Analysis

  • max time kernel
    208s
  • max time network
    218s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-07-2022 11:34

General

  • Target

    IMG_WA-D0014/IMG_WA-D0014.exe

  • Size

    1.5MB

  • MD5

    f43802841b34045780b19c44f10652aa

  • SHA1

    8395ff25a349459512b81c26eddff2812c486595

  • SHA256

    e771b871b56ae87849d567a693ac3c01c5f57b737dc74435289425869ae17657

  • SHA512

    c50e5a8c76b27bb3bb50761c7f0b9c8b0535bc604a8f687189048bb69cb903d896eb2931ab585d77c1493daec83c8369fc7f1d3ea5c7d5549fb28da2d9fb8eab

Malware Config

Extracted

Family

darkcomet

Botnet

Oct 29 19

C2

bio4kobs.geekgalaxy.com:1609

Mutex

DC_MUTEX-QUS1L2L

Attributes
  • gencode

    sgZH9wbBsjsB

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IMG_WA-D0014\IMG_WA-D0014.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG_WA-D0014\IMG_WA-D0014.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Users\Admin\AppData\Roaming\doctbqr.exe
      "C:\Users\Admin\AppData\Roaming\doctbqr.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\TapiUnattend.exe
        "C:\Windows\System32\TapiUnattend.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:32

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\doct.bmp

    Filesize

    1.1MB

    MD5

    3e9f0eb34cd0aa86faadc2c19b1aadc8

    SHA1

    f755c8b082f46c97e9c377e93bacae0a3f5521c1

    SHA256

    5fb71c17a71dcc2dedc9d45c56f5621e9fd5773f8f7b2409fc83a0edf3df8dfa

    SHA512

    b6b337cdbf0a2d5f57edae8781a1745e9784f667cc3922bf576b467c4a5817b41b4aafd5322a0808b377a6407d851998bf84b69384f52266f286be4066c63f85

  • C:\Users\Admin\AppData\Roaming\doctbqr.exe

    Filesize

    891KB

    MD5

    8336ccaea93bd351eca733be59cc95a6

    SHA1

    c4a7abdd39e9dd0ec560a3ec3f9cab0e65b19488

    SHA256

    a0663ae9e890d831284aa95a6aacbef1e99b01440319ee4b05b747dbba7ee5ea

    SHA512

    5e3acaf8cf0c0b70e008b4fa030116652d84253ae6b2cbdfc718aa3a643b3f397b8ba6a3b72d94954af550caceda72af2edc457f278eb4c11628860614f980c3

  • memory/32-134-0x0000000000000000-mapping.dmp

  • memory/32-135-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/32-136-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/32-137-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/32-138-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/32-139-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/32-140-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2840-130-0x0000000000000000-mapping.dmp