Analysis

  • max time kernel
    44s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/11/2022, 12:38 UTC

General

  • Target

    ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe

  • Size

    1.1MB

  • MD5

    647c5dde7a82629ee388904031bfa96b

  • SHA1

    c73b8e712703e770d36b301fcf725fd0e6cb88f2

  • SHA256

    ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66

  • SHA512

    0bc9e989d3a27ef5ed2f1424fab902355c351ac40ecb613cb75a5d60ee295bcfdccd4840bf2f5eb2b15a53acd2cb5a6f37adb6d00e4e80e23268403243dfea5a

  • SSDEEP

    24576:QUKoN0bUxgGa/pfBHDb+y1LXPeCXuLKdsOT:TK1A6ze/KdX

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 13 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe
    "C:\Users\Admin\AppData\Local\Temp\ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:584
    • C:\Users\Admin\AppData\Local\Temp\ST.EXE
      "C:\Users\Admin\AppData\Local\Temp\ST.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Users\Admin\AppData\Local\Temp\ST.EXE
        /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
        3⤵
        • Executes dropped EXE
        PID:916
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1228
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 4
        3⤵
        • Runs ping.exe
        PID:1076
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\mssdcsc.exe
      "C:\Users\Admin\AppData\Local\Temp\MSDCSC\mssdcsc.exe"
      2⤵
      • Modifies security service
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies security service
        • Windows security bypass
        • Suspicious use of AdjustPrivilegeToken
        PID:1016

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSDCSC\mssdcsc.exe

    Filesize

    1.1MB

    MD5

    647c5dde7a82629ee388904031bfa96b

    SHA1

    c73b8e712703e770d36b301fcf725fd0e6cb88f2

    SHA256

    ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66

    SHA512

    0bc9e989d3a27ef5ed2f1424fab902355c351ac40ecb613cb75a5d60ee295bcfdccd4840bf2f5eb2b15a53acd2cb5a6f37adb6d00e4e80e23268403243dfea5a

  • C:\Users\Admin\AppData\Local\Temp\ST.EXE

    Filesize

    196KB

    MD5

    dc5705be7750d65884d7635861f9cb7d

    SHA1

    98d13661de10e746c3abf2758a61f363168f3b09

    SHA256

    413c860837e089e5a84a5519f6e7310785a47a0a2bbb85f6aa2fd5800edf915f

    SHA512

    daa99d665343bf82e202539f003519af64a9a700e59d3fd299afecbb97cafd8ebf96d276095a0d33f8f0d713ef5f051207eb4357863cf7950a81dc54ad3fc4bf

  • \Users\Admin\AppData\Local\Temp\MSDCSC\mssdcsc.exe

    Filesize

    1.1MB

    MD5

    647c5dde7a82629ee388904031bfa96b

    SHA1

    c73b8e712703e770d36b301fcf725fd0e6cb88f2

    SHA256

    ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66

    SHA512

    0bc9e989d3a27ef5ed2f1424fab902355c351ac40ecb613cb75a5d60ee295bcfdccd4840bf2f5eb2b15a53acd2cb5a6f37adb6d00e4e80e23268403243dfea5a

  • \Users\Admin\AppData\Local\Temp\ST.EXE

    Filesize

    196KB

    MD5

    dc5705be7750d65884d7635861f9cb7d

    SHA1

    98d13661de10e746c3abf2758a61f363168f3b09

    SHA256

    413c860837e089e5a84a5519f6e7310785a47a0a2bbb85f6aa2fd5800edf915f

    SHA512

    daa99d665343bf82e202539f003519af64a9a700e59d3fd299afecbb97cafd8ebf96d276095a0d33f8f0d713ef5f051207eb4357863cf7950a81dc54ad3fc4bf

  • memory/584-78-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB

  • memory/584-55-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB

  • memory/584-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

    Filesize

    8KB

  • memory/916-70-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/916-71-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/916-69-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/916-64-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/916-82-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/1508-81-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB
