Overview

overview

10

Static

static

7e5ee35cbb...d2.exe

windows7_x64

8

7e5ee35cbb...d2.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    06-07-2020 06:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe

  • Size

    1.5MB

  • MD5

    49b156bbea23cd6434d7829ed25b051a

  • SHA1

    075007dabafb065909e0d7d1cb4a1ec05724e9ec

  • SHA256

    7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2

  • SHA512

    19dcbb72d9c3b065587731066bc4ad50968978c1569ae7aad8680722333555926a7977762674ec8d5d98add1c06b6e265b80687528b9689940dfc5c3f4c8460b

Score
10/10
darkcometrunescapepersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Runescape

C2

mrsnickers03.no-ip.biz:340

Mutex

DC_MUTEX-6ZFK11A

Attributes
  • gencode

    uNwew4gojxtu

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
    "C:\Users\Admin\AppData\Local\Temp\7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:732
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1888
    • C:\Users\Admin\AppData\Local\Temp\7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
      "C:\Users\Admin\AppData\Local\Temp\7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3528
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VBTXS.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3808
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe" /f
          4⤵
          • Adds Run key to start application
          PID:1628
      • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
        "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3356
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\system32\svchost.exe"
          4⤵
            PID:3160
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 24
              5⤵
              • Program crash
              PID:3188
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 36
              5⤵
              • Suspicious use of NtCreateProcessExOtherParentProcess
              • Program crash
              PID:2208
          • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
            "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3348
          • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
            "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1796

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\VBTXS.bat
      MD5

      92353035f01403e26aa2ff51c3963238

      SHA1

      d13f167c73bfce23a2deab8ce7c4ce9f78759ff4

      SHA256

      2e72a8542f8f809bfb1e4adfb481c7c5e6dc00dda7970c74692ba8d83ea0a870

      SHA512

      74560e33477caae3c7bc13914e4ae3c6911bbcfe257b2833155c236a158db0aca17478beb9d97f648ff1ea566005260f511361771c74203195107f4e82cce7df

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      3deadfc5801062ac047053b5926ad532

      SHA1

      5c288a870ad622e7d1d32a54238533b66957268d

      SHA256

      7c8a4eced281f9c13e916780de459e812e214625bcd5078741e477fc1b13bb80

      SHA512

      b8dce85f7653a7ff320bfc0c08534f28777635e1a3e625e837597aa33c3975fcc03db4323ec99f376dc873e951012be652971b07a3a2fd56f6d16247fddee626

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      3deadfc5801062ac047053b5926ad532

      SHA1

      5c288a870ad622e7d1d32a54238533b66957268d

      SHA256

      7c8a4eced281f9c13e916780de459e812e214625bcd5078741e477fc1b13bb80

      SHA512

      b8dce85f7653a7ff320bfc0c08534f28777635e1a3e625e837597aa33c3975fcc03db4323ec99f376dc873e951012be652971b07a3a2fd56f6d16247fddee626

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      3deadfc5801062ac047053b5926ad532

      SHA1

      5c288a870ad622e7d1d32a54238533b66957268d

      SHA256

      7c8a4eced281f9c13e916780de459e812e214625bcd5078741e477fc1b13bb80

      SHA512

      b8dce85f7653a7ff320bfc0c08534f28777635e1a3e625e837597aa33c3975fcc03db4323ec99f376dc873e951012be652971b07a3a2fd56f6d16247fddee626

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      3deadfc5801062ac047053b5926ad532

      SHA1

      5c288a870ad622e7d1d32a54238533b66957268d

      SHA256

      7c8a4eced281f9c13e916780de459e812e214625bcd5078741e477fc1b13bb80

      SHA512

      b8dce85f7653a7ff320bfc0c08534f28777635e1a3e625e837597aa33c3975fcc03db4323ec99f376dc873e951012be652971b07a3a2fd56f6d16247fddee626

      Download Submit
    • memory/1628-16-0x0000000000000000-mapping.dmp
      Download
    • memory/1796-28-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/1796-36-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/1796-34-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/1796-30-0x00000000004B5210-mapping.dmp
      Download
    • memory/1888-4-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1888-3-0x000000000040B000-mapping.dmp
      Download
    • memory/1888-5-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1888-2-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2208-37-0x0000000004510000-0x0000000004511000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3160-23-0x000000000040B000-mapping.dmp
      Download
    • memory/3160-22-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/3188-33-0x0000000004B90000-0x0000000004B91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3348-25-0x00000000004085D0-mapping.dmp
      Download
    • memory/3356-17-0x0000000000000000-mapping.dmp
      Download
    • memory/3528-11-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3528-6-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3528-8-0x00000000004085D0-mapping.dmp
      Download
    • memory/3528-10-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3808-14-0x0000000000000000-mapping.dmp
      Download