Overview

overview

10

Static

static

8a7df8323d...50.exe

windows7_x64

1

8a7df8323d...50.exe

windows10_x64

10

Analysis

  • max time kernel
    115s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a7df8323dc4eee4c43a0e0fa761af9ed98274b0923066aa82dbfa977c1e4f50.exe

  • Size

    1.5MB

  • MD5

    f7f98f7827a8eee2a8eba4542f6c4ff8

  • SHA1

    f504d82d6826cf7d8defa916f71be01a46c6db09

  • SHA256

    8a7df8323dc4eee4c43a0e0fa761af9ed98274b0923066aa82dbfa977c1e4f50

  • SHA512

    b6fe1a75af8bb1818ec7af6d7f98288e09466d7b7deabdd015b312c0b94942badcbd554a52042e1d2b737525b501673f5b776d0b68fb8c245730a65c3f7b5ef1

Score
10/10
darkcometrunescapepersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Runescape

C2

mrsnickers03.no-ip.biz:340

Mutex

DC_MUTEX-6ZFK11A

Attributes
  • gencode

    uNwew4gojxtu

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a7df8323dc4eee4c43a0e0fa761af9ed98274b0923066aa82dbfa977c1e4f50.exe
    "C:\Users\Admin\AppData\Local\Temp\8a7df8323dc4eee4c43a0e0fa761af9ed98274b0923066aa82dbfa977c1e4f50.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      2⤵
        PID:3148
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 100
          3⤵
          • Program crash
          PID:852
      • C:\Users\Admin\AppData\Local\Temp\8a7df8323dc4eee4c43a0e0fa761af9ed98274b0923066aa82dbfa977c1e4f50.exe
        "C:\Users\Admin\AppData\Local\Temp\8a7df8323dc4eee4c43a0e0fa761af9ed98274b0923066aa82dbfa977c1e4f50.exe"
        2⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOMRE.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:668
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe" /f
            4⤵
            • Adds Run key to start application
            PID:3796
        • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
          "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2116
          • C:\Windows\SysWOW64\svchost.exe
            "C:\Windows\system32\svchost.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:2140
          • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
            "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2084
          • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
            "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:636

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\QOMRE.bat
      MD5

      92353035f01403e26aa2ff51c3963238

      SHA1

      d13f167c73bfce23a2deab8ce7c4ce9f78759ff4

      SHA256

      2e72a8542f8f809bfb1e4adfb481c7c5e6dc00dda7970c74692ba8d83ea0a870

      SHA512

      74560e33477caae3c7bc13914e4ae3c6911bbcfe257b2833155c236a158db0aca17478beb9d97f648ff1ea566005260f511361771c74203195107f4e82cce7df

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      188354ea53b4a68a5842676461f7d30c

      SHA1

      9543729c1516f6c4572e59f6d190705dee8c964c

      SHA256

      71e003fade1c08b8957e5d003c47734d0242e49cd7f7f157de49d7b88e9b0c01

      SHA512

      2e2a48e55d561b9c5a44d646ff1422660dc1158cd227be2ceaceaa6428e2f45b46efdd20f063df51e23609648c4319e9f331ffe72cc83136083841b76e80949d

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      188354ea53b4a68a5842676461f7d30c

      SHA1

      9543729c1516f6c4572e59f6d190705dee8c964c

      SHA256

      71e003fade1c08b8957e5d003c47734d0242e49cd7f7f157de49d7b88e9b0c01

      SHA512

      2e2a48e55d561b9c5a44d646ff1422660dc1158cd227be2ceaceaa6428e2f45b46efdd20f063df51e23609648c4319e9f331ffe72cc83136083841b76e80949d

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      188354ea53b4a68a5842676461f7d30c

      SHA1

      9543729c1516f6c4572e59f6d190705dee8c964c

      SHA256

      71e003fade1c08b8957e5d003c47734d0242e49cd7f7f157de49d7b88e9b0c01

      SHA512

      2e2a48e55d561b9c5a44d646ff1422660dc1158cd227be2ceaceaa6428e2f45b46efdd20f063df51e23609648c4319e9f331ffe72cc83136083841b76e80949d

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      188354ea53b4a68a5842676461f7d30c

      SHA1

      9543729c1516f6c4572e59f6d190705dee8c964c

      SHA256

      71e003fade1c08b8957e5d003c47734d0242e49cd7f7f157de49d7b88e9b0c01

      SHA512

      2e2a48e55d561b9c5a44d646ff1422660dc1158cd227be2ceaceaa6428e2f45b46efdd20f063df51e23609648c4319e9f331ffe72cc83136083841b76e80949d

      Download Submit
    • memory/636-39-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/636-38-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/636-33-0x0000000072FA0000-0x0000000073033000-memory.dmp
      Filesize

      588KB

      Download
    • memory/636-29-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/636-31-0x00000000004B5210-mapping.dmp
      Download
    • memory/668-11-0x0000000000000000-mapping.dmp
      Download
    • memory/852-10-0x0000000004EA0000-0x0000000004EA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2084-30-0x0000000072FA0000-0x0000000073033000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2084-26-0x00000000004085D0-mapping.dmp
      Download
    • memory/2116-14-0x0000000000000000-mapping.dmp
      Download
    • memory/2116-17-0x0000000072FA0000-0x0000000073033000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2140-20-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2140-22-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2140-23-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2140-21-0x000000000040B000-mapping.dmp
      Download
    • memory/2796-7-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/2796-6-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/2796-5-0x00000000004085D0-mapping.dmp
      Download
    • memory/2796-4-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3148-3-0x000000000040B000-mapping.dmp
      Download
    • memory/3796-13-0x0000000000000000-mapping.dmp
      Download