Overview

overview

10

Static

static

10

e437647987...d4.exe

windows7_x64

10

e437647987...d4.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    29s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-12-2020 16:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e437647987807d34da932489603025d4.exe

  • Size

    945KB

  • MD5

    e437647987807d34da932489603025d4

  • SHA1

    d1129315116b9c041942df9d9fa49323a416125b

  • SHA256

    550c64585f830c9ab794ad1f9e9df78ecf9b2dc8580038532e9b9033118186a1

  • SHA512

    24c4021a81cccf1b99d3795e50aee0524910735a5446ef7d8f012b16139767a4c169d51ce0473f4eb7c56380d48fb1deb6b005a63cd74f1eaade3e40a09d0676

Score
10/10
darkcometguestevasionrattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

guest

C2

127.0.0.1:1604

Mutex

DC_MUTEX-1JZLPXV

Attributes
  • gencode

    9npjPzJ7GsSo

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e437647987807d34da932489603025d4.exe
    "C:\Users\Admin\AppData\Local\Temp\e437647987807d34da932489603025d4.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Users\Admin\AppData\Local\Temp\utorrent.1.8.2.exe
      "C:\Users\Admin\AppData\Local\Temp\utorrent.1.8.2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2012
    • C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe
      "C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe"
      2⤵
      • Modifies firewall policy service
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe" +s +h
          4⤵
          • Views/modifies file attributes
          PID:1248
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Views/modifies file attributes
          PID:1180
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:1820

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe
      MD5

      d53c04debe6a797614e81d0c619db0aa

      SHA1

      50b44416059ef0ee0890f58729471e6f898dcc36

      SHA256

      030ba12e3c65d93c775d6d75e72fbc462cd59eba6325a6a0a4f98fea5b36077a

      SHA512

      d81d1cad85fb7378cf2911541ebf7eaaed8f072aab87d3dc0acaf84491fb51033fac53b79b7eb133a13172f17e75795bd2e840d939824af2e33d8a668078f7e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe
      MD5

      d53c04debe6a797614e81d0c619db0aa

      SHA1

      50b44416059ef0ee0890f58729471e6f898dcc36

      SHA256

      030ba12e3c65d93c775d6d75e72fbc462cd59eba6325a6a0a4f98fea5b36077a

      SHA512

      d81d1cad85fb7378cf2911541ebf7eaaed8f072aab87d3dc0acaf84491fb51033fac53b79b7eb133a13172f17e75795bd2e840d939824af2e33d8a668078f7e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\utorrent.1.8.2.exe
      MD5

      4451d6d00bf3bb253bc1d32ca3c5b9d0

      SHA1

      c3db3028f2ca98dd419e26f4d3507fab8c881ef8

      SHA256

      3272964edf0e3fca43515decdb5aa5efda73f985c248afc96ea88ad31c9bbdd5

      SHA512

      1ca6f759fdc65c8319a52735ff046cc3725a4676c0239e466f58f8dcee34c4a071066932ab015fb61f0b48b225f95345d4b085fa20803a7cbfa6173fd262b0cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\utorrent.1.8.2.exe
      MD5

      4451d6d00bf3bb253bc1d32ca3c5b9d0

      SHA1

      c3db3028f2ca98dd419e26f4d3507fab8c881ef8

      SHA256

      3272964edf0e3fca43515decdb5aa5efda73f985c248afc96ea88ad31c9bbdd5

      SHA512

      1ca6f759fdc65c8319a52735ff046cc3725a4676c0239e466f58f8dcee34c4a071066932ab015fb61f0b48b225f95345d4b085fa20803a7cbfa6173fd262b0cc

      Download Submit

    • \Users\Admin\AppData\Local\Temp\KU 1.0.0.exe
      MD5

      d53c04debe6a797614e81d0c619db0aa

      SHA1

      50b44416059ef0ee0890f58729471e6f898dcc36

      SHA256

      030ba12e3c65d93c775d6d75e72fbc462cd59eba6325a6a0a4f98fea5b36077a

      SHA512

      d81d1cad85fb7378cf2911541ebf7eaaed8f072aab87d3dc0acaf84491fb51033fac53b79b7eb133a13172f17e75795bd2e840d939824af2e33d8a668078f7e1

      Download Submit

    • \Users\Admin\AppData\Local\Temp\KU 1.0.0.exe
      MD5

      d53c04debe6a797614e81d0c619db0aa

      SHA1

      50b44416059ef0ee0890f58729471e6f898dcc36

      SHA256

      030ba12e3c65d93c775d6d75e72fbc462cd59eba6325a6a0a4f98fea5b36077a

      SHA512

      d81d1cad85fb7378cf2911541ebf7eaaed8f072aab87d3dc0acaf84491fb51033fac53b79b7eb133a13172f17e75795bd2e840d939824af2e33d8a668078f7e1

      Download Submit

    • \Users\Admin\AppData\Local\Temp\utorrent.1.8.2.exe
      MD5

      4451d6d00bf3bb253bc1d32ca3c5b9d0

      SHA1

      c3db3028f2ca98dd419e26f4d3507fab8c881ef8

      SHA256

      3272964edf0e3fca43515decdb5aa5efda73f985c248afc96ea88ad31c9bbdd5

      SHA512

      1ca6f759fdc65c8319a52735ff046cc3725a4676c0239e466f58f8dcee34c4a071066932ab015fb61f0b48b225f95345d4b085fa20803a7cbfa6173fd262b0cc

      Download Submit

    • memory/1180-16-0x0000000000000000-mapping.dmp

      Download

    • memory/1248-17-0x0000000000000000-mapping.dmp

      Download

    • memory/1736-12-0x0000000000000000-mapping.dmp

      Download

    • memory/1740-11-0x0000000000000000-mapping.dmp

      Download

    • memory/1820-14-0x0000000000250000-0x0000000000251000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1820-15-0x0000000000000000-mapping.dmp

      Download

    • memory/1820-13-0x0000000000000000-mapping.dmp

      Download

    • memory/1828-18-0x000007FEF62A0000-0x000007FEF651A000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2012-3-0x0000000000000000-mapping.dmp

      Download

    • memory/2032-7-0x0000000000000000-mapping.dmp

      Download