Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2022 01:48

General

  • Target

    3365215f2c625fd51504e0e51d3aa5c2452b72089e0981dad1025569e868a889.exe

  • Size

    3.1MB

  • MD5

    6b84b35b9b5f1f1b43c4499457adda4b

  • SHA1

    cabe5899b9bc1dfcc9e122692b3ec81bd405a92a

  • SHA256

    3365215f2c625fd51504e0e51d3aa5c2452b72089e0981dad1025569e868a889

  • SHA512

    153393e95357b0bde6f18f5fb92df38123c127b54c4f4eea6cfc76e7e6bbcf563a5cdb9dc8e798891dbb95ed22c3c9dea726f18452c77b246ff9bfd7220e9064

  • SSDEEP

    49152:Xr2KxuLaFzf5zmce0Z9jpVyd4fdBOdygokagOJFwtPLxx8MiGrlZ0iiQF5JxRQcs:b2AJFhmQZ9FVyd6+dytRJF2PyG3r3Q1

Malware Config

Extracted

Family

darkcomet

Botnet

VIR

C2

msdsl.sytes.net:1605

Mutex

TEXBWH3YU5

Attributes
  • gencode

    lHZkfrNRLD6o

  • install

    false

  • offline_keylogger

    true

  • password

    darkcomet

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3365215f2c625fd51504e0e51d3aa5c2452b72089e0981dad1025569e868a889.exe
    "C:\Users\Admin\AppData\Local\Temp\3365215f2c625fd51504e0e51d3aa5c2452b72089e0981dad1025569e868a889.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3604
    • C:\Users\Admin\AppData\Roaming\WerFault.exe
      "C:\Users\Admin\AppData\Roaming\WerFault.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4868
    • C:\Users\Admin\AppData\Roaming\SecurityKISSsetup.exe
      "C:\Users\Admin\AppData\Roaming\SecurityKISSsetup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Users\Admin\AppData\Local\Temp\is-KO6FL.tmp\SecurityKISSsetup.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-KO6FL.tmp\SecurityKISSsetup.tmp" /SL5="$901C6,2459544,54272,C:\Users\Admin\AppData\Roaming\SecurityKISSsetup.exe"
        3⤵
        • Executes dropped EXE
        PID:4332

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scripting (1) T1064
  • Persistence
    Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    Scripting (1) T1064
    Modify Registry (1) T1112
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\f96d9b93-f8a2-44fc-9ad3-79676c20c57d\CliSecureRT.dll
    Filesize

    109KB

    MD5

    46092bbddb5bdf775f67a341d2b03ad7

    SHA1

    5645a2b182986d0278c862390014e20cc501d996

    SHA256

    a9f6783f2864f4532db011c8fccb41fa3732148a810084c7efa8dddbd5ae6324

    SHA512

    5b6cdae42a17aad74500a0ec7c1c4c6d6f0a2a28a43e6620eb26bbf2fe0e0f6adf1836317a33e0e720c70909405c74b3e95df1cb7011732a97f723edb5d250d5

  • C:\Users\Admin\AppData\Local\Temp\is-KO6FL.tmp\SecurityKISSsetup.tmp
    Filesize

    695KB

    MD5

    620f32e56b46e90e8aee43febc59f6e3

    SHA1

    d5edd63dd1390a1420b85f746e12a66625ae9354

    SHA256

    bcc9d63213012bf25a37f48015e5f755d359f3b08d05d35319b03b4a72710730

    SHA512

    8a9d2a2eb3891265cec379978399ad6c9b4bf3e12e0f381946b4390621b943b97fa04fbb87ad628652bd765b706eb2ff56001f24de24e9bcc487a59ca2f07d9c

  • C:\Users\Admin\AppData\Roaming\SecurityKISSsetup.exe
    Filesize

    2.6MB

    MD5

    071de1dd132af35ccc4d6f307515399e

    SHA1

    f3969738e5e9c3d7c1bace0942eca56439e33a21

    SHA256

    525ff2b201e1017939d4397986d3c3157c371974632588c048d8f11e6c4c20b5

    SHA512

    31abe5fa2ee3379fb9df2ce3ff34793f640207b8acb0a6e2b4feeb193c7333d8771825a88fa86c7cdf476e728d3c0498d1687ed74dbf04e95600edd09491d738

  • C:\Users\Admin\AppData\Roaming\WerFault.exe
    Filesize

    521KB

    MD5

    b8d8d7412f11e238d7777bbd5f2b550a

    SHA1

    051f4bb6c860bbdac9ef6323bdea1671e6100ac1

    SHA256

    23e5cceb37c1733c92f387bc9a4ae492fbb80d8b41a5bc1a4634b4b9586be710

    SHA512

    2ae83c636dd13d2eae9f8112d03847aafdcf076c07b318898c16a060cbb16b44dbdbfbbf59e616479600aeb1cc2e24e80d1cfa4ce335912806e16d1901338643

  • memory/2184-150-0x0000000010000000-0x000000001002C000-memory.dmp
    Filesize

    176KB

  • memory/2184-153-0x0000000072FC0000-0x0000000073571000-memory.dmp
    Filesize

    5.7MB

  • memory/2184-132-0x0000000000000000-mapping.dmp
  • memory/2184-144-0x0000000074EB0000-0x0000000074F0B000-memory.dmp
    Filesize

    364KB

  • memory/2184-147-0x0000000010000000-0x000000001002C000-memory.dmp
    Filesize

    176KB

  • memory/2184-145-0x0000000072FC0000-0x0000000073571000-memory.dmp
    Filesize

    5.7MB

  • memory/2392-135-0x0000000000000000-mapping.dmp
  • memory/2392-146-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

  • memory/2392-138-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

  • memory/4332-140-0x0000000000000000-mapping.dmp
  • memory/4868-148-0x0000000000000000-mapping.dmp
  • memory/4868-151-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

  • memory/4868-152-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

  • memory/4868-154-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

  • memory/4868-149-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

  • memory/4868-155-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

  • memory/4868-156-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB