Overview

overview

10

Static

static

d372fce4dc...cb.exe

windows7_x64

10

d372fce4dc...cb.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d372fce4dc8842dc2295d9464600f1450d90fa5554a13b1b7183cb3dba0aa0cb.exe

  • Size

    1.5MB

  • MD5

    f781984780ee83c5d8997f283b53ada0

  • SHA1

    cc49354a74005d5c6e19bbd0b7628d563211638e

  • SHA256

    d372fce4dc8842dc2295d9464600f1450d90fa5554a13b1b7183cb3dba0aa0cb

  • SHA512

    e598a6745b4d3a85a828c2090e1f706ed692b2b7545e2781243512f0963cfe2f337efe4c456ab42a2e421b9a49dd30014324014d1af54bd30cc7e817d7ff0d23

Score
10/10
darkcometrunescapepersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Runescape

C2

mrsnickers03.no-ip.biz:340

Mutex

DC_MUTEX-6ZFK11A

Attributes
  • gencode

    uNwew4gojxtu

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d372fce4dc8842dc2295d9464600f1450d90fa5554a13b1b7183cb3dba0aa0cb.exe
    "C:\Users\Admin\AppData\Local\Temp\d372fce4dc8842dc2295d9464600f1450d90fa5554a13b1b7183cb3dba0aa0cb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1764
    • C:\Users\Admin\AppData\Local\Temp\d372fce4dc8842dc2295d9464600f1450d90fa5554a13b1b7183cb3dba0aa0cb.exe
      "C:\Users\Admin\AppData\Local\Temp\d372fce4dc8842dc2295d9464600f1450d90fa5554a13b1b7183cb3dba0aa0cb.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WMNKT.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:648
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe" /f
          4⤵
          • Adds Run key to start application
          PID:2392
      • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
        "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:940
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\system32\svchost.exe"
          4⤵
            PID:2820
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 100
              5⤵
              • Program crash
              PID:2108
          • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
            "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1324
          • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
            "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2072

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\WMNKT.bat
      MD5

      92353035f01403e26aa2ff51c3963238

      SHA1

      d13f167c73bfce23a2deab8ce7c4ce9f78759ff4

      SHA256

      2e72a8542f8f809bfb1e4adfb481c7c5e6dc00dda7970c74692ba8d83ea0a870

      SHA512

      74560e33477caae3c7bc13914e4ae3c6911bbcfe257b2833155c236a158db0aca17478beb9d97f648ff1ea566005260f511361771c74203195107f4e82cce7df

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      9a750543dd75dca1b2e023eacf4d0712

      SHA1

      56e7cdef7a2a686e15966d46247af6ac031927a8

      SHA256

      e033dfbf7996e4f6829ee70fc335902cf9fcbcf1c2c239f229fb58b67f7b7820

      SHA512

      40474a48eb0ce981f8790ddb0941c9b141979ffbf153c38d02a076418a66dfdb0ee8e35f1fdd55312245805af39b3f8d6e65d060ef052448f2d795229845d883

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      9a750543dd75dca1b2e023eacf4d0712

      SHA1

      56e7cdef7a2a686e15966d46247af6ac031927a8

      SHA256

      e033dfbf7996e4f6829ee70fc335902cf9fcbcf1c2c239f229fb58b67f7b7820

      SHA512

      40474a48eb0ce981f8790ddb0941c9b141979ffbf153c38d02a076418a66dfdb0ee8e35f1fdd55312245805af39b3f8d6e65d060ef052448f2d795229845d883

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      9a750543dd75dca1b2e023eacf4d0712

      SHA1

      56e7cdef7a2a686e15966d46247af6ac031927a8

      SHA256

      e033dfbf7996e4f6829ee70fc335902cf9fcbcf1c2c239f229fb58b67f7b7820

      SHA512

      40474a48eb0ce981f8790ddb0941c9b141979ffbf153c38d02a076418a66dfdb0ee8e35f1fdd55312245805af39b3f8d6e65d060ef052448f2d795229845d883

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      9a750543dd75dca1b2e023eacf4d0712

      SHA1

      56e7cdef7a2a686e15966d46247af6ac031927a8

      SHA256

      e033dfbf7996e4f6829ee70fc335902cf9fcbcf1c2c239f229fb58b67f7b7820

      SHA512

      40474a48eb0ce981f8790ddb0941c9b141979ffbf153c38d02a076418a66dfdb0ee8e35f1fdd55312245805af39b3f8d6e65d060ef052448f2d795229845d883

      Download Submit
    • memory/648-14-0x0000000000000000-mapping.dmp
      Download
    • memory/940-20-0x0000000073B80000-0x0000000073C13000-memory.dmp
      Filesize

      588KB

      Download
    • memory/940-17-0x0000000000000000-mapping.dmp
      Download
    • memory/1324-28-0x0000000073B80000-0x0000000073C13000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1324-26-0x00000000004085D0-mapping.dmp
      Download
    • memory/1764-4-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1764-2-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1764-3-0x000000000040B000-mapping.dmp
      Download
    • memory/1764-5-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2072-31-0x00000000004B5210-mapping.dmp
      Download
    • memory/2072-29-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2072-34-0x0000000073B80000-0x0000000073C13000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2072-37-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2072-39-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2108-36-0x0000000004930000-0x0000000004931000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2392-16-0x0000000000000000-mapping.dmp
      Download
    • memory/2820-24-0x000000000040B000-mapping.dmp
      Download
    • memory/3196-10-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3196-6-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3196-11-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3196-8-0x00000000004085D0-mapping.dmp
      Download