf23eac91dcc72
SHA512eb4a370049f00ef00296403c3028fcd7f472f34f1d07df02c28512c17ac5b18cbebc02024ad4a0849490cb5c085613fd0640b6a28cf3db4b2623cfca9afb5dec
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
4KB
-
Filesize
712KB