Overview

overview

10

Static

static

b1418392b5...0f.exe

windows7_x64

10

b1418392b5...0f.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-11-2020 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b1418392b544a51ff07f543c3f76030f.exe

  • Size

    1.1MB

  • MD5

    b1418392b544a51ff07f543c3f76030f

  • SHA1

    6fbad484bbfd66afc868c6d1d700aa3eed644e70

  • SHA256

    dd146247f7cb47a6256829a01089d8e95d67d31d52431eeb0261333615927152

  • SHA512

    a14feac08bc7b4da4ccb9ddff8069bee7c2ac125c9128ae773cbf546d0bc03c76ae7b2c292916062fcc691969ef062c008ce578ac69c663c5de0340173364d87

Score
10/10
darkcometwinrar 5.0 final 10-10-2013persistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Winrar 5.0 final 10-10-2013

C2

rainbowie.no-ip.biz:2302

Mutex

DC_MUTEX-GL3ZW69

Attributes
  • InstallPath

    windirsx.exe

  • gencode

    4EYDgQDgUmXr

  • install

    true

  • offline_keylogger

    true

  • password

    hypethetimet

  • persistence

    true

  • reg_key

    Windows Login System

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1418392b544a51ff07f543c3f76030f.exe
    "C:\Users\Admin\AppData\Local\Temp\b1418392b544a51ff07f543c3f76030f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Users\Admin\AppData\Local\Temp\b1418392b544a51ff07f543c3f76030f.exe
      "C:\Users\Admin\AppData\Local\Temp\b1418392b544a51ff07f543c3f76030f.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\KEYGEN.EXE
        "C:\Users\Admin\AppData\Local\Temp\KEYGEN.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3952
      • C:\Users\Admin\AppData\Roaming\windirsx.exe
        "C:\Users\Admin\AppData\Roaming\windirsx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:196
        • C:\Users\Admin\AppData\Roaming\windirsx.exe
          "C:\Users\Admin\AppData\Roaming\windirsx.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\KEYGEN.EXE
    MD5

    ed4bd2fbf1381e22da37c09a935a51ef

    SHA1

    82447f22fa4d3f9de55dabad79f139cad3e6a442

    SHA256

    776303a0a9794f0abc8696c395892d84de37b050c5adb76e2f7fe64f594090e1

    SHA512

    89299332d173f0f6c2f9053c1862b1c101fdd99712e710286d17c2cc094d9701fe6b03aaf6af3e1747b9e817fefd0b8675c322c5675ed1ad5a8bd6694df0ff93

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\KEYGEN.EXE
    MD5

    ed4bd2fbf1381e22da37c09a935a51ef

    SHA1

    82447f22fa4d3f9de55dabad79f139cad3e6a442

    SHA256

    776303a0a9794f0abc8696c395892d84de37b050c5adb76e2f7fe64f594090e1

    SHA512

    89299332d173f0f6c2f9053c1862b1c101fdd99712e710286d17c2cc094d9701fe6b03aaf6af3e1747b9e817fefd0b8675c322c5675ed1ad5a8bd6694df0ff93

    Download Submit
  • C:\Users\Admin\AppData\Roaming\windirsx.exe
    MD5

    b1418392b544a51ff07f543c3f76030f

    SHA1

    6fbad484bbfd66afc868c6d1d700aa3eed644e70

    SHA256

    dd146247f7cb47a6256829a01089d8e95d67d31d52431eeb0261333615927152

    SHA512

    a14feac08bc7b4da4ccb9ddff8069bee7c2ac125c9128ae773cbf546d0bc03c76ae7b2c292916062fcc691969ef062c008ce578ac69c663c5de0340173364d87

    Download Submit
  • C:\Users\Admin\AppData\Roaming\windirsx.exe
    MD5

    b1418392b544a51ff07f543c3f76030f

    SHA1

    6fbad484bbfd66afc868c6d1d700aa3eed644e70

    SHA256

    dd146247f7cb47a6256829a01089d8e95d67d31d52431eeb0261333615927152

    SHA512

    a14feac08bc7b4da4ccb9ddff8069bee7c2ac125c9128ae773cbf546d0bc03c76ae7b2c292916062fcc691969ef062c008ce578ac69c663c5de0340173364d87

    Download Submit
  • C:\Users\Admin\AppData\Roaming\windirsx.exe
    MD5

    b1418392b544a51ff07f543c3f76030f

    SHA1

    6fbad484bbfd66afc868c6d1d700aa3eed644e70

    SHA256

    dd146247f7cb47a6256829a01089d8e95d67d31d52431eeb0261333615927152

    SHA512

    a14feac08bc7b4da4ccb9ddff8069bee7c2ac125c9128ae773cbf546d0bc03c76ae7b2c292916062fcc691969ef062c008ce578ac69c663c5de0340173364d87

    Download Submit
  • memory/196-6-0x0000000000000000-mapping.dmp
    Download
  • memory/1976-10-0x000000000048F888-mapping.dmp
    Download
  • memory/1976-12-0x0000000000400000-0x00000000004CB000-memory.dmp
    Filesize

    812KB

    Download
  • memory/2804-0-0x0000000000400000-0x00000000004CB000-memory.dmp
    Filesize

    812KB

    Download
  • memory/2804-1-0x000000000048F888-mapping.dmp
    Download
  • memory/2804-2-0x0000000000400000-0x00000000004CB000-memory.dmp
    Filesize

    812KB

    Download
  • memory/3952-3-0x0000000000000000-mapping.dmp
    Download