Analysis

  • max time kernel
    149s
  • max time network
    196s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    21-07-2021 13:24

General

  • Target

    F-Launcher.exe

  • Size

    1.1MB

  • MD5

    6c592736cf6ae24c1d7e5d051234fdbd

  • SHA1

    dcfddb9aed55a79e38287ddd4e849728d61b67c7

  • SHA256

    846d82f6f9d6b965ef683cd91724d72917263cf21e9f0f7e4ed2cb4f1ceacce8

  • SHA512

    e5d7692eec1fbdf05c87164951d93a911c0c2308e700d5b7543852c98d31fddfc2c2ed043a514def3a1d9e5fe7317b3771f148dad2c900a3e58e3454e1e6fad1

Malware Config

Extracted

Family

darkcomet

Botnet

GG

C2

secret92.ddns.net:82

Mutex

DC_MUTEX-A6ET8RQ

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    oqyLUmi211Cb

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

secret92.ddns.net:8082

Mutex

0c3398f1458

Attributes
  • reg_key

    0c3398f1458

  • splitter

    @!#&^%$

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  • Modifies security service (2 TTPs, 1 IoCs)
  • Windows security bypass (2 TTPs)
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE (4 IoCs)
  • Sets file to hidden (1 TTPs)

    Modifies file attributes to stop it showing in Explorer etc.

  • Loads dropped DLL (8 IoCs)
  • Windows security modification (2 TTPs, 2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings (1 TTPs, 64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTPs, 3 IoCs)
  • Views/modifies file attributes (1 TTPs, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\F-Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\F-Launcher.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Users\Admin\AppData\Local\Temp\darknj.exe
      "C:\Users\Admin\AppData\Local\Temp\darknj.exe"
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\darknj.exe" +s +h
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\darknj.exe" +s +h
          • Views/modifies file attributes
          PID:836
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        • Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          • Views/modifies file attributes
          PID:616
      • C:\Users\Admin\AppData\Local\Temp\NJ.EXE
        "C:\Users\Admin\AppData\Local\Temp\NJ.EXE"
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1744
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        PID:1608
      • C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
        "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
        • Modifies security service
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:524
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          PID:1108
    • C:\Users\Admin\AppData\Local\Temp\R-Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\R-Launcher.exe"
      • Executes dropped EXE
      PID:1964
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:456
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:456 CREDAT:275457 /prefetch:2
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1788

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • Winlogon Helper DLL, T1004 (1)
    • Modify Existing Service, T1031 (1)
    • Hidden Files and Directories, T1158 (2)
    • Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion
    • Modify Registry, T1112 (7)
    • Disabling Security Tools, T1089 (2)
    • Hidden Files and Directories, T1158 (2)
  • Discovery
    • System Information Discovery, T1082 (1)


Downloads
