Overview

overview

10

Static

static

74556POZ_pdf.exe

windows7_x64

10

74556POZ_pdf.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    15-08-2020 06:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74556POZ_pdf.exe

  • Size

    749KB

  • MD5

    8c783ee344384ce8f3282675e961c3c0

  • SHA1

    eb699861cb2ec0fdc2fb736c6f4eba93133f2100

  • SHA256

    bbc8f1873aefb2518b9675fdda8446a2ba7dc159bab9bfd08b40e19b654ea8bb

  • SHA512

    ed6ab8e3d8cc3a6cbbadd944d59f8112d9bb4fba2c73d9d476be4e2a9ab929e4836626e113efb72d184b275ea5c8653494fe6e8834571f0bd89f24b83d913aec

Score
10/10
darkcometgood newsrattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Good News

C2

boki.zapto.org:1905

Mutex

DCMIN_MUTEX-ZAT3FJZ

Attributes
  • gencode

    BrxJcaQU7jzd

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\igDEjuKnNuUIk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3532.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1856
    • C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe"
      2⤵
        PID:1908
      • C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe"
        2⤵
          PID:1736
        • C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe
          "C:\Users\Admin\AppData\Local\Temp\74556POZ_pdf.exe"
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1840

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp3532.tmp
        MD5

        972e63a309fae6b004778ee8d896b768

        SHA1

        42e855adc0977d4debe959d48f99acb71d71f66f

        SHA256

        d63bfdfae8b8be990220b702b50f9443a956da501b1d182f6c6bf5264b9372be

        SHA512

        ea2b6e3a3068e5a9a7590066c67e7027f14b9bffd2ec1efb1c9a2607959e56b6c0a7ff65495c9d6a4282731113c7a6907ae6f88dd713d777913ec3029023f31f

        Download Submit
      • memory/1840-2-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

        Download
      • memory/1840-3-0x00000000004B5000-mapping.dmp
        Download
      • memory/1840-4-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

        Download
      • memory/1840-5-0x0000000000400000-0x00000000004B7000-memory.dmp
        Filesize

        732KB

        Download
      • memory/1856-0-0x0000000000000000-mapping.dmp
        Download