Overview

overview

10

Static

static

10

e437647987...d4.exe

windows7_x64

10

e437647987...d4.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-12-2020 16:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e437647987807d34da932489603025d4.exe

  • Size

    945KB

  • MD5

    e437647987807d34da932489603025d4

  • SHA1

    d1129315116b9c041942df9d9fa49323a416125b

  • SHA256

    550c64585f830c9ab794ad1f9e9df78ecf9b2dc8580038532e9b9033118186a1

  • SHA512

    24c4021a81cccf1b99d3795e50aee0524910735a5446ef7d8f012b16139767a4c169d51ce0473f4eb7c56380d48fb1deb6b005a63cd74f1eaade3e40a09d0676

Score
10/10
darkcometguestevasionrattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

guest

C2

127.0.0.1:1604

Mutex

DC_MUTEX-1JZLPXV

Attributes
  • gencode

    9npjPzJ7GsSo

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e437647987807d34da932489603025d4.exe
    "C:\Users\Admin\AppData\Local\Temp\e437647987807d34da932489603025d4.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Users\Admin\AppData\Local\Temp\utorrent.1.8.2.exe
      "C:\Users\Admin\AppData\Local\Temp\utorrent.1.8.2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2752
    • C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe
      "C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe"
      2⤵
      • Modifies firewall policy service
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3444
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:184
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe" +s +h
          4⤵
          • Views/modifies file attributes
          PID:1132
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3032
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Views/modifies file attributes
          PID:1308
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:2364

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Hidden Files and Directories

    2
    T1158

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Hidden Files and Directories

    2
    T1158

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe
      MD5

      d53c04debe6a797614e81d0c619db0aa

      SHA1

      50b44416059ef0ee0890f58729471e6f898dcc36

      SHA256

      030ba12e3c65d93c775d6d75e72fbc462cd59eba6325a6a0a4f98fea5b36077a

      SHA512

      d81d1cad85fb7378cf2911541ebf7eaaed8f072aab87d3dc0acaf84491fb51033fac53b79b7eb133a13172f17e75795bd2e840d939824af2e33d8a668078f7e1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\KU 1.0.0.exe
      MD5

      d53c04debe6a797614e81d0c619db0aa

      SHA1

      50b44416059ef0ee0890f58729471e6f898dcc36

      SHA256

      030ba12e3c65d93c775d6d75e72fbc462cd59eba6325a6a0a4f98fea5b36077a

      SHA512

      d81d1cad85fb7378cf2911541ebf7eaaed8f072aab87d3dc0acaf84491fb51033fac53b79b7eb133a13172f17e75795bd2e840d939824af2e33d8a668078f7e1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\utorrent.1.8.2.exe
      MD5

      4451d6d00bf3bb253bc1d32ca3c5b9d0

      SHA1

      c3db3028f2ca98dd419e26f4d3507fab8c881ef8

      SHA256

      3272964edf0e3fca43515decdb5aa5efda73f985c248afc96ea88ad31c9bbdd5

      SHA512

      1ca6f759fdc65c8319a52735ff046cc3725a4676c0239e466f58f8dcee34c4a071066932ab015fb61f0b48b225f95345d4b085fa20803a7cbfa6173fd262b0cc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\utorrent.1.8.2.exe
      MD5

      4451d6d00bf3bb253bc1d32ca3c5b9d0

      SHA1

      c3db3028f2ca98dd419e26f4d3507fab8c881ef8

      SHA256

      3272964edf0e3fca43515decdb5aa5efda73f985c248afc96ea88ad31c9bbdd5

      SHA512

      1ca6f759fdc65c8319a52735ff046cc3725a4676c0239e466f58f8dcee34c4a071066932ab015fb61f0b48b225f95345d4b085fa20803a7cbfa6173fd262b0cc

      Download Submit
    • memory/184-8-0x0000000000000000-mapping.dmp
      Download
    • memory/1132-14-0x0000000000000000-mapping.dmp
      Download
    • memory/1308-13-0x0000000000000000-mapping.dmp
      Download
    • memory/2364-11-0x0000000000B60000-0x0000000000B61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2364-10-0x0000000000000000-mapping.dmp
      Download
    • memory/2364-12-0x0000000000000000-mapping.dmp
      Download
    • memory/2752-2-0x0000000000000000-mapping.dmp
      Download
    • memory/3032-9-0x0000000000000000-mapping.dmp
      Download
    • memory/3444-5-0x0000000000000000-mapping.dmp
      Download