Overview

overview

10

Static

static

10

2b959cad11...46.exe

windows7_x64

10

2b959cad11...46.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    10s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 22:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe

  • Size

    1.6MB

  • MD5

    e85965a416297e42529e543082e768db

  • SHA1

    63183601121650f80f85cbaf6c561c68613a5001

  • SHA256

    2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446

  • SHA512

    b6783897b060391c256a82ceac32e88bff83c2dc0faafff2c1cda83311af4b031c0921df8b6702ce2e22b9569812b635913070dde75cd823450fec056e93ee78

Score
10/10
darkcometsazanpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

127.0.0.1:1604

Mutex

DC_MUTEX-U4PFWCK

Attributes
  • gencode

    Ne7VJi8yzj7V

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
    "C:\Users\Admin\AppData\Local\Temp\2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Users\Admin\AppData\Local\Temp\._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3004
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      PID:4864
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
      PID:4000

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Synaptics\Synaptics.exe
      Filesize

      939KB

      MD5

      4431d23847904ab8bd03aa6505ef9012

      SHA1

      983f6c25926404cb1b8183e8977464f4fed722f0

      SHA256

      6dc69ae06ba3401d0bc3ebd18f7bc30b9e4f796d1dca85443aeb34c3ac719bbc

      SHA512

      8de3c5215a16d524221fe5c466b16cc1eadce200f910d2c891611b5a8fdeea963f5134fe918aaa2c9582ff02e2ab39dc7d3b93f87aa5b3724df9dafcb442ae1c

      Download Submit
    • C:\ProgramData\Synaptics\Synaptics.exe
      Filesize

      939KB

      MD5

      4431d23847904ab8bd03aa6505ef9012

      SHA1

      983f6c25926404cb1b8183e8977464f4fed722f0

      SHA256

      6dc69ae06ba3401d0bc3ebd18f7bc30b9e4f796d1dca85443aeb34c3ac719bbc

      SHA512

      8de3c5215a16d524221fe5c466b16cc1eadce200f910d2c891611b5a8fdeea963f5134fe918aaa2c9582ff02e2ab39dc7d3b93f87aa5b3724df9dafcb442ae1c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
      Filesize

      658KB

      MD5

      44293d6792c2ecf5470b9c69b15e8811

      SHA1

      48df36cb442c7984c2391e5d072e5d2606854332

      SHA256

      4dc4c3ffed634fad94c878d2683d2716b21da62655f7fe188c8f35dcdeda4337

      SHA512

      812325043852f11dc3d36e9799fa41b5bb2449fb33fb7bd68f835ce7ebf83d4b00a251b103ef0b691a3fdaccc07e733071b7f92d54c882d5b8abb332cb4ca340

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\._cache_2b959cad110bb477bfa1cfae45927c3d02fe5eab7043d8d67f71e2d5d054c446.exe
      Filesize

      658KB

      MD5

      44293d6792c2ecf5470b9c69b15e8811

      SHA1

      48df36cb442c7984c2391e5d072e5d2606854332

      SHA256

      4dc4c3ffed634fad94c878d2683d2716b21da62655f7fe188c8f35dcdeda4337

      SHA512

      812325043852f11dc3d36e9799fa41b5bb2449fb33fb7bd68f835ce7ebf83d4b00a251b103ef0b691a3fdaccc07e733071b7f92d54c882d5b8abb332cb4ca340

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HPJT6hAM.xlsm
      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

      Download Submit
    • memory/1600-130-0x0000000000000000-mapping.dmp
      Download
    • memory/4000-136-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4000-140-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4000-139-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4000-138-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4000-137-0x00007FFF77E70000-0x00007FFF77E80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4000-141-0x00007FFF75DE0000-0x00007FFF75DF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4000-142-0x00007FFF75DE0000-0x00007FFF75DF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4864-133-0x0000000000000000-mapping.dmp
      Download