Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 04:45

General

  • Target

    fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe

  • Size

    759KB

  • MD5

    4e58165e216a9be463352e13034e58c0

  • SHA1

    b48e3c4958f83798a4dcbf96a793fbb2a5960d8f

  • SHA256

    fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f

  • SHA512

    c09b3bc0cd586a3327e0f2732a11d5dbb60b9007234066677fa496f54057bb0d19e86f378a472e50ae00aae2ccd755fa5f468947c94667fd65ea413f165078d8

  • SSDEEP

    12288:SphltQO6QBtpRgvCUBv40cbBcHEihhcmN2FanJTz7nRcsC2wgWiVWLfq1b:SLWvCUBA0cbFihBX9msC2wgbYLSb

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

enrispony.no-ip.biz:1604

Mutex

DC_MUTEX-2VS027H

Attributes
  • gencode

    y1yFesyf2sa7

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe
    "C:\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4172
    • C:\Windows\SysWOW64\cmd.exe
      /c net stop MpsSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Windows\SysWOW64\net.exe
        net stop MpsSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:848
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MpsSvc
          4⤵
            PID:4636
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4932
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4932 CREDAT:17410 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3428
      • C:\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe
        C:\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe
        2⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Checks computer location settings
        • Windows security modification
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4644
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe" +s +h
          3⤵
            PID:4400
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe" +s +h
              4⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:2204
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            3⤵
              PID:4772
              • C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:3100
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              3⤵
                PID:2320

          Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f.exe

                  Filesize

                  759KB

                  MD5

                  4e58165e216a9be463352e13034e58c0

                  SHA1

                  b48e3c4958f83798a4dcbf96a793fbb2a5960d8f

                  SHA256

                  fa464cefaa570096e5217b8a6b16e0f183d59c12333773b5433397628c87011f

                  SHA512

                  c09b3bc0cd586a3327e0f2732a11d5dbb60b9007234066677fa496f54057bb0d19e86f378a472e50ae00aae2ccd755fa5f468947c94667fd65ea413f165078d8

                • memory/4172-132-0x0000000000670000-0x0000000000674000-memory.dmp

                  Filesize

                  16KB

                • memory/4644-135-0x0000000000400000-0x00000000004B5000-memory.dmp

                  Filesize

                  724KB

                • memory/4644-137-0x0000000000400000-0x00000000004B5000-memory.dmp

                  Filesize

                  724KB

                • memory/4644-140-0x0000000000400000-0x00000000004B5000-memory.dmp

                  Filesize

                  724KB

                • memory/4644-141-0x0000000000400000-0x00000000004B5000-memory.dmp

                  Filesize

                  724KB

                • memory/4644-147-0x0000000000400000-0x00000000004B5000-memory.dmp

                  Filesize

                  724KB