Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 06:14

General

  • Target

    fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f.exe

  • Size

    454KB

  • MD5

    65a87dffa5617ef83fa7e82df1d57e20

  • SHA1

    be61d5cf9783929a606c17c48144b9346c2b2dee

  • SHA256

    fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f

  • SHA512

    0828535c4678922fca86f861ea855efd7f418286d51431184ab1d896800f9f14db5be3058931ab77f182cb5bf77809fbcbe9fe7a7f8a7e246dae3c858bae877b

  • SSDEEP

    6144:Ahu69AOdMTj7ffR+iW9TaR9Do7o4SXqC0WcKk1CTcycicmyCNZQPX:AhnbUjDR+hso8DXqC0WH/TcTi94

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

108.212.228.172:1231

Mutex

DC_MUTEX-Q5TS8CL

Attributes
  • gencode

    fCvTysMgftsM

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f.exe
    "C:\Users\Admin\AppData\Local\Temp\fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Windows\InstallDir\help.exe
      C:\Windows\InstallDir\help.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4380
      • C:\Windows\SysWOW64\cmd.exe
        /c net stop MpsSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\SysWOW64\net.exe
          net stop MpsSvc
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:224
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MpsSvc
            5⤵
              PID:2324
        • C:\Windows\InstallDir\help.exe
          C:\Windows\InstallDir\help.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4944

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\InstallDir\help.exe

            Filesize

            454KB

            MD5

            65a87dffa5617ef83fa7e82df1d57e20

            SHA1

            be61d5cf9783929a606c17c48144b9346c2b2dee

            SHA256

            fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f

            SHA512

            0828535c4678922fca86f861ea855efd7f418286d51431184ab1d896800f9f14db5be3058931ab77f182cb5bf77809fbcbe9fe7a7f8a7e246dae3c858bae877b

          • C:\Windows\InstallDir\help.exe

            Filesize

            454KB

            MD5

            65a87dffa5617ef83fa7e82df1d57e20

            SHA1

            be61d5cf9783929a606c17c48144b9346c2b2dee

            SHA256

            fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f

            SHA512

            0828535c4678922fca86f861ea855efd7f418286d51431184ab1d896800f9f14db5be3058931ab77f182cb5bf77809fbcbe9fe7a7f8a7e246dae3c858bae877b

          • C:\Windows\InstallDir\help.exe

            Filesize

            454KB

            MD5

            65a87dffa5617ef83fa7e82df1d57e20

            SHA1

            be61d5cf9783929a606c17c48144b9346c2b2dee

            SHA256

            fc785230d7610c48808ce0ca635ce4230b20984bb8068bd488b4efdadf40f64f

            SHA512

            0828535c4678922fca86f861ea855efd7f418286d51431184ab1d896800f9f14db5be3058931ab77f182cb5bf77809fbcbe9fe7a7f8a7e246dae3c858bae877b

          • memory/4240-132-0x00000000004C0000-0x00000000004C6000-memory.dmp

            Filesize

            24KB

          • memory/4944-138-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

          • memory/4944-140-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

          • memory/4944-142-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

          • memory/4944-144-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

          • memory/4944-145-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB