Overview

overview

10

Static

static

5

7ce12277d8...7b.exe

windows7-x64

10

7ce12277d8...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    165s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 20:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe

  • Size

    1.7MB

  • MD5

    4d1ae7a48b2d7d91f73660ff0e674e28

  • SHA1

    6e19115fec75bd5ea27d40a9c05158975c91d276

  • SHA256

    7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b

  • SHA512

    ce03d22a14e83a3c5aac63c4823ec3b2f6e7c5ef24fefcd3a21edfb785db3ce3ec207dffa0478292581f42e6cc4c03fcb0457bd6c3b9b6006bb0f1c0870d7943

  • SSDEEP

    49152:Kkwkn9IMHea+Wbpq0aPCS+88RQUF0sQEEfGTeB:ZdnVWWbgLPCEJlNnGeB

Score
10/10
darkcomet3009persistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

3009

C2

31.34.123.97:1604

Mutex

DC_MUTEX-AG0Z6VK

Attributes
  • InstallPath

    My picture\windll.exe

  • gencode

    KzwgPdBPhgWX

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    svchost

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe
    "C:\Users\Admin\AppData\Local\Temp\7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\SysWOW64\notepad.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:1556
        • C:\Users\Admin\Documents\My picture\windll.exe
          "C:\Users\Admin\Documents\My picture\windll.exe"
          3⤵
          • Executes dropped EXE
          PID:1408

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Documents\My picture\windll.exe
      Filesize

      175KB

      MD5

      d378bffb70923139d6a4f546864aa61c

      SHA1

      f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

      SHA256

      c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

      SHA512

      7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

      Download Submit

    • \Users\Admin\Documents\My picture\windll.exe
      Filesize

      175KB

      MD5

      d378bffb70923139d6a4f546864aa61c

      SHA1

      f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

      SHA256

      c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

      SHA512

      7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

      Download Submit

    • memory/848-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1236-67-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/1236-70-0x000000000048F888-mapping.dmp

      Download

    • memory/1236-62-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/1236-64-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/1236-65-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/1236-58-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/1236-69-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/1236-60-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/1236-71-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/1236-73-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/1236-55-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/1236-76-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/1236-56-0x0000000000400000-0x00000000004BA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/1408-78-0x0000000000000000-mapping.dmp

      Download

    • memory/1556-74-0x0000000000000000-mapping.dmp

      Download