General

Target: 8d73ac73eba45b1db3a844ab6422a62cde5df9b50b8341a8b1f1890306df8170N.exe
Size: 1.1MB
Sample: 241216-g32nkayrgp
MD5: f3edc773c01fb12320894e8a2ad77a60
SHA1: 3d86b6de4f4f1b923e279701d754d049642930f2
SHA256: 8d73ac73eba45b1db3a844ab6422a62cde5df9b50b8341a8b1f1890306df8170
SHA512: 1433d224bf7906af0d1212497fe44851d158cab1fe9f17cef54ccde33798d8f959d210a7f02f387ddae6e28f1a2d2f1b28421271d82b28fb82ccb9c009e68e71
SSDEEP: 24576:cxmevFZfsrcTxNUlZIVVa5ILh9Rhw6us5Tev:Ome9JpNUlyVa5I0s2
Static task: static1
Behavioral task: behavioral1
Sample: 8d73ac73eba45b1db3a844ab6422a62cde5df9b50b8341a8b1f1890306df8170N.exe
Resource: win7-20240903-en
Malware Config

Extracted: darkcomet
HACKER3
192.168.50.131:1604
DC_MUTEX-3NPS047

InstallPath: MSDCSC\msdcsc.exe
gencode: Y1vgLbKRvW3j
install: true
offline_keylogger: true
password: WELCOME3
persistence: false
reg_key: MicroUpdate
Targets

Target: 8d73ac73eba45b1db3a844ab6422a62cde5df9b50b8341a8b1f1890306df8170N.exe
Size: 1.1MB
MD5: f3edc773c01fb12320894e8a2ad77a60
SHA1: 3d86b6de4f4f1b923e279701d754d049642930f2
SHA256: 8d73ac73eba45b1db3a844ab6422a62cde5df9b50b8341a8b1f1890306df8170
SHA512: 1433d224bf7906af0d1212497fe44851d158cab1fe9f17cef54ccde33798d8f959d210a7f02f387ddae6e28f1a2d2f1b28421271d82b28fb82ccb9c009e68e71
SSDEEP: 24576:cxmevFZfsrcTxNUlZIVVa5ILh9Rhw6us5Tev:Ome9JpNUlyVa5I0s2
- Darkcomet family
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Blocks application from running via registry modification (adds application to list of disallowed applications)
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (4)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)