Overview

overview

10

Static

static

3a33bcbef5...5d.exe

windows7_x64

10

3a33bcbef5...5d.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    156s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a33bcbef59011becd7de5bcc3f0cea7bd19ad899c536ea483aa22ca081a135d.exe

  • Size

    1.5MB

  • MD5

    a8d87f85abebd106b6c3fc3a340931c5

  • SHA1

    b35b4b1c4a9c4729f021a1c7fbdeb1909eb5d84d

  • SHA256

    3a33bcbef59011becd7de5bcc3f0cea7bd19ad899c536ea483aa22ca081a135d

  • SHA512

    7d3b846b3481f31072c198e90c80f8957a4dd67834a125da12e21198bc58823e0da5e5114404c783bd7cae642ee31c187571fa1a1c337633219a91d249aade01

Score
10/10
darkcometrunescapepersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Runescape

C2

mrsnickers03.no-ip.biz:340

Mutex

DC_MUTEX-6ZFK11A

Attributes
  • gencode

    uNwew4gojxtu

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a33bcbef59011becd7de5bcc3f0cea7bd19ad899c536ea483aa22ca081a135d.exe
    "C:\Users\Admin\AppData\Local\Temp\3a33bcbef59011becd7de5bcc3f0cea7bd19ad899c536ea483aa22ca081a135d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      2⤵
        PID:416
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 92
          3⤵
          • Program crash
          PID:3180
      • C:\Users\Admin\AppData\Local\Temp\3a33bcbef59011becd7de5bcc3f0cea7bd19ad899c536ea483aa22ca081a135d.exe
        "C:\Users\Admin\AppData\Local\Temp\3a33bcbef59011becd7de5bcc3f0cea7bd19ad899c536ea483aa22ca081a135d.exe"
        2⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4084
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWVHP.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4064
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe" /f
            4⤵
            • Adds Run key to start application
            PID:792
        • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
          "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:996
          • C:\Windows\SysWOW64\svchost.exe
            "C:\Windows\system32\svchost.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:1412
          • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
            "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1588
          • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
            "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1784

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IWVHP.bat
      MD5

      92353035f01403e26aa2ff51c3963238

      SHA1

      d13f167c73bfce23a2deab8ce7c4ce9f78759ff4

      SHA256

      2e72a8542f8f809bfb1e4adfb481c7c5e6dc00dda7970c74692ba8d83ea0a870

      SHA512

      74560e33477caae3c7bc13914e4ae3c6911bbcfe257b2833155c236a158db0aca17478beb9d97f648ff1ea566005260f511361771c74203195107f4e82cce7df

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      68547414de4e743f5baceab3c30b0d36

      SHA1

      f9636cff8fa406af07b066bec0a978e7f52aaaa5

      SHA256

      3dceef401bded638c3425cf10a50d329b0dfe4755b9156d47ac78f24ec356213

      SHA512

      76dd8269ad935871918ecbb091944ead95bf0b6dbc58a3643a5618d8689a2a5e403388dc079420858a019b3d2b8a25dc1466ef9968e7747cf813ccd9fc1c4796

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      68547414de4e743f5baceab3c30b0d36

      SHA1

      f9636cff8fa406af07b066bec0a978e7f52aaaa5

      SHA256

      3dceef401bded638c3425cf10a50d329b0dfe4755b9156d47ac78f24ec356213

      SHA512

      76dd8269ad935871918ecbb091944ead95bf0b6dbc58a3643a5618d8689a2a5e403388dc079420858a019b3d2b8a25dc1466ef9968e7747cf813ccd9fc1c4796

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      68547414de4e743f5baceab3c30b0d36

      SHA1

      f9636cff8fa406af07b066bec0a978e7f52aaaa5

      SHA256

      3dceef401bded638c3425cf10a50d329b0dfe4755b9156d47ac78f24ec356213

      SHA512

      76dd8269ad935871918ecbb091944ead95bf0b6dbc58a3643a5618d8689a2a5e403388dc079420858a019b3d2b8a25dc1466ef9968e7747cf813ccd9fc1c4796

      Download Submit
    • C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
      MD5

      68547414de4e743f5baceab3c30b0d36

      SHA1

      f9636cff8fa406af07b066bec0a978e7f52aaaa5

      SHA256

      3dceef401bded638c3425cf10a50d329b0dfe4755b9156d47ac78f24ec356213

      SHA512

      76dd8269ad935871918ecbb091944ead95bf0b6dbc58a3643a5618d8689a2a5e403388dc079420858a019b3d2b8a25dc1466ef9968e7747cf813ccd9fc1c4796

      Download Submit
    • memory/416-3-0x000000000040B000-mapping.dmp
      Download
    • memory/792-13-0x0000000000000000-mapping.dmp
      Download
    • memory/996-14-0x0000000000000000-mapping.dmp
      Download
    • memory/996-17-0x0000000072F70000-0x0000000073003000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1412-21-0x000000000040B000-mapping.dmp
      Download
    • memory/1412-22-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1412-23-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1412-20-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1588-26-0x00000000004085D0-mapping.dmp
      Download
    • memory/1588-29-0x0000000072F70000-0x0000000073003000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1784-30-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/1784-31-0x00000000004B5210-mapping.dmp
      Download
    • memory/1784-35-0x0000000072F70000-0x0000000073003000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1784-38-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/1784-39-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/3180-10-0x0000000004C70000-0x0000000004C71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4064-11-0x0000000000000000-mapping.dmp
      Download
    • memory/4084-7-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/4084-6-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/4084-4-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/4084-5-0x00000000004085D0-mapping.dmp
      Download