Analysis

  • max time kernel
    151s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/10/2022, 09:53

General

  • Target
    5b91f5cb294f987aeeb2f60fbaf7a59b637ac9190b68d838de46dd56ee13c0ec.exe
  • Size
    854KB
  • MD5
    4c8396f8db1a485dc0b93651d8f7dbd0
  • SHA1
    ed5b2b872399519287c2a33f54ecd31337116711
  • SHA256
    5b91f5cb294f987aeeb2f60fbaf7a59b637ac9190b68d838de46dd56ee13c0ec
  • SHA512
    3d690b7664d6bb5d9c0c5fe17a02cd7450d717065e11a67cf4e13ffc5e3a0fe2a9836db48dfe8562eb83731c002f5fdc7882c9f1d73484da04496db9ce4f7f99
  • SSDEEP
    24576:OZ1xuVVjfFoynPaVBUR8f+kN10EBKACG9egjT+:uQDgok30B7ojT+

Malware Config

Extracted

  • Family
    darkcomet
  • Botnet
    Guest16
  • C2
    badzo.no-ip.org:80
  • Mutex
    DC_MUTEX-82MKNGT

Attributes

  • InstallPath
    system32\wuapp.exe
  • gencode
    Gr6dTPRj3EsY
  • install
    true
  • offline_keylogger
    true
  • persistence
    false
  • reg_key
    Microsoft Windows Update

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Modifies firewall policy service (2 TTPs, 3 IoCs)
  • Modifies security service (2 TTPs, 1 IoC)
  • Windows security bypass (2 TTPs, 2 IoCs)
  • Disables RegEdit via registry modification (1 IoC)
  • Disables Task Manager via registry modification
  • Executes dropped EXE (1 IoC)
  • Sets file to hidden (1 TTP, 2 IoCs)

    Modifies file attributes to stop it showing in Explorer etc.

  • Loads dropped DLL (2 IoCs)
  • Windows security modification (2 TTPs, 2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in System32 directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (46 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (43 IoCs)
  • System policy modification (1 TTP, 3 IoCs)
  • Views/modifies file attributes (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b91f5cb294f987aeeb2f60fbaf7a59b637ac9190b68d838de46dd56ee13c0ec.exe
    "C:\Users\Admin\AppData\Local\Temp\5b91f5cb294f987aeeb2f60fbaf7a59b637ac9190b68d838de46dd56ee13c0ec.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5b91f5cb294f987aeeb2f60fbaf7a59b637ac9190b68d838de46dd56ee13c0ec.exe" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:976
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\5b91f5cb294f987aeeb2f60fbaf7a59b637ac9190b68d838de46dd56ee13c0ec.exe" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:1464
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:1460
    • C:\Windows\SysWOW64\Gr6dTPRj3EsY\wuapp.exe
      "C:\Windows\system32\Gr6dTPRj3EsY\wuapp.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1152
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:1644
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1144

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\430041_10200579200140787_172179998_N.JPG
    Filesize: 113KB
    MD5: f5f03b370c669d5a70a059be0cf0d258
    SHA1: b4c8a8f90fe2a580f87ba3196090b2a85445dda0
    SHA256: b60eb8e1c771a685bba857e8022e0ab6d2796ad0bd8379ffbd2fa4190e21aa44
    SHA512: 018853b47dfb1805baf4e0efe0f293e626e4e2695e5776b62836157c293ba133814c50f387d748dfa1b2aaf8acb3abb9c9adc0efee37d8cf529c4a0a4ae63a52

  • C:\Windows\SysWOW64\Gr6dTPRj3EsY\wuapp.exe
    Filesize: 854KB
    MD5: 4c8396f8db1a485dc0b93651d8f7dbd0
    SHA1: ed5b2b872399519287c2a33f54ecd31337116711
    SHA256: 5b91f5cb294f987aeeb2f60fbaf7a59b637ac9190b68d838de46dd56ee13c0ec
    SHA512: 3d690b7664d6bb5d9c0c5fe17a02cd7450d717065e11a67cf4e13ffc5e3a0fe2a9836db48dfe8562eb83731c002f5fdc7882c9f1d73484da04496db9ce4f7f99

  • \Windows\SysWOW64\Gr6dTPRj3EsY\wuapp.exe
    Filesize: 854KB
    MD5: 4c8396f8db1a485dc0b93651d8f7dbd0
    SHA1: ed5b2b872399519287c2a33f54ecd31337116711
    SHA256: 5b91f5cb294f987aeeb2f60fbaf7a59b637ac9190b68d838de46dd56ee13c0ec
    SHA512: 3d690b7664d6bb5d9c0c5fe17a02cd7450d717065e11a67cf4e13ffc5e3a0fe2a9836db48dfe8562eb83731c002f5fdc7882c9f1d73484da04496db9ce4f7f99

  • memory/1080-54-0x0000000076411000-0x0000000076413000-memory.dmp
    Filesize: 8KB