Overview

overview

10

Static

static

5593d25697...11.exe

windows7-x64

10

5593d25697...11.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    171s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 02:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5593d25697e1ca127dd3ea72ef86a1df14ebcef6dab7f06da9ed3c8104c4db11.exe

  • Size

    1.1MB

  • MD5

    a69d7489bf86c0bcc6bf5b8a084ae781

  • SHA1

    89bd2b4f2aa013c7babcaf0fa35991cefd81b8da

  • SHA256

    5593d25697e1ca127dd3ea72ef86a1df14ebcef6dab7f06da9ed3c8104c4db11

  • SHA512

    937532d1018aa37e5c512067b3a52ddf3c6ff6f3f6ec883866e3a32b1615d9cbbc34483107d5db17f441454d15fcd9f4aa2ac4c17b3cfc58eecd2a9d6b8efb8b

  • SSDEEP

    12288:YNazwlQZGxtBB5rnYOvhzmT9venv4Fiq271BQ6qG/31kfVvU+42j8j9:YNqMQZI6Ove4nBBj1QP4g49

Score
10/10
darkcometnewest11persistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Newest11

C2

numberoneminecraft.serveminecraft.net:9001

Mutex

DC_MUTEX-NU7E6HS

Attributes
  • gencode

    tlNkFNx3gjhk

  • install

    false

  • offline_keylogger

    false

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5593d25697e1ca127dd3ea72ef86a1df14ebcef6dab7f06da9ed3c8104c4db11.exe
    "C:\Users\Admin\AppData\Local\Temp\5593d25697e1ca127dd3ea72ef86a1df14ebcef6dab7f06da9ed3c8104c4db11.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/764-132-0x0000000075580000-0x0000000075B31000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/764-138-0x0000000075580000-0x0000000075B31000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2164-133-0x0000000000000000-mapping.dmp
    Download
  • memory/2164-134-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/2164-135-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/2164-136-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/2164-137-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/2164-139-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

    Download