File name:	6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363.exe
Full analysis:	https://app.any.run/tasks/c25d5534-305c-40b8-9182-91d8cd17d2fc
Verdict:	Malicious activity
Threats:	DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim. Malware Trends Tracker >>>
Analysis date:	December 13, 2024, 13:21:20
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	darkcomet
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:	F6351DA84168D40FAE8DA0C156FBAB0F
SHA1:	1A2283C85BC5C655F5F2F77F27EC3A9412E8DB7E
SHA256:	6D34DED00C0DA9887BA752872093F59C649DE72A1F629A32014F5ED8BE509363
SSDEEP:	12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hn:qZ1xuVVjfFoynPaVBUR8f+kN10EBV

.exe	\|	Win32 Executable Delphi generic (31.9)
.scr	\|	Windows screen saver (29.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.8)
.exe	\|	Win32 Executable (generic) (10.1)
.exe	\|	Win16/32 Executable Delphi generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:06:07 15:59:53+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	586752
InitializedDataSize:	86528
UninitializedDataSize:	-
EntryPoint:	0x8f888
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	4.0.0.0
ProductVersionNumber:	4.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	Remote Service Application
CompanyName:	Microsoft Corp.
FileDescription:	Remote Service Application
FileVersion:	1, 0, 0, 1
InternalName:	MSRSAAPP
LegalCopyright:	Copyright (C) 1999
OriginalFileName:	MSRSAAP.EXE
ProductName:	Remote Service Application
ProductVersion:	4, 0, 0, 0


(PID) Process:	(6412) 6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	MicroUpdate
Value: C:\Users\admin\AppData\Local\Temp\MSDCSC\runddl32.exe
(PID) Process:	(6412) 6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	UserInit
Value: C:\Windows\system32\userinit.exe,C:\Users\admin\AppData\Local\Temp\MSDCSC\runddl32.exe
(PID) Process:	(6412) 6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(6628) runddl32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	MicroUpdate
Value: C:\Users\admin\AppData\Local\Temp\MSDCSC\runddl32.exe

PID	Process	Filename		Type
6412	6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363.exe	C:\Users\admin\AppData\Local\Temp\MSDCSC\runddl32.exe		executable
		MD5:F6351DA84168D40FAE8DA0C156FBAB0F	SHA256:6D34DED00C0DA9887BA752872093F59C649DE72A1F629A32014F5ED8BE509363

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
488	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
488	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
488	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
488	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
488	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
488	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59	whitelisted
google.com	142.250.186.110	whitelisted
test213.no-ip.info	—	unknown
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
self.events.data.microsoft.com	40.79.197.34	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
2192	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain

General Info

6d34ded00c0da9887ba752872093f59c649de72a1f629a32014f5ed8be509363.exe

F6351DA84168D40FAE8DA0C156FBAB0F

1A2283C85BC5C655F5F2F77F27EC3A9412E8DB7E

6D34DED00C0DA9887BA752872093F59C649DE72A1F629A32014F5ED8BE509363

12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hn:qZ1xuVVjfFoynPaVBUR8f+kN10EBV

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Changes the login/logoff helper path in the registry

DARKCOMET has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Uses ATTRIB.EXE to modify file attributes

Starts itself from another location

Start notepad (likely ransomware note)

There is functionality for taking screenshot (YARA)

There is functionality for communication over UDP network (YARA)

INFO

Create files in a temporary directory

Reads the computer name

Checks supported languages

The sample compiled with english language support

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings