Overview

overview

10

Static

static

3365215f2c...89.exe

windows7-x64

10

3365215f2c...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2022 01:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3365215f2c625fd51504e0e51d3aa5c2452b72089e0981dad1025569e868a889.exe

  • Size

    3.1MB

  • MD5

    6b84b35b9b5f1f1b43c4499457adda4b

  • SHA1

    cabe5899b9bc1dfcc9e122692b3ec81bd405a92a

  • SHA256

    3365215f2c625fd51504e0e51d3aa5c2452b72089e0981dad1025569e868a889

  • SHA512

    153393e95357b0bde6f18f5fb92df38123c127b54c4f4eea6cfc76e7e6bbcf563a5cdb9dc8e798891dbb95ed22c3c9dea726f18452c77b246ff9bfd7220e9064

  • SSDEEP

    49152:Xr2KxuLaFzf5zmce0Z9jpVyd4fdBOdygokagOJFwtPLxx8MiGrlZ0iiQF5JxRQcs:b2AJFhmQZ9FVyd6+dytRJF2PyG3r3Q1

Score
10/10
darkcometvirpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

VIR

C2

msdsl.sytes.net:1605

Mutex

TEXBWH3YU5

Attributes
  • gencode

    lHZkfrNRLD6o

  • install

    false

  • offline_keylogger

    true

  • password

    darkcomet

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 3 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 13 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3365215f2c625fd51504e0e51d3aa5c2452b72089e0981dad1025569e868a889.exe
    "C:\Users\Admin\AppData\Local\Temp\3365215f2c625fd51504e0e51d3aa5c2452b72089e0981dad1025569e868a889.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Users\Admin\AppData\Roaming\WerFault.exe
      "C:\Users\Admin\AppData\Roaming\WerFault.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:876
    • C:\Users\Admin\AppData\Roaming\SecurityKISSsetup.exe
      "C:\Users\Admin\AppData\Roaming\SecurityKISSsetup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Users\Admin\AppData\Local\Temp\is-BS3SP.tmp\SecurityKISSsetup.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-BS3SP.tmp\SecurityKISSsetup.tmp" /SL5="$80022,2459544,54272,C:\Users\Admin\AppData\Roaming\SecurityKISSsetup.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-BS3SP.tmp\SecurityKISSsetup.tmp
    Filesize

    695KB

    MD5

    620f32e56b46e90e8aee43febc59f6e3

    SHA1

    d5edd63dd1390a1420b85f746e12a66625ae9354

    SHA256

    bcc9d63213012bf25a37f48015e5f755d359f3b08d05d35319b03b4a72710730

    SHA512

    8a9d2a2eb3891265cec379978399ad6c9b4bf3e12e0f381946b4390621b943b97fa04fbb87ad628652bd765b706eb2ff56001f24de24e9bcc487a59ca2f07d9c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\SecurityKISSsetup.exe
    Filesize

    2.6MB

    MD5

    071de1dd132af35ccc4d6f307515399e

    SHA1

    f3969738e5e9c3d7c1bace0942eca56439e33a21

    SHA256

    525ff2b201e1017939d4397986d3c3157c371974632588c048d8f11e6c4c20b5

    SHA512

    31abe5fa2ee3379fb9df2ce3ff34793f640207b8acb0a6e2b4feeb193c7333d8771825a88fa86c7cdf476e728d3c0498d1687ed74dbf04e95600edd09491d738

    Download Submit
  • C:\Users\Admin\AppData\Roaming\SecurityKISSsetup.exe
    Filesize

    2.6MB

    MD5

    071de1dd132af35ccc4d6f307515399e

    SHA1

    f3969738e5e9c3d7c1bace0942eca56439e33a21

    SHA256

    525ff2b201e1017939d4397986d3c3157c371974632588c048d8f11e6c4c20b5

    SHA512

    31abe5fa2ee3379fb9df2ce3ff34793f640207b8acb0a6e2b4feeb193c7333d8771825a88fa86c7cdf476e728d3c0498d1687ed74dbf04e95600edd09491d738

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WerFault.exe
    Filesize

    521KB

    MD5

    b8d8d7412f11e238d7777bbd5f2b550a

    SHA1

    051f4bb6c860bbdac9ef6323bdea1671e6100ac1

    SHA256

    23e5cceb37c1733c92f387bc9a4ae492fbb80d8b41a5bc1a4634b4b9586be710

    SHA512

    2ae83c636dd13d2eae9f8112d03847aafdcf076c07b318898c16a060cbb16b44dbdbfbbf59e616479600aeb1cc2e24e80d1cfa4ce335912806e16d1901338643

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WerFault.exe
    Filesize

    521KB

    MD5

    b8d8d7412f11e238d7777bbd5f2b550a

    SHA1

    051f4bb6c860bbdac9ef6323bdea1671e6100ac1

    SHA256

    23e5cceb37c1733c92f387bc9a4ae492fbb80d8b41a5bc1a4634b4b9586be710

    SHA512

    2ae83c636dd13d2eae9f8112d03847aafdcf076c07b318898c16a060cbb16b44dbdbfbbf59e616479600aeb1cc2e24e80d1cfa4ce335912806e16d1901338643

    Download Submit
  • \Users\Admin\AppData\Local\Temp\f96d9b93-f8a2-44fc-9ad3-79676c20c57d\CliSecureRT.dll
    Filesize

    109KB

    MD5

    46092bbddb5bdf775f67a341d2b03ad7

    SHA1

    5645a2b182986d0278c862390014e20cc501d996

    SHA256

    a9f6783f2864f4532db011c8fccb41fa3732148a810084c7efa8dddbd5ae6324

    SHA512

    5b6cdae42a17aad74500a0ec7c1c4c6d6f0a2a28a43e6620eb26bbf2fe0e0f6adf1836317a33e0e720c70909405c74b3e95df1cb7011732a97f723edb5d250d5

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-61GBC.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-61GBC.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-BS3SP.tmp\SecurityKISSsetup.tmp
    Filesize

    695KB

    MD5

    620f32e56b46e90e8aee43febc59f6e3

    SHA1

    d5edd63dd1390a1420b85f746e12a66625ae9354

    SHA256

    bcc9d63213012bf25a37f48015e5f755d359f3b08d05d35319b03b4a72710730

    SHA512

    8a9d2a2eb3891265cec379978399ad6c9b4bf3e12e0f381946b4390621b943b97fa04fbb87ad628652bd765b706eb2ff56001f24de24e9bcc487a59ca2f07d9c

    Download Submit
  • \Users\Admin\AppData\Roaming\SecurityKISSsetup.exe
    Filesize

    2.6MB

    MD5

    071de1dd132af35ccc4d6f307515399e

    SHA1

    f3969738e5e9c3d7c1bace0942eca56439e33a21

    SHA256

    525ff2b201e1017939d4397986d3c3157c371974632588c048d8f11e6c4c20b5

    SHA512

    31abe5fa2ee3379fb9df2ce3ff34793f640207b8acb0a6e2b4feeb193c7333d8771825a88fa86c7cdf476e728d3c0498d1687ed74dbf04e95600edd09491d738

    Download Submit
  • \Users\Admin\AppData\Roaming\SecurityKISSsetup.exe
    Filesize

    2.6MB

    MD5

    071de1dd132af35ccc4d6f307515399e

    SHA1

    f3969738e5e9c3d7c1bace0942eca56439e33a21

    SHA256

    525ff2b201e1017939d4397986d3c3157c371974632588c048d8f11e6c4c20b5

    SHA512

    31abe5fa2ee3379fb9df2ce3ff34793f640207b8acb0a6e2b4feeb193c7333d8771825a88fa86c7cdf476e728d3c0498d1687ed74dbf04e95600edd09491d738

    Download Submit
  • \Users\Admin\AppData\Roaming\SecurityKISSsetup.exe
    Filesize

    2.6MB

    MD5

    071de1dd132af35ccc4d6f307515399e

    SHA1

    f3969738e5e9c3d7c1bace0942eca56439e33a21

    SHA256

    525ff2b201e1017939d4397986d3c3157c371974632588c048d8f11e6c4c20b5

    SHA512

    31abe5fa2ee3379fb9df2ce3ff34793f640207b8acb0a6e2b4feeb193c7333d8771825a88fa86c7cdf476e728d3c0498d1687ed74dbf04e95600edd09491d738

    Download Submit
  • \Users\Admin\AppData\Roaming\SecurityKISSsetup.exe
    Filesize

    2.6MB

    MD5

    071de1dd132af35ccc4d6f307515399e

    SHA1

    f3969738e5e9c3d7c1bace0942eca56439e33a21

    SHA256

    525ff2b201e1017939d4397986d3c3157c371974632588c048d8f11e6c4c20b5

    SHA512

    31abe5fa2ee3379fb9df2ce3ff34793f640207b8acb0a6e2b4feeb193c7333d8771825a88fa86c7cdf476e728d3c0498d1687ed74dbf04e95600edd09491d738

    Download Submit
  • \Users\Admin\AppData\Roaming\WerFault.exe
    Filesize

    521KB

    MD5

    b8d8d7412f11e238d7777bbd5f2b550a

    SHA1

    051f4bb6c860bbdac9ef6323bdea1671e6100ac1

    SHA256

    23e5cceb37c1733c92f387bc9a4ae492fbb80d8b41a5bc1a4634b4b9586be710

    SHA512

    2ae83c636dd13d2eae9f8112d03847aafdcf076c07b318898c16a060cbb16b44dbdbfbbf59e616479600aeb1cc2e24e80d1cfa4ce335912806e16d1901338643

    Download Submit
  • \Users\Admin\AppData\Roaming\WerFault.exe
    Filesize

    521KB

    MD5

    b8d8d7412f11e238d7777bbd5f2b550a

    SHA1

    051f4bb6c860bbdac9ef6323bdea1671e6100ac1

    SHA256

    23e5cceb37c1733c92f387bc9a4ae492fbb80d8b41a5bc1a4634b4b9586be710

    SHA512

    2ae83c636dd13d2eae9f8112d03847aafdcf076c07b318898c16a060cbb16b44dbdbfbbf59e616479600aeb1cc2e24e80d1cfa4ce335912806e16d1901338643

    Download Submit
  • \Users\Admin\AppData\Roaming\WerFault.exe
    Filesize

    521KB

    MD5

    b8d8d7412f11e238d7777bbd5f2b550a

    SHA1

    051f4bb6c860bbdac9ef6323bdea1671e6100ac1

    SHA256

    23e5cceb37c1733c92f387bc9a4ae492fbb80d8b41a5bc1a4634b4b9586be710

    SHA512

    2ae83c636dd13d2eae9f8112d03847aafdcf076c07b318898c16a060cbb16b44dbdbfbbf59e616479600aeb1cc2e24e80d1cfa4ce335912806e16d1901338643

    Download Submit
  • \Users\Admin\AppData\Roaming\WerFault.exe
    Filesize

    521KB

    MD5

    b8d8d7412f11e238d7777bbd5f2b550a

    SHA1

    051f4bb6c860bbdac9ef6323bdea1671e6100ac1

    SHA256

    23e5cceb37c1733c92f387bc9a4ae492fbb80d8b41a5bc1a4634b4b9586be710

    SHA512

    2ae83c636dd13d2eae9f8112d03847aafdcf076c07b318898c16a060cbb16b44dbdbfbbf59e616479600aeb1cc2e24e80d1cfa4ce335912806e16d1901338643

    Download Submit
  • \Users\Admin\AppData\Roaming\WerFault.exe
    Filesize

    521KB

    MD5

    b8d8d7412f11e238d7777bbd5f2b550a

    SHA1

    051f4bb6c860bbdac9ef6323bdea1671e6100ac1

    SHA256

    23e5cceb37c1733c92f387bc9a4ae492fbb80d8b41a5bc1a4634b4b9586be710

    SHA512

    2ae83c636dd13d2eae9f8112d03847aafdcf076c07b318898c16a060cbb16b44dbdbfbbf59e616479600aeb1cc2e24e80d1cfa4ce335912806e16d1901338643

    Download Submit
  • memory/876-85-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/876-93-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/876-99-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/876-98-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/876-97-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/876-96-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/876-87-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/876-88-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/876-84-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/876-89-0x00000000004B5660-mapping.dmp
    Download
  • memory/876-90-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/1204-83-0x0000000074810000-0x000000007486B000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1204-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1204-92-0x0000000074020000-0x00000000745CB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1204-94-0x0000000010000000-0x000000001002C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/1204-81-0x0000000074020000-0x00000000745CB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1588-54-0x0000000075661000-0x0000000075663000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2020-75-0x0000000000000000-mapping.dmp
    Download
  • memory/2040-80-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2040-67-0x0000000000000000-mapping.dmp
    Download
  • memory/2040-71-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download