Overview

overview

10

Static

static

2702fe34d5...a2.exe

windows7-x64

10

2702fe34d5...a2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 14:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe

  • Size

    452KB

  • MD5

    7de9787876d0ecb71648f25bd1e5fc51

  • SHA1

    2bc2b1a2977b64eb22d069941a45abfe04d44622

  • SHA256

    2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2

  • SHA512

    347a214a9cfbbd799e1a0f11568959884909d9dbd9bafd8302859af9ab7c5a2bb5328a1f28260b1839f1dd6952197e02bd75cd5a09dec4026181857d8b2b4bc9

  • SSDEEP

    12288:6M5tnmfeuL8U3yoWwYLtfCgaNiAY8lIkd+:6M5p2nL8A8wYLgFNfj

Score
10/10
darkcometsureteypersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

suretey

C2

kaspanet.jed-group.com:1660

Mutex

DC_MUTEX-DW9F7R5

Attributes
  • gencode

    gagSQD1wwynQ

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
    "C:\Users\Admin\AppData\Local\Temp\2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Local\Temp\2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
      "C:\Users\Admin\AppData\Local\Temp\2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:1204
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Roaming\SunJava\JavaUpdata.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Roaming\SunJava\JavaUpdata.exe"
          3⤵
          • Modifies WinLogon for persistence
          PID:1156

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/948-63-0x00000000004B5670-mapping.dmp

      Download

    • memory/948-75-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/948-64-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/948-74-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/948-58-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/948-59-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/948-61-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/948-62-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/948-66-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/948-67-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/1156-71-0x0000000000000000-mapping.dmp

      Download

    • memory/1204-68-0x0000000000000000-mapping.dmp

      Download

    • memory/1988-55-0x0000000074270000-0x000000007481B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1988-56-0x00000000001B5000-0x00000000001C6000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1988-72-0x0000000074270000-0x000000007481B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1988-73-0x00000000001B5000-0x00000000001C6000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1988-57-0x0000000074270000-0x000000007481B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1988-54-0x0000000075281000-0x0000000075283000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2032-70-0x0000000000000000-mapping.dmp

      Download