Analysis

  • max time kernel
    156s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 09:54

General

  • Target

    e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe

  • Size

    834KB

  • MD5

    8063edbb84b65ca71acbdfd396f02ee0

  • SHA1

    f4b71aa3da3109419ea5182aec8e406e4326dbe7

  • SHA256

    e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc

  • SHA512

    52dd4c1a3eb4e34902f81a3fd6438b00a261834608978f16cbe71819e19b47e5903f33b84fc7a90a4d086b565a2f668c1d2fc0f3b93e6e55a8642a8d734d7a3b

  • SSDEEP

    12288:IxDivlXiaS+SKPXBGDWiJDEjL8M847EKdZz+XyiZ5IvyR8/YyBTdMCVInocFtCnY:IwNXpPX8DVDEEMvZzi+VTeDnNtu9+

Malware Config

Extracted

Family

darkcomet

Botnet

deneme

C2

127.0.0.1:6300

Mutex

DC_MUTEX-YMRNXXV

Attributes
  • gencode

    5mfVvT3mRv31

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
    "C:\Users\Admin\AppData\Local\Temp\e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Users\Admin\AppData\Local\Temp\e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
      C:\Users\Admin\AppData\Local\Temp\e8d72085c710dfa482c0b2b981a8c5d78fa0b919027624c614c6b45dcc29b4dc.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1164

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1164-135-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/1164-136-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/1164-137-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/1164-139-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/1164-141-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/1164-142-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/1164-143-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/1164-145-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/1164-146-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB