Analysis

  • max time kernel
    151s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/10/2022, 16:21

General

  • Target

    8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe

  • Size

    349KB

  • MD5

    a18f9185d5ebc3a0aa7806b19e7ff6c0

  • SHA1

    c06b84b749a8e6c57651060c9f19572f4d9f5875

  • SHA256

    8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134

  • SHA512

    98ca350ab40187bd6c764cb7a9a9e18e30a56196d0f2be1f57ca417b1b8b865fd71fbc7150933a5ddb7069f969c8c5c1861d1d8225cfb7eef27ab5eeddc16eee

  • SSDEEP

    6144:CqLzGyzpKalLBQmByTIRb5K+WrxJA6AIsPSBD3FvbXB7oOdvkoOgVQKMkXIzcQj:RphltQEI+Gc6ANP0d7bv65k4zcQj

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-YTGAJF9

Attributes
  • InstallPath

    steam.exe

  • gencode

    nTQWxdykrfam

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    steam

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
    "C:\Users\Admin\AppData\Local\Temp\8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Users\Admin\AppData\Local\Temp\8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
      C:\Users\Admin\AppData\Local\Temp\8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4824
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134.exe" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:2544
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3736
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4716
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:2040
        • C:\Windows\SysWOW64\steam.exe
          "C:\Windows\system32\steam.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:932
          • C:\Windows\SysWOW64\steam.exe
            C:\Windows\SysWOW64\steam.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2208
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              5⤵
                PID:404

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SysWOW64\steam.exe

              Filesize

              349KB

              MD5

              a18f9185d5ebc3a0aa7806b19e7ff6c0

              SHA1

              c06b84b749a8e6c57651060c9f19572f4d9f5875

              SHA256

              8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134

              SHA512

              98ca350ab40187bd6c764cb7a9a9e18e30a56196d0f2be1f57ca417b1b8b865fd71fbc7150933a5ddb7069f969c8c5c1861d1d8225cfb7eef27ab5eeddc16eee

            • C:\Windows\SysWOW64\steam.exe

              Filesize

              349KB

              MD5

              a18f9185d5ebc3a0aa7806b19e7ff6c0

              SHA1

              c06b84b749a8e6c57651060c9f19572f4d9f5875

              SHA256

              8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134

              SHA512

              98ca350ab40187bd6c764cb7a9a9e18e30a56196d0f2be1f57ca417b1b8b865fd71fbc7150933a5ddb7069f969c8c5c1861d1d8225cfb7eef27ab5eeddc16eee

            • C:\Windows\SysWOW64\steam.exe

              Filesize

              349KB

              MD5

              a18f9185d5ebc3a0aa7806b19e7ff6c0

              SHA1

              c06b84b749a8e6c57651060c9f19572f4d9f5875

              SHA256

              8097556e0e17051497344454aea95ab1570c5c32a0947e05add17aee36411134

              SHA512

              98ca350ab40187bd6c764cb7a9a9e18e30a56196d0f2be1f57ca417b1b8b865fd71fbc7150933a5ddb7069f969c8c5c1861d1d8225cfb7eef27ab5eeddc16eee

            • memory/2056-135-0x0000000000600000-0x0000000000604000-memory.dmp

              Filesize

              16KB

            • memory/2208-157-0x0000000000400000-0x00000000004B7000-memory.dmp

              Filesize

              732KB

            • memory/2208-155-0x0000000000400000-0x00000000004B7000-memory.dmp

              Filesize

              732KB

            • memory/4824-133-0x0000000000400000-0x00000000004B7000-memory.dmp

              Filesize

              732KB

            • memory/4824-138-0x0000000000400000-0x00000000004B7000-memory.dmp

              Filesize

              732KB

            • memory/4824-137-0x0000000000400000-0x00000000004B7000-memory.dmp

              Filesize

              732KB

            • memory/4824-136-0x0000000000400000-0x00000000004B7000-memory.dmp

              Filesize

              732KB

            • memory/4824-156-0x0000000000400000-0x00000000004B7000-memory.dmp

              Filesize

              732KB

            • memory/4824-134-0x0000000000400000-0x00000000004B7000-memory.dmp

              Filesize

              732KB