Overview

overview

10

Static

static

5

9402ae09e1...02.exe

windows7-x64

10

9402ae09e1...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    188s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    26/11/2022, 00:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9402ae09e16f32bf1e5fba3779badda2684f3987630d3502bd621fddbab2c102.exe

  • Size

    959KB

  • MD5

    2dcc4af23724792f0dc84360e39d53de

  • SHA1

    ca0d6bd307d29cdf522082d8eba3f154293ce2c8

  • SHA256

    9402ae09e16f32bf1e5fba3779badda2684f3987630d3502bd621fddbab2c102

  • SHA512

    9b61a50d09e7c10840952675ba1050700c8d0c5caeaed35f03099393666c7f5bdb9730724033a50a4243666edc4aab2ac2eb2e4a50fc98116fa1ceb5fc043250

  • SSDEEP

    24576:JRmJkcoQricOIQxiZY1iaJ6SZmMcxVZRHARCT:GJZoQrbTFZY1iaJ6SUBD3ARCT

Score
10/10
darkcometbot's3215evasionpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Bot's3215

C2

minibooba33250.no-ip.biz:1604

192.168.0.8:1604
Mutex

DC_MUTEX-V2WN5HL

Attributes
  • gencode

    Szv7dymDokVR

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\9402ae09e16f32bf1e5fba3779badda2684f3987630d3502bd621fddbab2c102.exe
    "C:\Users\Admin\AppData\Local\Temp\9402ae09e16f32bf1e5fba3779badda2684f3987630d3502bd621fddbab2c102.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:936
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:468
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\SysWOW64\svchost.exe" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in System32 directory
          • Views/modifies file attributes
          PID:1508
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:560
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\SysWOW64" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:1484
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:1892

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/316-64-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

            Download

          • memory/316-69-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

            Download

          • memory/316-56-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

            Download

          • memory/316-58-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

            Download

          • memory/316-59-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

            Download

          • memory/316-55-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

            Download

          • memory/316-61-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

            Download

          • memory/316-72-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

            Download

          • memory/316-63-0x0000000000400000-0x00000000004B7000-memory.dmp

            Filesize

            732KB

            Download

          • memory/936-54-0x0000000076941000-0x0000000076943000-memory.dmp

            Filesize

            8KB

            Download