Overview

overview

10

Static

static

c1e539ef1d...a5.exe

windows7-x64

10

c1e539ef1d...a5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    41s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2022 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1e539ef1d5ae993fa4c9058f4e2e6caf14e61226b349b191cdfa37e65b710a5.exe

  • Size

    1.1MB

  • MD5

    87f31938ba32ffe17ff1bbe96e076421

  • SHA1

    97487d29f1cf63559d87d31fc03c20b2b4e4a911

  • SHA256

    c1e539ef1d5ae993fa4c9058f4e2e6caf14e61226b349b191cdfa37e65b710a5

  • SHA512

    8b23fd6549f998142f7a64e260736ae6293b84451ad73a80da3597ec482feccf27bebe2be32f2c89b711244a9f370d640114cae7d3d2104153205703006fffcf

  • SSDEEP

    12288:pJIE4VW2o/LW0NHX68XU9sUX9T8+3M2UBvSwo9nKeK3wzuM/5Tdi77X9Z4YuL4:pSy/S0NPK1CWMTxkKeKAbdEX9Z4YuL4

Score
10/10
darkcometloveevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Love

C2

pet105.no-ip.biz:100

Mutex

DC_MUTEX-TNT8SFG

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    JJbwi9MArQ9S

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1e539ef1d5ae993fa4c9058f4e2e6caf14e61226b349b191cdfa37e65b710a5.exe
    "C:\Users\Admin\AppData\Local\Temp\c1e539ef1d5ae993fa4c9058f4e2e6caf14e61226b349b191cdfa37e65b710a5.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops autorun.inf file
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:936
    • C:\Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe
      C:\Users\Admin\AppData\Local\Temp\\plugtemp\vbc.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1552
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\plugtemp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1484
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\plugtemp" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1540
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        PID:748
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1108

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Kép0423.jpg
    Filesize

    52KB

    MD5

    d5c6f3f52b18415003b73c2cd1f19834

    SHA1

    4496e69730f13826ae2772269120d46c45a2f152

    SHA256

    86f76fea42393fc3cde5283c3d129208a604647b6b806e94dfb54577827022e4

    SHA512

    07adb088b2dc8ac23f44df5ceb706cd1477eff5f7f4f3d37709beaf5fd8e8149d772ede75bf1a83c2a4e35c2536cf82b614e9b2bfee72d9e8c787183a01bf285

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe
    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe
    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    Download Submit

  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    Download Submit

  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    Download Submit

  • \Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe
    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    Download Submit

  • \Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    Download Submit

  • memory/748-84-0x0000000000000000-mapping.dmp

    Download

  • memory/936-54-0x0000000076941000-0x0000000076943000-memory.dmp

    Filesize

    8KB

    Download

  • memory/936-75-0x0000000074A90000-0x000000007503B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/936-55-0x0000000074A90000-0x000000007503B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1484-80-0x0000000000000000-mapping.dmp

    Download

  • memory/1508-79-0x0000000000000000-mapping.dmp

    Download

  • memory/1540-82-0x0000000000000000-mapping.dmp

    Download

  • memory/1552-81-0x0000000000000000-mapping.dmp

    Download

  • memory/2000-64-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2000-77-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2000-74-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2000-72-0x000000000048F888-mapping.dmp

    Download

  • memory/2000-71-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2000-69-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2000-85-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2000-67-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2000-66-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2000-62-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2000-60-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2000-58-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2000-57-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download