Overview

overview

10

Static

static

c6f88f6e99...91.exe

windows7-x64

10

c6f88f6e99...91.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 12:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6f88f6e9970a9e687ed73f78ef0a6b9f840d03d06b85db94ac8aba694a93391.exe

  • Size

    348KB

  • MD5

    654018f6195e1af931a8ab88de19b441

  • SHA1

    8749ed2f3d89011379877b237403f5e6c7a0a9ef

  • SHA256

    c6f88f6e9970a9e687ed73f78ef0a6b9f840d03d06b85db94ac8aba694a93391

  • SHA512

    7caaaff38f8219a1088648c1933f1b5c4c1930cfdadd28d71588d4fa3a5aa4a47dc9da6c85965649a9ad54a944280e6cb2aaa793399595048eb0ef1dc08d2227

  • SSDEEP

    6144:6CF0tb8Dbqz3MN2lLa5ntDgcHE6ek//Td/dn4wGup5A22wz/Pv:6PtQDbEPlLWntMcxZlLHA0z/Pv

Score
10/10
darkcometguest16_minpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

useles.no-ip.org:400

Mutex

DCMIN_MUTEX-RAVA06T

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    CCiMGGm9PEke

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 7 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6f88f6e9970a9e687ed73f78ef0a6b9f840d03d06b85db94ac8aba694a93391.exe
    "C:\Users\Admin\AppData\Local\Temp\c6f88f6e9970a9e687ed73f78ef0a6b9f840d03d06b85db94ac8aba694a93391.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
        "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
        3⤵
        • Executes dropped EXE
        PID:3764
    • C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe
      "C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:896
      • C:\Users\Admin\AppData\Roaming\Skype\bridgemigplugin.exe
        C:\Users\Admin\AppData\Roaming\Skype\bridgemigplugin.exe
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3548
        • C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe
          "C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe"
          4⤵
          • Executes dropped EXE
          PID:4592
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cscservice.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2080
      • C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe
        "C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2356
        • C:\Users\Admin\AppData\Roaming\Skype\bridgemigplugin.exe
          C:\Users\Admin\AppData\Roaming\Skype\bridgemigplugin.exe
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3384
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
            5⤵
              PID:2248
            • C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe
              "C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe"
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              PID:1580

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bridgemigplugin.exe.log
      Filesize

      319B

      MD5

      824ba7b7eed8b900a98dd25129c4cd83

      SHA1

      54478770b2158000ef365591d42977cb854453a1

      SHA256

      d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03

      SHA512

      ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\vrfauto.exe.log
      Filesize

      224B

      MD5

      c19eb8c8e7a40e6b987f9d2ee952996e

      SHA1

      6fc3049855bc9100643e162511673c6df0f28bfb

      SHA256

      677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a

      SHA512

      860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Skype\bridgemigplugin.exe
      Filesize

      348KB

      MD5

      654018f6195e1af931a8ab88de19b441

      SHA1

      8749ed2f3d89011379877b237403f5e6c7a0a9ef

      SHA256

      c6f88f6e9970a9e687ed73f78ef0a6b9f840d03d06b85db94ac8aba694a93391

      SHA512

      7caaaff38f8219a1088648c1933f1b5c4c1930cfdadd28d71588d4fa3a5aa4a47dc9da6c85965649a9ad54a944280e6cb2aaa793399595048eb0ef1dc08d2227

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Skype\bridgemigplugin.exe
      Filesize

      348KB

      MD5

      654018f6195e1af931a8ab88de19b441

      SHA1

      8749ed2f3d89011379877b237403f5e6c7a0a9ef

      SHA256

      c6f88f6e9970a9e687ed73f78ef0a6b9f840d03d06b85db94ac8aba694a93391

      SHA512

      7caaaff38f8219a1088648c1933f1b5c4c1930cfdadd28d71588d4fa3a5aa4a47dc9da6c85965649a9ad54a944280e6cb2aaa793399595048eb0ef1dc08d2227

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Skype\bridgemigplugin.exe
      Filesize

      348KB

      MD5

      654018f6195e1af931a8ab88de19b441

      SHA1

      8749ed2f3d89011379877b237403f5e6c7a0a9ef

      SHA256

      c6f88f6e9970a9e687ed73f78ef0a6b9f840d03d06b85db94ac8aba694a93391

      SHA512

      7caaaff38f8219a1088648c1933f1b5c4c1930cfdadd28d71588d4fa3a5aa4a47dc9da6c85965649a9ad54a944280e6cb2aaa793399595048eb0ef1dc08d2227

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Skype\bridgemigplugin.exe
      Filesize

      348KB

      MD5

      654018f6195e1af931a8ab88de19b441

      SHA1

      8749ed2f3d89011379877b237403f5e6c7a0a9ef

      SHA256

      c6f88f6e9970a9e687ed73f78ef0a6b9f840d03d06b85db94ac8aba694a93391

      SHA512

      7caaaff38f8219a1088648c1933f1b5c4c1930cfdadd28d71588d4fa3a5aa4a47dc9da6c85965649a9ad54a944280e6cb2aaa793399595048eb0ef1dc08d2227

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe
      Filesize

      22KB

      MD5

      b04d351044c855fcf49ece553f8fdc0e

      SHA1

      4461b34b469d1c7e7738136b41fcf334301f6cab

      SHA256

      eb0751bd2857fd287d5e9ec59b100cfa8fec37c2d0c62ed22e07711b4cc84301

      SHA512

      f9a17b8d071d28713a114158ed9eb626e162d651a006618876d598ad9fb49bc6d0f0c429964b7a33f8be97dc5ebbc4503505cb143a97fe1d1a87ab3b1676c2ed

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe
      Filesize

      22KB

      MD5

      b04d351044c855fcf49ece553f8fdc0e

      SHA1

      4461b34b469d1c7e7738136b41fcf334301f6cab

      SHA256

      eb0751bd2857fd287d5e9ec59b100cfa8fec37c2d0c62ed22e07711b4cc84301

      SHA512

      f9a17b8d071d28713a114158ed9eb626e162d651a006618876d598ad9fb49bc6d0f0c429964b7a33f8be97dc5ebbc4503505cb143a97fe1d1a87ab3b1676c2ed

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe
      Filesize

      22KB

      MD5

      b04d351044c855fcf49ece553f8fdc0e

      SHA1

      4461b34b469d1c7e7738136b41fcf334301f6cab

      SHA256

      eb0751bd2857fd287d5e9ec59b100cfa8fec37c2d0c62ed22e07711b4cc84301

      SHA512

      f9a17b8d071d28713a114158ed9eb626e162d651a006618876d598ad9fb49bc6d0f0c429964b7a33f8be97dc5ebbc4503505cb143a97fe1d1a87ab3b1676c2ed

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe
      Filesize

      22KB

      MD5

      b04d351044c855fcf49ece553f8fdc0e

      SHA1

      4461b34b469d1c7e7738136b41fcf334301f6cab

      SHA256

      eb0751bd2857fd287d5e9ec59b100cfa8fec37c2d0c62ed22e07711b4cc84301

      SHA512

      f9a17b8d071d28713a114158ed9eb626e162d651a006618876d598ad9fb49bc6d0f0c429964b7a33f8be97dc5ebbc4503505cb143a97fe1d1a87ab3b1676c2ed

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe
      Filesize

      22KB

      MD5

      b04d351044c855fcf49ece553f8fdc0e

      SHA1

      4461b34b469d1c7e7738136b41fcf334301f6cab

      SHA256

      eb0751bd2857fd287d5e9ec59b100cfa8fec37c2d0c62ed22e07711b4cc84301

      SHA512

      f9a17b8d071d28713a114158ed9eb626e162d651a006618876d598ad9fb49bc6d0f0c429964b7a33f8be97dc5ebbc4503505cb143a97fe1d1a87ab3b1676c2ed

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe
      Filesize

      22KB

      MD5

      b04d351044c855fcf49ece553f8fdc0e

      SHA1

      4461b34b469d1c7e7738136b41fcf334301f6cab

      SHA256

      eb0751bd2857fd287d5e9ec59b100cfa8fec37c2d0c62ed22e07711b4cc84301

      SHA512

      f9a17b8d071d28713a114158ed9eb626e162d651a006618876d598ad9fb49bc6d0f0c429964b7a33f8be97dc5ebbc4503505cb143a97fe1d1a87ab3b1676c2ed

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe
      Filesize

      22KB

      MD5

      b04d351044c855fcf49ece553f8fdc0e

      SHA1

      4461b34b469d1c7e7738136b41fcf334301f6cab

      SHA256

      eb0751bd2857fd287d5e9ec59b100cfa8fec37c2d0c62ed22e07711b4cc84301

      SHA512

      f9a17b8d071d28713a114158ed9eb626e162d651a006618876d598ad9fb49bc6d0f0c429964b7a33f8be97dc5ebbc4503505cb143a97fe1d1a87ab3b1676c2ed

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Skype\vrfauto.exe
      Filesize

      22KB

      MD5

      b04d351044c855fcf49ece553f8fdc0e

      SHA1

      4461b34b469d1c7e7738136b41fcf334301f6cab

      SHA256

      eb0751bd2857fd287d5e9ec59b100cfa8fec37c2d0c62ed22e07711b4cc84301

      SHA512

      f9a17b8d071d28713a114158ed9eb626e162d651a006618876d598ad9fb49bc6d0f0c429964b7a33f8be97dc5ebbc4503505cb143a97fe1d1a87ab3b1676c2ed

      Download Submit
    • C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      Filesize

      57KB

      MD5

      454501a66ad6e85175a6757573d79f8b

      SHA1

      8ca96c61f26a640a5b1b1152d055260b9d43e308

      SHA256

      7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

      SHA512

      9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

      Download Submit
    • C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      Filesize

      57KB

      MD5

      454501a66ad6e85175a6757573d79f8b

      SHA1

      8ca96c61f26a640a5b1b1152d055260b9d43e308

      SHA256

      7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

      SHA512

      9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

      Download Submit
    • memory/896-146-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/896-148-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/896-140-0x0000000000000000-mapping.dmp
      Download
    • memory/896-155-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1580-202-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1580-201-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1580-197-0x0000000000000000-mapping.dmp
      Download
    • memory/1732-137-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/1732-138-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/1732-136-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/1732-135-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/1732-134-0x0000000000000000-mapping.dmp
      Download
    • memory/1732-139-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/1732-147-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/1788-152-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1788-170-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1788-153-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1788-149-0x0000000000000000-mapping.dmp
      Download
    • memory/2080-173-0x0000000000000000-mapping.dmp
      Download
    • memory/2080-178-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2248-192-0x0000000000000000-mapping.dmp
      Download
    • memory/2248-200-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2312-190-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2312-157-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2312-169-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2312-154-0x0000000000000000-mapping.dmp
      Download
    • memory/2356-183-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2356-191-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2356-182-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2356-179-0x0000000000000000-mapping.dmp
      Download
    • memory/2496-132-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2496-133-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2496-156-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3384-184-0x0000000000000000-mapping.dmp
      Download
    • memory/3384-188-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3384-189-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3548-163-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/3548-162-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/3548-161-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/3548-158-0x0000000000000000-mapping.dmp
      Download
    • memory/3548-171-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/3764-142-0x0000000000000000-mapping.dmp
      Download
    • memory/4592-164-0x0000000000000000-mapping.dmp
      Download
    • memory/4592-168-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4592-172-0x00000000754F0000-0x0000000075AA1000-memory.dmp
      Filesize

      5.7MB

      Download