Overview

overview

10

Static

static

DAZ Studio...4c.exe

windows7_x64

10

DAZ Studio...4c.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    02-12-2021 02:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DAZ Studio Professional 4.15.0.30 x64c.exe

  • Size

    536KB

  • MD5

    6485a104cfdf2d8e847f3116347736a6

  • SHA1

    17d5e7d32055ed9c98de05b9f14c9ae2cb573fcc

  • SHA256

    43017a60a99ab0a9ac4ac4087b4d25ff4263e5bae796f4979d777395ae09e67b

  • SHA512

    0ff04031a776e5beb8062bc6483f265f5e043b44d760320b2052a7ce98d6b3181cd7e1f4c69374e9af4a9397a48c83c95d61aee733c03a8d2ef1acafe454ac8c

Score
10/10
darkcometdaz studio professional 4.15.0.30 x64persistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

DAZ Studio Professional 4.15.0.30 x64

C2

clientts.ddns.net:1604

Mutex

DCMIN_MUTEX-7VA997K

Attributes
  • gencode

    iVpp885bSBQY

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DAZ Studio Professional 4.15.0.30 x64c.exe
    "C:\Users\Admin\AppData\Local\Temp\DAZ Studio Professional 4.15.0.30 x64c.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Scripting

1
T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2500-115-0x0000000002720000-0x0000000002721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3708-116-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/3708-117-0x00000000004B5020-mapping.dmp
    Download
  • memory/3708-118-0x00000000008A1000-0x00000000008A2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3708-119-0x00000000008A1000-0x00000000008A2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3708-120-0x00000000008A2000-0x00000000008A4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3708-121-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/3708-123-0x0000000002410000-0x0000000002411000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3708-122-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download