Overview

overview

10

Static

static

f695eb089d...6c.exe

windows7-x64

10

f695eb089d...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    177s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2022 09:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f695eb089d4a33afab87887b5779fe39c48e13594c6b3d76e01393eb36da886c.exe

  • Size

    676KB

  • MD5

    58d950929edcfc0a3f1def7620d62fd0

  • SHA1

    d062ad6abfc4bf4e5491b70b1200ca2ff7922904

  • SHA256

    f695eb089d4a33afab87887b5779fe39c48e13594c6b3d76e01393eb36da886c

  • SHA512

    cf23ac522ef46f3f42be5e79d36e4c189bee8a1d282fdccec12ffb97e7200fcce4f161b17030c8ea5c90d99be7926732b25f4ab25886f8a3e6466021cfec5fb4

  • SSDEEP

    12288:2QMuiMQn3i8BpVCFeKq9Ipo90lbKSpuQO2tW05l6qK8sWg4gPp73:wrBpMMKGIpu/jJ2EYl6qdgjd

Score
10/10
darkcometguest16discoveryevasionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

79.172.26.136:1604

Mutex

DC_MUTEX-HN17VDB

Attributes
  • InstallPath

    System32\Drivers.exe

  • gencode

    T3NMNGnXGHkl

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 4 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\f695eb089d4a33afab87887b5779fe39c48e13594c6b3d76e01393eb36da886c.exe
    "C:\Users\Admin\AppData\Local\Temp\f695eb089d4a33afab87887b5779fe39c48e13594c6b3d76e01393eb36da886c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Users\Admin\AppData\Local\Temp\AdlingV4.6.exe
      "C:\Users\Admin\AppData\Local\Temp\AdlingV4.6.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4004
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\AdlingV4.6.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5056
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\AdlingV4.6.exe" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4916
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:400
      • C:\ProgramData\Microsoft\Windows\Start Menu\System32\Drivers.exe
        "C:\ProgramData\Microsoft\Windows\Start Menu\System32\Drivers.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3716
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
            PID:2340
      • C:\Users\Admin\AppData\Local\Temp\result.exe
        "C:\Users\Admin\AppData\Local\Temp\result.exe"
        2⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3996
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\result.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\result.exe"
          3⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Drops startup file
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:3076

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Modify Existing Service

    2
    T1031

    Hidden Files and Directories

    2
    T1158

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    7
    T1112

    Disabling Security Tools

    2
    T1089

    Hidden Files and Directories

    2
    T1158

    Credential Access

    Credentials in Files

    3
    T1081

    Discovery

    Query Registry

    4
    T1012

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Windows\Start Menu\System32\Drivers.exe
      Filesize

      783KB

      MD5

      b8a17bdc154014be41d991204ada6d1d

      SHA1

      9853a2addc170008fccaa6ab7f38583058be3d84

      SHA256

      19477ea50733372be7440943b99e0e70c6235e0d8febffd68c37a167d6febf22

      SHA512

      9831a3b0b7afc44b131bd35c0e0162e07f706f0f0e8c0a6b1355f82817a3d5c829cf6fa313c2fccbedbc7c5ee0a16fd1c112814c4c0b51470cd003d124ca4c60

      Download Submit
    • C:\ProgramData\Microsoft\Windows\Start Menu\System32\Drivers.exe
      Filesize

      783KB

      MD5

      b8a17bdc154014be41d991204ada6d1d

      SHA1

      9853a2addc170008fccaa6ab7f38583058be3d84

      SHA256

      19477ea50733372be7440943b99e0e70c6235e0d8febffd68c37a167d6febf22

      SHA512

      9831a3b0b7afc44b131bd35c0e0162e07f706f0f0e8c0a6b1355f82817a3d5c829cf6fa313c2fccbedbc7c5ee0a16fd1c112814c4c0b51470cd003d124ca4c60

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\AdlingV4.6.exe
      Filesize

      783KB

      MD5

      b8a17bdc154014be41d991204ada6d1d

      SHA1

      9853a2addc170008fccaa6ab7f38583058be3d84

      SHA256

      19477ea50733372be7440943b99e0e70c6235e0d8febffd68c37a167d6febf22

      SHA512

      9831a3b0b7afc44b131bd35c0e0162e07f706f0f0e8c0a6b1355f82817a3d5c829cf6fa313c2fccbedbc7c5ee0a16fd1c112814c4c0b51470cd003d124ca4c60

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\AdlingV4.6.exe
      Filesize

      783KB

      MD5

      b8a17bdc154014be41d991204ada6d1d

      SHA1

      9853a2addc170008fccaa6ab7f38583058be3d84

      SHA256

      19477ea50733372be7440943b99e0e70c6235e0d8febffd68c37a167d6febf22

      SHA512

      9831a3b0b7afc44b131bd35c0e0162e07f706f0f0e8c0a6b1355f82817a3d5c829cf6fa313c2fccbedbc7c5ee0a16fd1c112814c4c0b51470cd003d124ca4c60

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\result.exe
      Filesize

      35KB

      MD5

      77172f5ce035f0f19f20153fc87fc763

      SHA1

      fc33e0896c8837208b82f0671a2ec20442db17b1

      SHA256

      6e37286d49bd98a5b77a2c52940bb4df50de4debc9dc40fadc1d55a92cb476f8

      SHA512

      5f5f76267047978259458ab323d5bfc124738437e2b3bee224f5d5689d4685305f31015ea2a5f25f779db90bd9ff394d7c11f611b86779de5260c977e0ad172f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\result.exe
      Filesize

      35KB

      MD5

      77172f5ce035f0f19f20153fc87fc763

      SHA1

      fc33e0896c8837208b82f0671a2ec20442db17b1

      SHA256

      6e37286d49bd98a5b77a2c52940bb4df50de4debc9dc40fadc1d55a92cb476f8

      SHA512

      5f5f76267047978259458ab323d5bfc124738437e2b3bee224f5d5689d4685305f31015ea2a5f25f779db90bd9ff394d7c11f611b86779de5260c977e0ad172f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\result.exe
      Filesize

      35KB

      MD5

      77172f5ce035f0f19f20153fc87fc763

      SHA1

      fc33e0896c8837208b82f0671a2ec20442db17b1

      SHA256

      6e37286d49bd98a5b77a2c52940bb4df50de4debc9dc40fadc1d55a92cb476f8

      SHA512

      5f5f76267047978259458ab323d5bfc124738437e2b3bee224f5d5689d4685305f31015ea2a5f25f779db90bd9ff394d7c11f611b86779de5260c977e0ad172f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\result.exe
      Filesize

      35KB

      MD5

      77172f5ce035f0f19f20153fc87fc763

      SHA1

      fc33e0896c8837208b82f0671a2ec20442db17b1

      SHA256

      6e37286d49bd98a5b77a2c52940bb4df50de4debc9dc40fadc1d55a92cb476f8

      SHA512

      5f5f76267047978259458ab323d5bfc124738437e2b3bee224f5d5689d4685305f31015ea2a5f25f779db90bd9ff394d7c11f611b86779de5260c977e0ad172f

      Download Submit
    • memory/400-151-0x0000000000000000-mapping.dmp
      Download
    • memory/1496-145-0x0000000000000000-mapping.dmp
      Download
    • memory/2340-152-0x0000000000000000-mapping.dmp
      Download
    • memory/3076-150-0x0000000000400000-0x000000000045D000-memory.dmp
      Filesize

      372KB

      Download
    • memory/3076-143-0x0000000000400000-0x000000000045D000-memory.dmp
      Filesize

      372KB

      Download
    • memory/3076-139-0x0000000000000000-mapping.dmp
      Download
    • memory/3076-153-0x0000000000400000-0x000000000045D000-memory.dmp
      Filesize

      372KB

      Download
    • memory/3716-146-0x0000000000000000-mapping.dmp
      Download
    • memory/3996-135-0x0000000000000000-mapping.dmp
      Download
    • memory/3996-138-0x0000000000400000-0x000000000045D000-memory.dmp
      Filesize

      372KB

      Download
    • memory/3996-141-0x0000000000400000-0x000000000045D000-memory.dmp
      Filesize

      372KB

      Download
    • memory/4004-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4916-149-0x0000000000000000-mapping.dmp
      Download
    • memory/5056-144-0x0000000000000000-mapping.dmp
      Download