Overview

overview

10

Static

static

49e75af507...1d.exe

windows7-x64

10

49e75af507...1d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    209s
  • max time network
    216s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 17:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49e75af5070d31e6e53a6bf37a509732fd8e61875e80e213704703ea3246171d.exe

  • Size

    2.8MB

  • MD5

    0173cc2be471cac926c6104a2e8b986a

  • SHA1

    ece1bcbb39f75fe8bc71801cca1bb1e6e2f030e5

  • SHA256

    49e75af5070d31e6e53a6bf37a509732fd8e61875e80e213704703ea3246171d

  • SHA512

    f6c6ea986a955390ee3470d8e887b428cb5d2043fd4d33fb24bd165d884e3e9a91c7fd231076225ab45b3ad85c466dca2ee536a0bb0c2804ee19e4aef1cb34ae

  • SSDEEP

    49152:QVjnLacAxQU/a6MWvnUq6hE5k6iBPQ7pGy05Z+sSdSLyXTX9ykYN+EiTAr:8D+cAxQUa6MWvnUq6hgkvBPuYywSXjXW

Score
10/10
darkcometdeforsguest16persistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

darkcometratt.no-ip.org:1604

Mutex

DC_MUTEX-WG0MMGJ

Attributes
  • gencode

    Rsl0xg3qg2h8

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

darkcomet

Botnet

DEFORS

C2

rsnoip.ddns.net:1997

Mutex

DCMIN_MUTEX-C5RDYJH

Attributes
  • gencode

    NToT30g4twDC

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49e75af5070d31e6e53a6bf37a509732fd8e61875e80e213704703ea3246171d.exe
    "C:\Users\Admin\AppData\Local\Temp\49e75af5070d31e6e53a6bf37a509732fd8e61875e80e213704703ea3246171d.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3852
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Windows\mata.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe "C:\Users\Admin\AppData\Local\Temp\Windows\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\Windows\mata2.bat
        3⤵
          PID:3440
      • C:\Users\Admin\AppData\Local\Temp\notepad .exe
        "C:\Users\Admin\AppData\Local\Temp\notepad .exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4036
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Windows\melt.bat
        2⤵
          PID:3724

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\File.exe
        Filesize

        658KB

        MD5

        dc18c395b4bc2ed84c73a92e24ec180f

        SHA1

        000d0ae05deb7cb68619042ef8bdfa2018eb74d0

        SHA256

        164c50a009fac9a4b478a34c06f46bddb707dd9960d7e83a776f29b64e4d8d0c

        SHA512

        a5315d65056c478ac1751b6e0f8f45dcc28912f4c895d91668ab9043d645e5b3037063f8204ff4c1e136689a2274b0d46301e09abd9c060d1d0c10f599c9bde7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\File.exe
        Filesize

        658KB

        MD5

        dc18c395b4bc2ed84c73a92e24ec180f

        SHA1

        000d0ae05deb7cb68619042ef8bdfa2018eb74d0

        SHA256

        164c50a009fac9a4b478a34c06f46bddb707dd9960d7e83a776f29b64e4d8d0c

        SHA512

        a5315d65056c478ac1751b6e0f8f45dcc28912f4c895d91668ab9043d645e5b3037063f8204ff4c1e136689a2274b0d46301e09abd9c060d1d0c10f599c9bde7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Windows\mata.bat
        Filesize

        63B

        MD5

        260efbd339dd3b0ab091d66df5cd3a16

        SHA1

        69d4e59b4e8edc557ee9b9a351576ea61f3092cc

        SHA256

        1d87c3291eda5b1fd8f3ff3fccb7efde33955fea4487369dfa23132f63e3b969

        SHA512

        cad75d955bb4ca61a8d2a9f5fac0c0ddc8fe97d05ad12850b2734efadb237b5310d4264745972f8a78b3918a90e23fba8d540fd64791eac8c3be9a5e50042812

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\notepad .exe
        Filesize

        34KB

        MD5

        e118330b4629b12368d91b9df6488be0

        SHA1

        ce90218c7e3b90df2a3409ec253048bb6472c2fd

        SHA256

        3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

        SHA512

        ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\notepad .exe
        Filesize

        34KB

        MD5

        e118330b4629b12368d91b9df6488be0

        SHA1

        ce90218c7e3b90df2a3409ec253048bb6472c2fd

        SHA256

        3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

        SHA512

        ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

        Download Submit

      • memory/1656-137-0x0000000000000000-mapping.dmp

        Download

      • memory/3416-136-0x0000000074750000-0x0000000074D01000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/3416-149-0x0000000074750000-0x0000000074D01000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/3416-132-0x0000000074750000-0x0000000074D01000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/3440-142-0x0000000000000000-mapping.dmp

        Download

      • memory/3724-148-0x0000000000000000-mapping.dmp

        Download

      • memory/3852-133-0x0000000000000000-mapping.dmp

        Download

      • memory/4036-140-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/4036-145-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/4036-147-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/4036-144-0x0000000000400000-0x00000000004B5000-memory.dmp

        Filesize

        724KB

        Download

      • memory/4036-139-0x0000000000000000-mapping.dmp

        Download