General
-
Target
https://files.catbox.moe/u6ag3a.rar
-
Sample
250415-rzbm3swjs7
Malware Config
Extracted
darkcomet
Guest16
jvjv2044duck33.duckdns.org:1604
DC_MUTEX-XRPJ1DD
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
pTznB8ghEqA5
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
https://files.catbox.moe/u6ag3a.rar
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
-
Infinitylock family
-
Modifies WinLogon for persistence
-
Modifies visibility of file extensions in Explorer
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
UAC bypass
-
Renames multiple (4310) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
3Hidden Files and Directories
3Impair Defenses
1Disable or Modify Tools
1Indicator Removal
1File Deletion
1Modify Registry
8Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1