Overview

overview

10

Static

static

e82aee5ef0...c9.exe

windows7-x64

10

e82aee5ef0...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04/10/2022, 02:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9.exe

  • Size

    927KB

  • MD5

    6d5416776bd0f3854a271722098d719e

  • SHA1

    ff6876a938916d3010963136ef8b084f0d703b5d

  • SHA256

    e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9

  • SHA512

    3fb3335b5f22bd29373d83bede4fb9764f7f3699d43f9339ec4f24e25e07dfdb7b8666fcd223a8ac0bc11b56219c933a29db6a50f9a5105cdb229fb3a0ffd3fb

  • SSDEEP

    24576:NZPMSPOdEDGD8Xa6x4LqKMg1tXykjBUyNts4cPq:DOv8XFKLx1tisNFh

Score
10/10
darkcometcryptserviceguest16evasionpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

109.104.87.142:2039

Mutex

DC_MUTEX-X2C2Y2U

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    FcUN6bdTNYgc

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Extracted

Family

darkcomet

Botnet

CryptService

C2

bezerkmedia.no-ip.biz:1606

Mutex

DCMIN_MUTEX-97A2GT7

Attributes
  • gencode

    0n1bb6xQeSjV

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Executes dropped EXE 5 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9.exe
    "C:\Users\Admin\AppData\Local\Temp\e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\G9hdquLc\VHExTPh.exe,explorer.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\G9hdquLc\VHExTPh.exe,explorer.exe"
        3⤵
        • Modifies WinLogon for persistence
        PID:956
    • C:\Users\Admin\AppData\Local\Temp\e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9.exe
      "C:\Users\Admin\AppData\Local\Temp\e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1200
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9.exe" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1940
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:824
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:672
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        PID:616
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\G9hdquLc\VHExTPh.exe,explorer.exe"
          4⤵
            PID:1392
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\G9hdquLc\VHExTPh.exe,explorer.exe"
              5⤵
              • Modifies WinLogon for persistence
              PID:1912
          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            4⤵
            • Executes dropped EXE
            PID:1992
          • C:\Users\Admin\AppData\Local\Temp\CryptService.exe.exe
            "C:\Users\Admin\AppData\Local\Temp\CryptService.exe.exe"
            4⤵
            • Executes dropped EXE
            PID:1188
      • C:\Users\Admin\AppData\Local\Temp\CryptService.exe.exe
        "C:\Users\Admin\AppData\Local\Temp\CryptService.exe.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1916
      • C:\Users\Admin\AppData\Local\Temp\e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9.exe
        "C:\Users\Admin\AppData\Local\Temp\e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9.exe"
        2⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1920
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          3⤵
            PID:1564

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\CryptService.exe.exe
        Filesize

        232KB

        MD5

        b8c99b673301955465e5e7169dba945c

        SHA1

        541f4719f945d9091ef5d24268c0642efa110759

        SHA256

        1fdc072a210cf84642dfa0cc670820d5b11d060783f8c714a284f4c79d01dda4

        SHA512

        65323893af70c369866ab4a8b5fb735cb8297648354bd93fbd1e2b713cfb1119fc37860634907f2e2e0b0f570d2d160ddb1e03c2462439b1471488151eb07ced

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CryptService.exe.exe
        Filesize

        232KB

        MD5

        b8c99b673301955465e5e7169dba945c

        SHA1

        541f4719f945d9091ef5d24268c0642efa110759

        SHA256

        1fdc072a210cf84642dfa0cc670820d5b11d060783f8c714a284f4c79d01dda4

        SHA512

        65323893af70c369866ab4a8b5fb735cb8297648354bd93fbd1e2b713cfb1119fc37860634907f2e2e0b0f570d2d160ddb1e03c2462439b1471488151eb07ced

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CryptService.exe.exe
        Filesize

        232KB

        MD5

        b8c99b673301955465e5e7169dba945c

        SHA1

        541f4719f945d9091ef5d24268c0642efa110759

        SHA256

        1fdc072a210cf84642dfa0cc670820d5b11d060783f8c714a284f4c79d01dda4

        SHA512

        65323893af70c369866ab4a8b5fb735cb8297648354bd93fbd1e2b713cfb1119fc37860634907f2e2e0b0f570d2d160ddb1e03c2462439b1471488151eb07ced

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9.exe
        Filesize

        927KB

        MD5

        6d5416776bd0f3854a271722098d719e

        SHA1

        ff6876a938916d3010963136ef8b084f0d703b5d

        SHA256

        e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9

        SHA512

        3fb3335b5f22bd29373d83bede4fb9764f7f3699d43f9339ec4f24e25e07dfdb7b8666fcd223a8ac0bc11b56219c933a29db6a50f9a5105cdb229fb3a0ffd3fb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\G9hdquLc\VHExTPh.exe
        Filesize

        927KB

        MD5

        6d5416776bd0f3854a271722098d719e

        SHA1

        ff6876a938916d3010963136ef8b084f0d703b5d

        SHA256

        e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9

        SHA512

        3fb3335b5f22bd29373d83bede4fb9764f7f3699d43f9339ec4f24e25e07dfdb7b8666fcd223a8ac0bc11b56219c933a29db6a50f9a5105cdb229fb3a0ffd3fb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\G9hdquLc\VHExTPh.exe.lnk
        Filesize

        843B

        MD5

        21888d502380704efffe88156af979d3

        SHA1

        0070405f49b681624f58f36393c370af2e79635d

        SHA256

        419472d79bd02747e84f4c7df22dacc29c53a7c0759b4fde9ed7abe131e3d610

        SHA512

        c48362dcc7e46886399dfb255b50a4e07b6022c7d9f7011c253d3bb8c0d524b78d10ef41c87e76d04c5d4114468a5e0bc6a27a116f49b82726a6b10f796b1dc7

        Download Submit

      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        927KB

        MD5

        6d5416776bd0f3854a271722098d719e

        SHA1

        ff6876a938916d3010963136ef8b084f0d703b5d

        SHA256

        e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9

        SHA512

        3fb3335b5f22bd29373d83bede4fb9764f7f3699d43f9339ec4f24e25e07dfdb7b8666fcd223a8ac0bc11b56219c933a29db6a50f9a5105cdb229fb3a0ffd3fb

        Download Submit

      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        927KB

        MD5

        6d5416776bd0f3854a271722098d719e

        SHA1

        ff6876a938916d3010963136ef8b084f0d703b5d

        SHA256

        e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9

        SHA512

        3fb3335b5f22bd29373d83bede4fb9764f7f3699d43f9339ec4f24e25e07dfdb7b8666fcd223a8ac0bc11b56219c933a29db6a50f9a5105cdb229fb3a0ffd3fb

        Download Submit

      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        927KB

        MD5

        6d5416776bd0f3854a271722098d719e

        SHA1

        ff6876a938916d3010963136ef8b084f0d703b5d

        SHA256

        e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9

        SHA512

        3fb3335b5f22bd29373d83bede4fb9764f7f3699d43f9339ec4f24e25e07dfdb7b8666fcd223a8ac0bc11b56219c933a29db6a50f9a5105cdb229fb3a0ffd3fb

        Download Submit

      • \Users\Admin\AppData\Local\Temp\CryptService.exe.exe
        Filesize

        232KB

        MD5

        b8c99b673301955465e5e7169dba945c

        SHA1

        541f4719f945d9091ef5d24268c0642efa110759

        SHA256

        1fdc072a210cf84642dfa0cc670820d5b11d060783f8c714a284f4c79d01dda4

        SHA512

        65323893af70c369866ab4a8b5fb735cb8297648354bd93fbd1e2b713cfb1119fc37860634907f2e2e0b0f570d2d160ddb1e03c2462439b1471488151eb07ced

        Download Submit

      • \Users\Admin\AppData\Local\Temp\CryptService.exe.exe
        Filesize

        232KB

        MD5

        b8c99b673301955465e5e7169dba945c

        SHA1

        541f4719f945d9091ef5d24268c0642efa110759

        SHA256

        1fdc072a210cf84642dfa0cc670820d5b11d060783f8c714a284f4c79d01dda4

        SHA512

        65323893af70c369866ab4a8b5fb735cb8297648354bd93fbd1e2b713cfb1119fc37860634907f2e2e0b0f570d2d160ddb1e03c2462439b1471488151eb07ced

        Download Submit

      • \Users\Admin\AppData\Local\Temp\CryptService.exe.exe
        Filesize

        232KB

        MD5

        b8c99b673301955465e5e7169dba945c

        SHA1

        541f4719f945d9091ef5d24268c0642efa110759

        SHA256

        1fdc072a210cf84642dfa0cc670820d5b11d060783f8c714a284f4c79d01dda4

        SHA512

        65323893af70c369866ab4a8b5fb735cb8297648354bd93fbd1e2b713cfb1119fc37860634907f2e2e0b0f570d2d160ddb1e03c2462439b1471488151eb07ced

        Download Submit

      • \Users\Admin\AppData\Local\Temp\CryptService.exe.exe
        Filesize

        232KB

        MD5

        b8c99b673301955465e5e7169dba945c

        SHA1

        541f4719f945d9091ef5d24268c0642efa110759

        SHA256

        1fdc072a210cf84642dfa0cc670820d5b11d060783f8c714a284f4c79d01dda4

        SHA512

        65323893af70c369866ab4a8b5fb735cb8297648354bd93fbd1e2b713cfb1119fc37860634907f2e2e0b0f570d2d160ddb1e03c2462439b1471488151eb07ced

        Download Submit

      • \Users\Admin\AppData\Local\Temp\e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9.exe
        Filesize

        927KB

        MD5

        6d5416776bd0f3854a271722098d719e

        SHA1

        ff6876a938916d3010963136ef8b084f0d703b5d

        SHA256

        e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9

        SHA512

        3fb3335b5f22bd29373d83bede4fb9764f7f3699d43f9339ec4f24e25e07dfdb7b8666fcd223a8ac0bc11b56219c933a29db6a50f9a5105cdb229fb3a0ffd3fb

        Download Submit

      • \Users\Admin\AppData\Roaming\G9hdquLc\VHExTPh.exe
        Filesize

        927KB

        MD5

        6d5416776bd0f3854a271722098d719e

        SHA1

        ff6876a938916d3010963136ef8b084f0d703b5d

        SHA256

        e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9

        SHA512

        3fb3335b5f22bd29373d83bede4fb9764f7f3699d43f9339ec4f24e25e07dfdb7b8666fcd223a8ac0bc11b56219c933a29db6a50f9a5105cdb229fb3a0ffd3fb

        Download Submit

      • \Users\Admin\AppData\Roaming\G9hdquLc\VHExTPh.exe
        Filesize

        927KB

        MD5

        6d5416776bd0f3854a271722098d719e

        SHA1

        ff6876a938916d3010963136ef8b084f0d703b5d

        SHA256

        e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9

        SHA512

        3fb3335b5f22bd29373d83bede4fb9764f7f3699d43f9339ec4f24e25e07dfdb7b8666fcd223a8ac0bc11b56219c933a29db6a50f9a5105cdb229fb3a0ffd3fb

        Download Submit

      • \Users\Admin\Documents\MSDCSC\msdcsc.exe
        Filesize

        927KB

        MD5

        6d5416776bd0f3854a271722098d719e

        SHA1

        ff6876a938916d3010963136ef8b084f0d703b5d

        SHA256

        e82aee5ef07a580114f739b15249703f2147dbc05fa03ba55b5a0abd3e15c9c9

        SHA512

        3fb3335b5f22bd29373d83bede4fb9764f7f3699d43f9339ec4f24e25e07dfdb7b8666fcd223a8ac0bc11b56219c933a29db6a50f9a5105cdb229fb3a0ffd3fb

        Download Submit

      • memory/616-98-0x0000000074740000-0x0000000074CEB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/616-126-0x0000000074740000-0x0000000074CEB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/616-160-0x0000000007BA0000-0x0000000007C57000-memory.dmp

        Filesize

        732KB

        Download

      • memory/616-159-0x0000000007BA0000-0x0000000007C57000-memory.dmp

        Filesize

        732KB

        Download

      • memory/616-161-0x0000000007BA0000-0x0000000007C57000-memory.dmp

        Filesize

        732KB

        Download

      • memory/988-74-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/988-70-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/988-60-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/988-69-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/988-61-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/988-83-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/988-63-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/988-97-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/988-72-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/988-65-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/988-67-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/988-76-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1188-158-0x0000000000400000-0x00000000004B7000-memory.dmp

        Filesize

        732KB

        Download

      • memory/1668-125-0x00000000099E0000-0x0000000009A97000-memory.dmp

        Filesize

        732KB

        Download

      • memory/1668-90-0x00000000099E0000-0x0000000009A97000-memory.dmp

        Filesize

        732KB

        Download

      • memory/1668-89-0x00000000099E0000-0x0000000009A97000-memory.dmp

        Filesize

        732KB

        Download

      • memory/1668-124-0x00000000099E0000-0x0000000009A97000-memory.dmp

        Filesize

        732KB

        Download

      • memory/1668-55-0x0000000074740000-0x0000000074CEB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1668-56-0x0000000074740000-0x0000000074CEB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1668-54-0x0000000075241000-0x0000000075243000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1916-123-0x0000000000400000-0x00000000004B7000-memory.dmp

        Filesize

        732KB

        Download

      • memory/1916-93-0x0000000000400000-0x00000000004B7000-memory.dmp

        Filesize

        732KB

        Download

      • memory/1920-122-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1920-127-0x0000000000400000-0x00000000004B2000-memory.dmp

        Filesize

        712KB

        Download