Overview

overview

10

Static

static

b9b9f2edb6...5e.exe

windows7-x64

10

b9b9f2edb6...5e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28/11/2022, 03:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b9b9f2edb60ab5c21008910b03de4afe5337d5291ff7a18afff372968831ee5e.exe

  • Size

    1.0MB

  • MD5

    bb09720fe59805b07b4298fccae0ec26

  • SHA1

    69753eb1361c1408073658ddc88182c43dadcd1b

  • SHA256

    b9b9f2edb60ab5c21008910b03de4afe5337d5291ff7a18afff372968831ee5e

  • SHA512

    d48595b54d2864d2cb1ca29d23a67135af708f51f89f3441f30778b824d39dbe22387b65d8275346a8c806667701803bf82853b00ad81167b71a6c949489a72c

  • SSDEEP

    24576:2fna/BVJIRZ+9zlmSzFpIS+1AhQwhJ+BHJyco9M/eVAyG:2fudmKzlmSzFWS+1JiJ4pyNWUtG

Score
10/10
darkcometnewspreadrattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

NewSpread

C2

shqipe1.no-ip.info:1604

Mutex

DC_MUTEX-2F2DLGK

Attributes
  • gencode

    H59pxRy6hhJ5

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 1 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9b9f2edb60ab5c21008910b03de4afe5337d5291ff7a18afff372968831ee5e.exe
    "C:\Users\Admin\AppData\Local\Temp\b9b9f2edb60ab5c21008910b03de4afe5337d5291ff7a18afff372968831ee5e.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\UDsUGb.exe VSdfdu
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Users\Admin\AppData\Local\Temp\UDsUGb.exe
        C:\Users\Admin\AppData\Local\Temp\UDsUGb.exe VSdfdu
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1004
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\System32\svchost.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1364
          • C:\Windows\SysWOW64\svchost.exe
            "C:\Windows\SysWOW64\svchost.exe"
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1432
          • C:\Windows\SysWOW64\svchost.exe
            "C:\Windows\SysWOW64\svchost.exe"
            5⤵
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1096
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              6⤵
                PID:428
            • C:\Windows\SysWOW64\svchost.exe
              "C:\Windows\SysWOW64\svchost.exe"
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1912

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\UDsUGb.exe
            Filesize

            510KB

            MD5

            01d151ccd2a75bd713b8ce81d6509eb8

            SHA1

            c751680d504bece45dc84e363e9e976fe77a8eac

            SHA256

            a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

            SHA512

            8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\UDsUGb.exe
            Filesize

            510KB

            MD5

            01d151ccd2a75bd713b8ce81d6509eb8

            SHA1

            c751680d504bece45dc84e363e9e976fe77a8eac

            SHA256

            a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

            SHA512

            8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\VSdfdu
            Filesize

            10KB

            MD5

            89aa4f76a4ed978d2860f9c703e44995

            SHA1

            66f00e888bee9f6602c09f6fff7ef71b0d4fb514

            SHA256

            1f1212abc7cb895eb0c0ca5572ca6fe8830ffa659f6b3aad7bfcae2ca6d9ea90

            SHA512

            80fd0b97df29e60ca5c5281a6ba22684a6131f6d1c2d24f6eb6b660d6be2bd7d26cb5375aa30adb65ee247f5a85fc2b6424656f970bf4cff28ddadd18609be94

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\whnqBO.txt
            Filesize

            737KB

            MD5

            28c8e67b72b7fba7a03c6aea5afe96c0

            SHA1

            f121a85533727b63da713e7b656dd6801d0e1a78

            SHA256

            ba61e7b65751344520cf3096d8a270884a77a4e8631ac3f8e4e189fdbbdec7c0

            SHA512

            cb2602ed3888b7a6c5bebb35694a4b12d1ac826dad1e66ed486fff42d76b280c10865263a21fe4d91101f66738ed3a8e35a6f9bf7339280cc8ac4fddcaa8874b

            Download Submit

          • \Users\Admin\AppData\Local\Temp\UDsUGb.exe
            Filesize

            510KB

            MD5

            01d151ccd2a75bd713b8ce81d6509eb8

            SHA1

            c751680d504bece45dc84e363e9e976fe77a8eac

            SHA256

            a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

            SHA512

            8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

            Download Submit

          • memory/1096-116-0x0000000000400000-0x00000000004C7000-memory.dmp

            Filesize

            796KB

            Download

          • memory/1096-98-0x0000000000400000-0x00000000004C7000-memory.dmp

            Filesize

            796KB

            Download

          • memory/1364-63-0x0000000000400000-0x00000000004AB000-memory.dmp

            Filesize

            684KB

            Download

          • memory/1364-67-0x0000000000400000-0x00000000004AB000-memory.dmp

            Filesize

            684KB

            Download

          • memory/1364-70-0x0000000000400000-0x00000000004AB000-memory.dmp

            Filesize

            684KB

            Download

          • memory/1364-71-0x0000000000400000-0x00000000004AB000-memory.dmp

            Filesize

            684KB

            Download

          • memory/1364-74-0x0000000000400000-0x00000000004AB000-memory.dmp

            Filesize

            684KB

            Download

          • memory/1364-111-0x0000000000400000-0x00000000004AB000-memory.dmp

            Filesize

            684KB

            Download

          • memory/1364-66-0x0000000000400000-0x00000000004AB000-memory.dmp

            Filesize

            684KB

            Download

          • memory/1364-64-0x0000000000400000-0x00000000004AB000-memory.dmp

            Filesize

            684KB

            Download

          • memory/1432-75-0x0000000000400000-0x00000000004C7000-memory.dmp

            Filesize

            796KB

            Download

          • memory/1432-78-0x0000000000400000-0x00000000004C7000-memory.dmp

            Filesize

            796KB

            Download

          • memory/1432-82-0x0000000000400000-0x00000000004C7000-memory.dmp

            Filesize

            796KB

            Download

          • memory/1432-84-0x0000000000400000-0x00000000004C7000-memory.dmp

            Filesize

            796KB

            Download

          • memory/1432-85-0x0000000000400000-0x00000000004C7000-memory.dmp

            Filesize

            796KB

            Download

          • memory/1432-86-0x0000000000400000-0x00000000004C7000-memory.dmp

            Filesize

            796KB

            Download

          • memory/1432-80-0x0000000000400000-0x00000000004C7000-memory.dmp

            Filesize

            796KB

            Download

          • memory/1432-76-0x0000000000400000-0x00000000004C7000-memory.dmp

            Filesize

            796KB

            Download

          • memory/1432-115-0x0000000000400000-0x00000000004C7000-memory.dmp

            Filesize

            796KB

            Download

          • memory/1440-54-0x0000000076181000-0x0000000076183000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1912-113-0x0000000000400000-0x00000000004C7000-memory.dmp

            Filesize

            796KB

            Download

          • memory/1912-114-0x0000000000400000-0x00000000004C7000-memory.dmp

            Filesize

            796KB

            Download