Overview

overview

10

Static

static

10

ZulaHax.exe

windows7_x64

10

ZulaHax.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-06-2022 17:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ZulaHax.exe

  • Size

    659KB

  • MD5

    949573ea355757e37f217798fd335478

  • SHA1

    ba103d18dd84409cd2cba837ae64d42ec75613e7

  • SHA256

    222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3

  • SHA512

    ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881

Score
10/10
darkcometsazanevasionpersistenceratsuricatatrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

sussysdfffdfff343.duckdns.org:1604

Mutex

DC_MUTEX-5BJ61CT

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    hSQMSMbHss9o

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • suricata: ET MALWARE Backdoor.Win32.DarkComet Screenshot Upload Successful

    suricata: ET MALWARE Backdoor.Win32.DarkComet Screenshot Upload Successful

    suricata
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZulaHax.exe
    "C:\Users\Admin\AppData\Local\Temp\ZulaHax.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
            PID:892
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            4⤵
              PID:1676
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe"
              4⤵
                PID:1740
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe"
                4⤵
                  PID:1352
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe"
                  4⤵
                    PID:1620
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe"
                    4⤵
                      PID:1948
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe"
                      4⤵
                        PID:1156
                      • C:\Windows\SysWOW64\taskmgr.exe
                        "C:\Windows\System32\taskmgr.exe"
                        4⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:616
                      • C:\Windows\SysWOW64\taskmgr.exe
                        "C:\Windows\System32\taskmgr.exe"
                        4⤵
                          PID:1636
                        • C:\Windows\SysWOW64\taskmgr.exe
                          "C:\Windows\System32\taskmgr.exe"
                          4⤵
                            PID:1632
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe"
                            4⤵
                              PID:2044
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\System32\cmd.exe"
                              4⤵
                                PID:1640

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Initial Access

                        Execution

                        Persistence

                        Winlogon Helper DLL

                        1
                        T1004

                        Modify Existing Service

                        2
                        T1031

                        Registry Run Keys / Startup Folder

                        1
                        T1060

                        Privilege Escalation

                        Defense Evasion

                        Modify Registry

                        6
                        T1112

                        Disabling Security Tools

                        2
                        T1089

                        Credential Access

                        Discovery

                        System Information Discovery

                        1
                        T1082

                        Lateral Movement

                        Collection

                        Exfiltration

                        Command and Control

                        Impact

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                          Filesize

                          659KB

                          MD5

                          949573ea355757e37f217798fd335478

                          SHA1

                          ba103d18dd84409cd2cba837ae64d42ec75613e7

                          SHA256

                          222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3

                          SHA512

                          ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881

                          Download Submit
                        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                          Filesize

                          659KB

                          MD5

                          949573ea355757e37f217798fd335478

                          SHA1

                          ba103d18dd84409cd2cba837ae64d42ec75613e7

                          SHA256

                          222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3

                          SHA512

                          ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881

                          Download Submit
                        • \Users\Admin\Documents\MSDCSC\msdcsc.exe
                          Filesize

                          659KB

                          MD5

                          949573ea355757e37f217798fd335478

                          SHA1

                          ba103d18dd84409cd2cba837ae64d42ec75613e7

                          SHA256

                          222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3

                          SHA512

                          ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881

                          Download Submit
                        • \Users\Admin\Documents\MSDCSC\msdcsc.exe
                          Filesize

                          659KB

                          MD5

                          949573ea355757e37f217798fd335478

                          SHA1

                          ba103d18dd84409cd2cba837ae64d42ec75613e7

                          SHA256

                          222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3

                          SHA512

                          ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881

                          Download Submit
                        • memory/616-69-0x0000000000000000-mapping.dmp
                          Download
                        • memory/836-57-0x0000000000000000-mapping.dmp
                          Download
                        • memory/892-61-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1156-68-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1352-65-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1620-66-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1632-73-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1636-71-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1640-76-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1676-63-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1740-64-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1948-67-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1976-54-0x00000000757C1000-0x00000000757C3000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/2044-75-0x0000000000000000-mapping.dmp
                          Download