Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2022, 21:51

General

  • Target

    71aea274979fc1275bacf5bcc1e7da6901171f9d7b695947fed085a553d2d994.exe

  • Size

    1.0MB

  • MD5

    a03ed43ace6d29aaecf9a6c13bdc7b86

  • SHA1

    065ecf33db60b29a7bdd79c216e212a474ea34e5

  • SHA256

    71aea274979fc1275bacf5bcc1e7da6901171f9d7b695947fed085a553d2d994

  • SHA512

    7525501194eeeee98ab0a7e666c076392481692877780bad88a09fdfa5d4937c58faaa299885a1bf6b14d008fc3b9dcddd91ba8ec1747e4e33499ed3ed74cb0b

  • SSDEEP

    24576:6Ljvo3mJoJji1lybDnmHOu5vnp9k0soC+juQAJcC:KjvoR9iDU0t5vIKju1c

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

cabronez.no-ip.org:1604

Mutex

DC_MUTEX-09463WY

Attributes
  • InstallPath

    Winlogin\Winlogin.exe

  • gencode

    BYJoRgU93ded

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Winlogin

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71aea274979fc1275bacf5bcc1e7da6901171f9d7b695947fed085a553d2d994.exe
    "C:\Users\Admin\AppData\Local\Temp\71aea274979fc1275bacf5bcc1e7da6901171f9d7b695947fed085a553d2d994.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\torrentz.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\torrentz.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3500
      • C:\Windows\SysWOW64\Winlogin\Winlogin.exe
        "C:\Windows\system32\Winlogin\Winlogin.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4612
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          4⤵
            PID:5016
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EPICBO~1.EXE
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EPICBO~1.EXE
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1864
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EPICBO~1.EXE
          "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EPICBO~1.EXE" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_32b0130" /pproc="71aea274979fc1275bacf5bcc1e7da6901171f9d7b695947fed085a553d2d994.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4824

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\EPICBO~1.EXE

            Filesize

            1.5MB

            MD5

            1d2465f3281f85b9bc381af61ec5e90c

            SHA1

            ea4dc3045cb82ec2338768a50096b69a59897f2a

            SHA256

            d9e7c18a223f47be40e376ef8024a0ec54e0a55af1c10c24dfe7d6e175bc61de

            SHA512

            12a9679e7aecc8b9f9b313fcf0d198a46b7cc4ea325fd67997c57212b7b6d1c54ecc34e42b647a30ddc4ded9c20a9ee3f254d64af955324bf4e5f129d9830ce0

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\torrentz.exe

            Filesize

            251KB

            MD5

            680618c64c9ee623220dcd327d74714a

            SHA1

            d96aba44d6427b7a875b57e8ac5484c92345f8b3

            SHA256

            c30a8a5ae4681f367e84e9660600dbad9345beef04a73cff210473ca1e30c32e

            SHA512

            353c930b04bb3ec389ef7f5536e63c225cdfdb18d9ef8a76ad7dc29e5e3ee51a0b34e78b977c08ffbebe0a55590f289df9bb0cfd13503f793b7f27a7610b064b

          • C:\Users\Admin\AppData\Local\Temp\pkg_32b0130\autorun.txt

            Filesize

            114B

            MD5

            c819368178ce1e40fd55c813340a597a

            SHA1

            81aef3fd883c52de4fe211f3e43f70137cbccdf6

            SHA256

            1334449583ff7823df9ba97e57bed51eaaba21eed4551e25b07794f1d48c3e31

            SHA512

            753ce58ed7b76de63f8d68bf95949dfd772e805d0ab514f2706d72b2d504fb53e9beadaed0d34d933fee4f98d3ea13172c8b3a0e391bcab639c3d70003ec71a7

          • C:\Users\Admin\AppData\Local\Temp\pkg_32b0130\wrapper.xml

            Filesize

            692B

            MD5

            44601e00ff712607d2a0b64de786d843

            SHA1

            5696d1604b564a38669035faf395f78c933d8717

            SHA256

            424ef303f88bcd0c6af1858cdacc0e3225545957fcb6c49110e39ff39b26b7f9

            SHA512

            7328a2db19fc89d43a4c6dac7338ebf71dfe418bf3bd5bf04966afa1cd76cc7c73daeea07496c7df425ad369f6b17ffcbdf3b2d5de7e7d70424621d9375b73d1

          • C:\Windows\SysWOW64\Winlogin\Winlogin.exe

            Filesize

            251KB

            MD5

            680618c64c9ee623220dcd327d74714a

            SHA1

            d96aba44d6427b7a875b57e8ac5484c92345f8b3

            SHA256

            c30a8a5ae4681f367e84e9660600dbad9345beef04a73cff210473ca1e30c32e

            SHA512

            353c930b04bb3ec389ef7f5536e63c225cdfdb18d9ef8a76ad7dc29e5e3ee51a0b34e78b977c08ffbebe0a55590f289df9bb0cfd13503f793b7f27a7610b064b

          • memory/3500-135-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

          • memory/3500-141-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

          • memory/4612-140-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

          • memory/4612-149-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB