Overview

overview

10

Static

static

d2bbd75bfc...90.exe

windows7_x64

10

d2bbd75bfc...90.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d2bbd75bfc9a75f864ffcae530f8a791cd24a06208765190ae674a6038c05590.exe

  • Size

    1.5MB

  • MD5

    2060cf6432b646182580e06af0a94b86

  • SHA1

    971ae2293c426fbd7ed0808e7ba5de2c2f461cde

  • SHA256

    d2bbd75bfc9a75f864ffcae530f8a791cd24a06208765190ae674a6038c05590

  • SHA512

    d063087f676452574a6e9e989fc8227fe8ec1ddac3da991802e16fb730b5fae174b92be04aba9a92d56ffb1449093097570a9d451a8c105bfd4360b9b89372a8

Score
10/10
darkcometrunescapepersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Runescape

C2

mrsnickers03.no-ip.biz:340

Mutex

DC_MUTEX-6ZFK11A

Attributes
  • gencode

    uNwew4gojxtu

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2bbd75bfc9a75f864ffcae530f8a791cd24a06208765190ae674a6038c05590.exe
    "C:\Users\Admin\AppData\Local\Temp\d2bbd75bfc9a75f864ffcae530f8a791cd24a06208765190ae674a6038c05590.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4632
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      2⤵
        PID:3520
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 92
          3⤵
          • Program crash
          PID:3628
      • C:\Users\Admin\AppData\Local\Temp\d2bbd75bfc9a75f864ffcae530f8a791cd24a06208765190ae674a6038c05590.exe
        "C:\Users\Admin\AppData\Local\Temp\d2bbd75bfc9a75f864ffcae530f8a791cd24a06208765190ae674a6038c05590.exe"
        2⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3708
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SPDPA.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2808
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe" /f
            4⤵
            • Adds Run key to start application
            PID:3168
        • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
          "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:516
          • C:\Windows\SysWOW64\svchost.exe
            "C:\Windows\system32\svchost.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:1044
          • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
            "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1176
          • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
            "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1344

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SPDPA.bat
      MD5

      92353035f01403e26aa2ff51c3963238

      SHA1

      d13f167c73bfce23a2deab8ce7c4ce9f78759ff4

      SHA256

      2e72a8542f8f809bfb1e4adfb481c7c5e6dc00dda7970c74692ba8d83ea0a870

      SHA512

      74560e33477caae3c7bc13914e4ae3c6911bbcfe257b2833155c236a158db0aca17478beb9d97f648ff1ea566005260f511361771c74203195107f4e82cce7df

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      2060cf6432b646182580e06af0a94b86

      SHA1

      971ae2293c426fbd7ed0808e7ba5de2c2f461cde

      SHA256

      d2bbd75bfc9a75f864ffcae530f8a791cd24a06208765190ae674a6038c05590

      SHA512

      d063087f676452574a6e9e989fc8227fe8ec1ddac3da991802e16fb730b5fae174b92be04aba9a92d56ffb1449093097570a9d451a8c105bfd4360b9b89372a8

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      2060cf6432b646182580e06af0a94b86

      SHA1

      971ae2293c426fbd7ed0808e7ba5de2c2f461cde

      SHA256

      d2bbd75bfc9a75f864ffcae530f8a791cd24a06208765190ae674a6038c05590

      SHA512

      d063087f676452574a6e9e989fc8227fe8ec1ddac3da991802e16fb730b5fae174b92be04aba9a92d56ffb1449093097570a9d451a8c105bfd4360b9b89372a8

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      2060cf6432b646182580e06af0a94b86

      SHA1

      971ae2293c426fbd7ed0808e7ba5de2c2f461cde

      SHA256

      d2bbd75bfc9a75f864ffcae530f8a791cd24a06208765190ae674a6038c05590

      SHA512

      d063087f676452574a6e9e989fc8227fe8ec1ddac3da991802e16fb730b5fae174b92be04aba9a92d56ffb1449093097570a9d451a8c105bfd4360b9b89372a8

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      2060cf6432b646182580e06af0a94b86

      SHA1

      971ae2293c426fbd7ed0808e7ba5de2c2f461cde

      SHA256

      d2bbd75bfc9a75f864ffcae530f8a791cd24a06208765190ae674a6038c05590

      SHA512

      d063087f676452574a6e9e989fc8227fe8ec1ddac3da991802e16fb730b5fae174b92be04aba9a92d56ffb1449093097570a9d451a8c105bfd4360b9b89372a8

      Download Submit
    • memory/516-17-0x00000000738F0000-0x0000000073983000-memory.dmp
      Filesize

      588KB

      Download
    • memory/516-14-0x0000000000000000-mapping.dmp
      Download
    • memory/1044-22-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1044-23-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1044-21-0x000000000040B000-mapping.dmp
      Download
    • memory/1044-20-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1176-29-0x00000000738F0000-0x0000000073983000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1176-27-0x00000000004085D0-mapping.dmp
      Download
    • memory/1344-31-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/1344-39-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/1344-37-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/1344-35-0x00000000738F0000-0x0000000073983000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1344-33-0x00000000004B5210-mapping.dmp
      Download
    • memory/2808-11-0x0000000000000000-mapping.dmp
      Download
    • memory/3168-13-0x0000000000000000-mapping.dmp
      Download
    • memory/3520-3-0x000000000040B000-mapping.dmp
      Download
    • memory/3628-9-0x0000000004780000-0x0000000004781000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3708-5-0x00000000004085D0-mapping.dmp
      Download
    • memory/3708-4-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3708-6-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3708-7-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download