Overview

overview

10

Static

static

8

b00873e057...11.exe

windows7-x64

10

b00873e057...11.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    198s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2022 10:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411.exe

  • Size

    411KB

  • MD5

    8ad534532990d0621cf1786d380ae9dd

  • SHA1

    9c1ccd4ff0874f2912dadebd318bf44886d9f1f4

  • SHA256

    b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411

  • SHA512

    3a36a93740e2cd8805372522bfe7149802f0891977e2a0dbb2b50362966fa586e4854807bdabcdc9fdd34a40908d607343cfda1a2c27174b8aeaea4ee296c7dc

  • SSDEEP

    12288:mlghoSqHNJ/Jj0l5e7kurPQHr5wv1hlajScDlu:sg2HNb0lM7z0Wv6Dlu

Score
10/10
darkcometmainevasionrattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Main

C2

youknowwhat.zapto.org:8568

Mutex

DC_MUTEX-RSSVB20

Attributes
  • gencode

    1cfcWSgmK4PV

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 2 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411.exe
    "C:\Users\Admin\AppData\Local\Temp\b00873e05729f1a9924e57e66594cfda4af9869824ee3a5069aad9de0fc37411.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4232
    • C:\Users\Admin\AppData\Local\Temp\Stage2.exe
      "C:\Users\Admin\AppData\Local\Temp\Stage2.exe" x -y -oC:\Users\Admin\AppData\Local\Temp -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
      2⤵
      • Executes dropped EXE
      PID:4720
    • C:\Users\Admin\AppData\Local\Temp\Stage1.exe
      "C:\Users\Admin\AppData\Local\Temp\Stage1.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3108
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Stage1.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3924
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\Stage1.exe" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4316
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3444
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:64
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:3440

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Hidden Files and Directories

    2
    T1158

    Privilege Escalation

    Defense Evasion

    Hidden Files and Directories

    2
    T1158

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Stage1.exe
      Filesize

      691KB

      MD5

      c4d571eb966b037c2061aa29fb01943f

      SHA1

      f802ea85030ddfde9e642b7b38c9e28bb65c03e8

      SHA256

      3fd7ce3f71f9b39db14f25dffe37cbc64f7959e34ecedf6b2ae5139d46805ab0

      SHA512

      46899fbfe5bdeeb5043c205ca5e10c76e54a4c7976ec012d466a097b334502228485fc2b5343f97eaa40f2ef8f9120fa601b60dc8f6a53b7b8c41a8820ab8ab1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Stage1.exe
      Filesize

      691KB

      MD5

      c4d571eb966b037c2061aa29fb01943f

      SHA1

      f802ea85030ddfde9e642b7b38c9e28bb65c03e8

      SHA256

      3fd7ce3f71f9b39db14f25dffe37cbc64f7959e34ecedf6b2ae5139d46805ab0

      SHA512

      46899fbfe5bdeeb5043c205ca5e10c76e54a4c7976ec012d466a097b334502228485fc2b5343f97eaa40f2ef8f9120fa601b60dc8f6a53b7b8c41a8820ab8ab1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Stage2.exe
      Filesize

      364KB

      MD5

      955ec61291fa76ee822e2153f7fe6d51

      SHA1

      92502e7d90dffcfb116415c4972fcb348f4df3e3

      SHA256

      08dcd36115164e9d44cd2d28dd4e2ac89783f1246cdcde6ebc5f3a4e16752c96

      SHA512

      754c8e20539826ad207187e6bff2801faf106eef86fe0864992528d1b45e74e540002e7862202564cdec0733c0793dee839fbab7b5ab764c0dc3a7a9c41ab610

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Stage2.exe
      Filesize

      364KB

      MD5

      955ec61291fa76ee822e2153f7fe6d51

      SHA1

      92502e7d90dffcfb116415c4972fcb348f4df3e3

      SHA256

      08dcd36115164e9d44cd2d28dd4e2ac89783f1246cdcde6ebc5f3a4e16752c96

      SHA512

      754c8e20539826ad207187e6bff2801faf106eef86fe0864992528d1b45e74e540002e7862202564cdec0733c0793dee839fbab7b5ab764c0dc3a7a9c41ab610

      Download Submit
    • memory/64-145-0x0000000000000000-mapping.dmp
      Download
    • memory/3108-139-0x0000000000000000-mapping.dmp
      Download
    • memory/3440-143-0x0000000000000000-mapping.dmp
      Download
    • memory/3444-142-0x0000000000000000-mapping.dmp
      Download
    • memory/3924-141-0x0000000000000000-mapping.dmp
      Download
    • memory/4232-132-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/4316-144-0x0000000000000000-mapping.dmp
      Download
    • memory/4720-136-0x0000000000400000-0x0000000000443000-memory.dmp
      Filesize

      268KB

      Download
    • memory/4720-137-0x0000000000400000-0x0000000000443000-memory.dmp
      Filesize

      268KB

      Download
    • memory/4720-133-0x0000000000000000-mapping.dmp
      Download