Overview

overview

10

Static

static

F-Launcher.exe

windows7_x64

10

F-Launcher.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    162s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    21-07-2021 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    F-Launcher.exe

  • Size

    1.1MB

  • MD5

    6c592736cf6ae24c1d7e5d051234fdbd

  • SHA1

    dcfddb9aed55a79e38287ddd4e849728d61b67c7

  • SHA256

    846d82f6f9d6b965ef683cd91724d72917263cf21e9f0f7e4ed2cb4f1ceacce8

  • SHA512

    e5d7692eec1fbdf05c87164951d93a911c0c2308e700d5b7543852c98d31fddfc2c2ed043a514def3a1d9e5fe7317b3771f148dad2c900a3e58e3454e1e6fad1

Score
10/10
darkcometnjratggnyan catevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

GG

C2

secret92.ddns.net:82

Mutex

DC_MUTEX-A6ET8RQ

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    oqyLUmi211Cb

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

secret92.ddns.net:8082

Mutex

0c3398f1458

Attributes
  • reg_key

    0c3398f1458

  • splitter

    @!#&^%$

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 4 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\F-Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\F-Launcher.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Users\Admin\AppData\Local\Temp\darknj.exe
      "C:\Users\Admin\AppData\Local\Temp\darknj.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\darknj.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3224
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\darknj.exe" +s +h
          4⤵
          • Views/modifies file attributes
          PID:2988
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3464
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Views/modifies file attributes
          PID:2836
      • C:\Users\Admin\AppData\Local\Temp\NJ.EXE
        "C:\Users\Admin\AppData\Local\Temp\NJ.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:200
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:3612
        • C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
          "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
          3⤵
          • Modifies security service
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3312
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            4⤵
              PID:1308
        • C:\Users\Admin\AppData\Local\Temp\R-Launcher.exe
          "C:\Users\Admin\AppData\Local\Temp\R-Launcher.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2660
          • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
            "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\R-Launcher.exe"
            3⤵
              PID:3248
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 3248 -s 360
                4⤵
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2576
        • C:\Program Files\VideoLAN\VLC\vlc.exe
          "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\DenyUndo.mpe"
          1⤵
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:1296

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Winlogon Helper DLL

        1
        T1004

        Modify Existing Service

        1
        T1031

        Hidden Files and Directories

        2
        T1158

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        6
        T1112

        Disabling Security Tools

        2
        T1089

        Hidden Files and Directories

        2
        T1158

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
          MD5

          2308cedb77f66e4a821d57e8ee1e08a5

          SHA1

          42ddaf9aef498e366fecdad6b2acbbe9d9d0d47c

          SHA256

          8eb3881ba7d320c0760042529414e8ee87b8bfc648c34d87dd36ed854b0c8b7b

          SHA512

          ad91461e7e5747a8815015c910f84720bd90cf520a39dcc01cd75c5a8840a8beda9969de2c5e8778cac5d863bf11fcb6c0c946c81b4a3ed43792ca0202264f77

          Download Submit
        • C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
          MD5

          2308cedb77f66e4a821d57e8ee1e08a5

          SHA1

          42ddaf9aef498e366fecdad6b2acbbe9d9d0d47c

          SHA256

          8eb3881ba7d320c0760042529414e8ee87b8bfc648c34d87dd36ed854b0c8b7b

          SHA512

          ad91461e7e5747a8815015c910f84720bd90cf520a39dcc01cd75c5a8840a8beda9969de2c5e8778cac5d863bf11fcb6c0c946c81b4a3ed43792ca0202264f77

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\NJ.EXE
          MD5

          7033b44842fd35925e857497f9cb1653

          SHA1

          0db1543f4af1b37e9d3d93b75f5d8329d6337b3f

          SHA256

          381bc1886d534d20d33107d09b09fd7e4fffba102c0314b6d8359be5ebb6231f

          SHA512

          f74abf39181aa65068740d99968d503ce96bd2dc3c2a0a7251422204c7cda0aa54bc20edce2b37b264348cf97594ed3f99a31028a1eb9e17fd81b4ba4453de0f

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\NJ.EXE
          MD5

          7033b44842fd35925e857497f9cb1653

          SHA1

          0db1543f4af1b37e9d3d93b75f5d8329d6337b3f

          SHA256

          381bc1886d534d20d33107d09b09fd7e4fffba102c0314b6d8359be5ebb6231f

          SHA512

          f74abf39181aa65068740d99968d503ce96bd2dc3c2a0a7251422204c7cda0aa54bc20edce2b37b264348cf97594ed3f99a31028a1eb9e17fd81b4ba4453de0f

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\R-Launcher.exe
          MD5

          f09f583748cb26682f60279b8bba14c8

          SHA1

          caf750a85d3abd708c080ebfa995bc2cc0b4cafd

          SHA256

          7f5b29de3370f01b63bcdf4fc7939728f2b11428462d0e2ba77a2bb62b7698dc

          SHA512

          cf8c278f297e250966ce2302191718dae3e7b09f5f9e2da2efb2bfe87ba87196f69be5c0fe52bf7048230ce616bee76d005a11fa646986fa8b33688d95861ae9

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\R-Launcher.exe
          MD5

          f09f583748cb26682f60279b8bba14c8

          SHA1

          caf750a85d3abd708c080ebfa995bc2cc0b4cafd

          SHA256

          7f5b29de3370f01b63bcdf4fc7939728f2b11428462d0e2ba77a2bb62b7698dc

          SHA512

          cf8c278f297e250966ce2302191718dae3e7b09f5f9e2da2efb2bfe87ba87196f69be5c0fe52bf7048230ce616bee76d005a11fa646986fa8b33688d95861ae9

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\darknj.exe
          MD5

          2308cedb77f66e4a821d57e8ee1e08a5

          SHA1

          42ddaf9aef498e366fecdad6b2acbbe9d9d0d47c

          SHA256

          8eb3881ba7d320c0760042529414e8ee87b8bfc648c34d87dd36ed854b0c8b7b

          SHA512

          ad91461e7e5747a8815015c910f84720bd90cf520a39dcc01cd75c5a8840a8beda9969de2c5e8778cac5d863bf11fcb6c0c946c81b4a3ed43792ca0202264f77

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\darknj.exe
          MD5

          2308cedb77f66e4a821d57e8ee1e08a5

          SHA1

          42ddaf9aef498e366fecdad6b2acbbe9d9d0d47c

          SHA256

          8eb3881ba7d320c0760042529414e8ee87b8bfc648c34d87dd36ed854b0c8b7b

          SHA512

          ad91461e7e5747a8815015c910f84720bd90cf520a39dcc01cd75c5a8840a8beda9969de2c5e8778cac5d863bf11fcb6c0c946c81b4a3ed43792ca0202264f77

          Download Submit
        • memory/200-130-0x0000000000E90000-0x0000000000E91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/200-123-0x0000000000000000-mapping.dmp
          Download
        • memory/1308-137-0x0000000001090000-0x0000000001091000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1308-136-0x0000000000000000-mapping.dmp
          Download
        • memory/2524-125-0x00000000008D0000-0x00000000008D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2524-114-0x0000000000000000-mapping.dmp
          Download
        • memory/2660-117-0x0000000000000000-mapping.dmp
          Download
        • memory/2836-127-0x0000000000000000-mapping.dmp
          Download
        • memory/2988-128-0x0000000000000000-mapping.dmp
          Download
        • memory/3224-121-0x0000000000000000-mapping.dmp
          Download
        • memory/3248-120-0x0000000000000000-mapping.dmp
          Download
        • memory/3312-132-0x0000000000000000-mapping.dmp
          Download
        • memory/3312-135-0x0000000002240000-0x0000000002241000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3464-122-0x0000000000000000-mapping.dmp
          Download
        • memory/3612-131-0x00000000006F0000-0x000000000079E000-memory.dmp
          Filesize

          696KB

          Download
        • memory/3612-129-0x0000000000000000-mapping.dmp
          Download