Overview

overview

10

Static

static

5e7890cdd8...89.exe

windows7-x64

10

5e7890cdd8...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 20:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe

  • Size

    831KB

  • MD5

    8c47d220c6f5462e850bc975b7b3250a

  • SHA1

    be17048d36e5759ac477c48bcc00834f987daf0c

  • SHA256

    5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989

  • SHA512

    f913467a56df8ad018b86f113b4d0da5d51bcc3c4337b2cfad6afd2091dc8f096225284f46f1f8373e22be7ecaf1063f5ea8bdcc109a9f14e42691c29392bd87

Score
10/10
darkcometcryptpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Crypt

C2

BiNC.no-ip.biz:1604

Mutex

DC_MUTEX-0GJMXZ4

Attributes
  • gencode

    MALR2k7k9YBe

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
    "C:\Users\Admin\AppData\Local\Temp\5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Users\Admin\AppData\Local\Temp\5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
      "C:\Users\Admin\AppData\Local\Temp\5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Users\Admin\AppData\Local\Temp\5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe
        "C:\Users\Admin\AppData\Local\Temp\5e7890cdd80b87072615fe92c2d46af7b8a3f15e81310e13678f2cd78530f989.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/820-81-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/820-82-0x000000000048F888-mapping.dmp
    Download
  • memory/820-70-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/820-88-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/820-72-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/820-87-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/820-86-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/820-74-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/820-84-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/820-79-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/820-67-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/820-68-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/820-77-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/820-76-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/1932-63-0x0000000000401110-mapping.dmp
    Download
  • memory/1932-59-0x0000000000400000-0x00000000004AC000-memory.dmp
    Filesize

    688KB

    Download
  • memory/1932-57-0x0000000000400000-0x00000000004AC000-memory.dmp
    Filesize

    688KB

    Download
  • memory/1932-65-0x0000000075741000-0x0000000075743000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1932-54-0x0000000000400000-0x00000000004AC000-memory.dmp
    Filesize

    688KB

    Download
  • memory/1932-55-0x0000000000400000-0x00000000004AC000-memory.dmp
    Filesize

    688KB

    Download
  • memory/1932-83-0x0000000000400000-0x00000000004AC000-memory.dmp
    Filesize

    688KB

    Download
  • memory/1932-66-0x0000000000400000-0x00000000004AC000-memory.dmp
    Filesize

    688KB

    Download
  • memory/1932-62-0x0000000000400000-0x00000000004AC000-memory.dmp
    Filesize

    688KB

    Download
  • memory/1932-60-0x0000000000400000-0x00000000004AC000-memory.dmp
    Filesize

    688KB

    Download
  • memory/1932-58-0x0000000000400000-0x00000000004AC000-memory.dmp
    Filesize

    688KB

    Download