Analysis

  • max time kernel
    151s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/10/2022, 13:59

General

  • Target

    b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe

  • Size

    982KB

  • MD5

    a0c1fbfec528254387068c5a471c78c0

  • SHA1

    7a63a729e66f99cecf03a325574730a6e0f04ea9

  • SHA256

    b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc

  • SHA512

    34702fa5bcc0f96da787e2afb28379fbe96aa2aba824d15c9d0b5737acb7d9e2e42c96cd3df5c77c0c28fe63d5adb287b3030234580e7a64adca3a70534be31b

  • SSDEEP

    24576:LF0YIvvlHlnU6QBDB1FNYV/rO7h5lz+wKJ:GYUzmvYV/rUf6wU

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-J6W1DYN

Attributes
  • gencode

    aCvj1G0UCC75

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Suspicious use of SetThreadContext 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe
    "C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Windows\SysWOW64\cmd.exe
      /c net stop MpsSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\SysWOW64\net.exe
        net stop MpsSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4644
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MpsSvc
          4⤵
            PID:5032
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2332
      • C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe
        C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5092
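Two host-side behaviours in the tree above are worth turning into detection logic: the sample shells out through cmd.exe, net.exe and net1.exe to stop MpsSvc (the Windows Firewall service), and it respawns its own image (PID 5092) after the parent (PID 1368) was flagged for SetThreadContext and WriteProcessMemory, the shape of process hollowing. Because the extracted C2 is 127.0.0.1:1604 (loopback), this build produces no outbound C2 traffic to alert on, so these host indicators are what remain. The following is an added example, not Tria.ge code or anything from the sample: the process events are constructed from the tree on this page, the per-process `api_flags` stand in for the sandbox's "Suspicious use of X" hits (on a real host they would come from EDR telemetry), and the service watchlist (WinDefend, wscsvc alongside MpsSvc) and the extra `sc stop` pattern are analyst assumptions that go beyond what the page shows.

```python
"""Host-based detections for the behaviours in this sandbox process tree:
security-service tampering (net stop MpsSvc) and self-spawn with injection
primitives (a process-hollowing indicator). Added example, not Tria.ge code."""
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    """One process-creation event. api_flags holds the sandbox's per-process
    'Suspicious use of X' hits; on a real host they would come from EDR telemetry."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    api_flags: set = field(default_factory=set)


# Constructed from the process tree on the report (PIDs, images, command lines, signature hits).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe"
EVENTS = [
    ProcEvent(1368, 0, SAMPLE, f'"{SAMPLE}"',
              {"SetThreadContext", "EnumeratesProcesses", "SetWindowsHookEx", "WriteProcessMemory"}),
    ProcEvent(2496, 1368, r"C:\Windows\SysWOW64\cmd.exe", "/c net stop MpsSvc", {"WriteProcessMemory"}),
    ProcEvent(4644, 2496, r"C:\Windows\SysWOW64\net.exe", "net stop MpsSvc", {"WriteProcessMemory"}),
    ProcEvent(5032, 4644, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 stop MpsSvc"),
    ProcEvent(2332, 1368, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
              r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe"',
              {"AdjustPrivilegeToken", "SetWindowsHookEx"}),
    ProcEvent(5092, 1368, SAMPLE, SAMPLE, {"AdjustPrivilegeToken"}),
]

# Analyst-chosen watchlist (assumption): MpsSvc is the service stopped on this page;
# WinDefend and wscsvc are other Windows security services commonly targeted the same way.
WATCHLIST = {"mpssvc", "windefend", "wscsvc"}
# Command wrappers that relay the action rather than originate it.
WRAPPERS = {"cmd.exe", "net.exe", "net1.exe", "sc.exe"}
# Matches 'net stop X', 'net1 stop X' and (beyond the page) 'sc stop X'.
STOP_RE = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)
# Both primitives on the parent plus a same-image child is the classic hollowing shape.
INJECT_APIS = {"SetThreadContext", "WriteProcessMemory"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def origin_pid(event: ProcEvent, by_pid: dict) -> int:
    """Walk up the tree past cmd/net/sc wrappers to the process that really issued the command."""
    cur = event
    while basename(cur.image) in WRAPPERS and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
    return cur.pid


def find_service_stops(events, watchlist=WATCHLIST):
    """Return one hit per process whose command line stops a watched service,
    attributing each to the non-wrapper ancestor that started the chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = STOP_RE.search(e.cmdline)
        if m and m.group(1).lower() in watchlist:
            hits.append({"pid": e.pid, "service": m.group(1), "origin_pid": origin_pid(e, by_pid)})
    return hits


def find_self_spawn_injection(events):
    """Return (parent_pid, child_pid) pairs where a parent flagged for thread-context and
    memory-write primitives spawned a child from its own image path."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent and parent.image.lower() == child.image.lower() and INJECT_APIS <= parent.api_flags:
            hits.append((parent.pid, child.pid))
    return hits


def triage(events):
    """Summarise both detections for the analyst, keyed by originating process."""
    stops = find_service_stops(events)
    return {
        "firewall_tamper_origins": sorted({h["origin_pid"] for h in stops}),
        "stopped_services": sorted({h["service"] for h in stops}),
        "hollowing_candidates": find_self_spawn_injection(events),
    }


if __name__ == "__main__":
    print(triage(EVENTS))
```

Run against the constructed tree, `triage` attributes all three `stop MpsSvc` events to PID 1368 (the sample) rather than to cmd.exe or net.exe, and reports (1368, 5092) as the hollowing candidate; the 808KB region at 0x400000 in PID 5092 listed under Downloads is the dump an analyst would pull to confirm the replaced image.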

Downloads

  • memory/1368-133-0x0000000002340000-0x0000000002344000-memory.dmp
    Filesize
    16KB
  • memory/5092-135-0x0000000000400000-0x00000000004CA000-memory.dmp
    Filesize
    808KB
  • memory/5092-136-0x0000000000400000-0x00000000004CA000-memory.dmp
    Filesize
    808KB
  • memory/5092-137-0x0000000000400000-0x00000000004CA000-memory.dmp
    Filesize
    808KB
  • memory/5092-139-0x0000000000400000-0x00000000004CA000-memory.dmp
    Filesize
    808KB
  • memory/5092-141-0x0000000000400000-0x00000000004CA000-memory.dmp
    Filesize
    808KB