Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-12-2022 07:04

General

  • Target

    879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe

  • Size

    1.5MB

  • MD5

    9f846304ca03af9cd8c24364305f51d6

  • SHA1

    bf0f159c9f477058f6f4b1af7c91b18a3bfc4d49

  • SHA256

    879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad

  • SHA512

    d61ca65e9f0fec86f049f23b9913f7c56440b522a9636641e167f51b24cec36f6260d96905ecac1fdc28c1669094d6e574dcaa70d04ad3c3060912f437f1c77f

  • SSDEEP

    24576:n/y/69r+q6e/2YeY+yTZ8h7IETl/GjNwBVSInELrKE0Wx8fglv/K:nKEiql2Y9iEGGjNxJXUIllv/K

Malware Config

Extracted

Family

darkcomet

Botnet

bot

C2

canardwc.zapto.org:1604

Mutex

DC_MUTEX-VSDJA8C

Attributes
  • gencode

    E9ARHzMPTXjL

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature tags it as likely ransomware behaviour; nothing else on this page reports file encryption, and for a RAT such as DarkComet drive enumeration is consistent with its built-in file manager.

  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
    "C:\Users\Admin\AppData\Local\Temp\879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1588
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
      2⤵
      • Executes dropped EXE
      PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1
  • Defense Evasion: Modify Registry (T1112), 1
  • Discovery: System Information Discovery (T1082), 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
    Filesize

    1.0MB

    MD5

    8a2b12a27fdf10348d290d79f9ec9e79

    SHA1

    13581a9f08ef3f16610ef14f3760b7d5bfdc4b38

    SHA256

    a5fa1c7ae5396a27a9e746062060535ed77c6acf06da1cf783656e0066ad770b

    SHA512

    4570dd1710895ea2de81c181bf1a015d4ef064cb5cfb536219f63ff07ba32030f3f1ec3b4574ad54f12a40bb719bd0798f7e22a6e7ac842f3966ad94067edfa3

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
    Filesize

    1.0MB

    MD5

    9378cd24a793c9b90fddf97d92d1b09c

    SHA1

    899eab9097900a28a294d0f63d480202b89be6fa

    SHA256

    775e2482bc8399f664d447887707a2b796f059dd531a83d299179a64f31fbf58

    SHA512

    600407dd8acacedac9415245492cf7a1e6f18418ef3faed72bf7c12579ad0616cc99278ba9b0988d8432c2d4d362a8059f02e4d95c9e7a85e660eace02c5cb12

  • memory/520-147-0x0000000000000000-mapping.dmp
  • memory/1588-139-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

  • memory/1588-142-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

  • memory/1588-145-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

  • memory/1588-141-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

  • memory/1588-138-0x0000000000000000-mapping.dmp
  • memory/1588-150-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

  • memory/1588-151-0x0000000000400000-0x00000000004B2000-memory.dmp
    Filesize

    712KB

  • memory/2864-144-0x0000000000400000-0x000000000067E000-memory.dmp
    Filesize

    2.5MB

  • memory/2864-146-0x0000000000400000-0x000000000067E000-memory.dmp
    Filesize

    2.5MB

  • memory/2864-135-0x0000000000000000-mapping.dmp