Overview

overview

10

Static

static

c4211660f4...39.exe

windows7-x64

10

c4211660f4...39.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe

  • Size

    317KB

  • MD5

    178b94a462503845831cd0a6c3e3b500

  • SHA1

    99510e9b7abbfff7cc4097e51196ad801fc1d82d

  • SHA256

    c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339

  • SHA512

    ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf

  • SSDEEP

    6144:hzjAH9agPC3gLzeAyzhsv70s3QS8A7KQGNBZmUF4nHytzcc:xAdag1mAyzMxp8A7KQGNBZm3HOcc

Score
10/10
darkcomet24evasionpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

24

C2

127.0.0.1:1604

172.162.22.200:1604

remaxcheckings.no-ip.biz:1604
Mutex

DC_MUTEX-AT9WGLV

Attributes
  • InstallPath

    MSDCSC\remaxcheckings.exe

  • gencode

    WN5Nr6wiGseC

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    remaxcheckings

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 9 IoCs
    evasion
  • Modifies security service 2 TTPs 3 IoCs
    evasion
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 3 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 3 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe
    "C:\Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      /c net stop MpsSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1048
      • C:\Windows\SysWOW64\net.exe
        net stop MpsSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1328
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MpsSvc
          4⤵
            PID:1164
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        2⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Adds Run key to start application
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          3⤵
            PID:1324
        • C:\Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe
          C:\Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe
          2⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1244
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe" +s +h
            3⤵
              PID:1768
              • C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe" +s +h
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1600
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
              3⤵
                PID:2000
                • C:\Windows\SysWOW64\attrib.exe
                  attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
                  4⤵
                  • Sets file to hidden
                  • Views/modifies file attributes
                  PID:316
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                3⤵
                • Deletes itself
                PID:1352
              • C:\MSDCSC\remaxcheckings.exe
                "C:\MSDCSC\remaxcheckings.exe"
                3⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                PID:900
                • C:\Windows\SysWOW64\cmd.exe
                  /c net stop MpsSvc
                  4⤵
                    PID:1924
                    • C:\Windows\SysWOW64\net.exe
                      net stop MpsSvc
                      5⤵
                        PID:1948
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop MpsSvc
                          6⤵
                            PID:1992
                      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                        4⤵
                        • Modifies firewall policy service
                        • Modifies security service
                        • Windows security bypass
                        • Disables RegEdit via registry modification
                        • Adds Run key to start application
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2040
                      • C:\MSDCSC\remaxcheckings.exe
                        C:\MSDCSC\remaxcheckings.exe
                        4⤵
                        • Modifies firewall policy service
                        • Modifies security service
                        • Windows security bypass
                        • Disables RegEdit via registry modification
                        • Executes dropped EXE
                        • Windows security modification
                        • Adds Run key to start application
                        • System policy modification
                        PID:976

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Persistence

                Winlogon Helper DLL

                1
                T1004

                Modify Existing Service

                2
                T1031

                Hidden Files and Directories

                2
                T1158

                Registry Run Keys / Startup Folder

                1
                T1060

                Privilege Escalation

                Defense Evasion

                Modify Registry

                7
                T1112

                Disabling Security Tools

                2
                T1089

                Hidden Files and Directories

                2
                T1158

                Credential Access

                Discovery

                System Information Discovery

                1
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\MSDCSC\remaxcheckings.exe
                  Filesize

                  317KB

                  MD5

                  178b94a462503845831cd0a6c3e3b500

                  SHA1

                  99510e9b7abbfff7cc4097e51196ad801fc1d82d

                  SHA256

                  c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339

                  SHA512

                  ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf

                  Download Submit
                • C:\MSDCSC\remaxcheckings.exe
                  Filesize

                  317KB

                  MD5

                  178b94a462503845831cd0a6c3e3b500

                  SHA1

                  99510e9b7abbfff7cc4097e51196ad801fc1d82d

                  SHA256

                  c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339

                  SHA512

                  ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf

                  Download Submit
                • C:\MSDCSC\remaxcheckings.exe
                  Filesize

                  317KB

                  MD5

                  178b94a462503845831cd0a6c3e3b500

                  SHA1

                  99510e9b7abbfff7cc4097e51196ad801fc1d82d

                  SHA256

                  c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339

                  SHA512

                  ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe
                  Filesize

                  317KB

                  MD5

                  178b94a462503845831cd0a6c3e3b500

                  SHA1

                  99510e9b7abbfff7cc4097e51196ad801fc1d82d

                  SHA256

                  c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339

                  SHA512

                  ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\InstallDir\help.exe
                  Filesize

                  317KB

                  MD5

                  178b94a462503845831cd0a6c3e3b500

                  SHA1

                  99510e9b7abbfff7cc4097e51196ad801fc1d82d

                  SHA256

                  c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339

                  SHA512

                  ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf

                  Download Submit
                • \MSDCSC\remaxcheckings.exe
                  Filesize

                  317KB

                  MD5

                  178b94a462503845831cd0a6c3e3b500

                  SHA1

                  99510e9b7abbfff7cc4097e51196ad801fc1d82d

                  SHA256

                  c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339

                  SHA512

                  ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf

                  Download Submit
                • \Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe
                  Filesize

                  317KB

                  MD5

                  178b94a462503845831cd0a6c3e3b500

                  SHA1

                  99510e9b7abbfff7cc4097e51196ad801fc1d82d

                  SHA256

                  c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339

                  SHA512

                  ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf

                  Download Submit
                • memory/316-79-0x0000000000000000-mapping.dmp
                  Download
                • memory/900-81-0x0000000000000000-mapping.dmp
                  Download
                • memory/976-95-0x00000000004B5900-mapping.dmp
                  Download
                • memory/976-101-0x0000000000400000-0x00000000004B7000-memory.dmp
                  Filesize

                  732KB

                  Download
                • memory/1048-55-0x0000000000000000-mapping.dmp
                  Download
                • memory/1164-57-0x0000000000000000-mapping.dmp
                  Download
                • memory/1244-63-0x0000000000400000-0x00000000004B7000-memory.dmp
                  Filesize

                  732KB

                  Download
                • memory/1244-62-0x0000000000400000-0x00000000004B7000-memory.dmp
                  Filesize

                  732KB

                  Download
                • memory/1244-72-0x0000000000400000-0x00000000004B7000-memory.dmp
                  Filesize

                  732KB

                  Download
                • memory/1244-73-0x0000000000400000-0x00000000004B7000-memory.dmp
                  Filesize

                  732KB

                  Download
                • memory/1244-71-0x0000000000400000-0x00000000004B7000-memory.dmp
                  Filesize

                  732KB

                  Download
                • memory/1244-69-0x0000000000400000-0x00000000004B7000-memory.dmp
                  Filesize

                  732KB

                  Download
                • memory/1244-89-0x0000000000400000-0x00000000004B7000-memory.dmp
                  Filesize

                  732KB

                  Download
                • memory/1244-66-0x0000000000400000-0x00000000004B7000-memory.dmp
                  Filesize

                  732KB

                  Download
                • memory/1244-67-0x00000000004B5900-mapping.dmp
                  Download
                • memory/1244-65-0x0000000000400000-0x00000000004B7000-memory.dmp
                  Filesize

                  732KB

                  Download
                • memory/1324-58-0x0000000000000000-mapping.dmp
                  Download
                • memory/1328-56-0x0000000000000000-mapping.dmp
                  Download
                • memory/1352-76-0x0000000000000000-mapping.dmp
                  Download
                • memory/1600-78-0x0000000000000000-mapping.dmp
                  Download
                • memory/1724-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/1724-60-0x0000000000250000-0x0000000000254000-memory.dmp
                  Filesize

                  16KB

                  Download
                • memory/1768-74-0x0000000000000000-mapping.dmp
                  Download
                • memory/1924-86-0x0000000000000000-mapping.dmp
                  Download
                • memory/1948-87-0x0000000000000000-mapping.dmp
                  Download
                • memory/1992-88-0x0000000000000000-mapping.dmp
                  Download
                • memory/2000-75-0x0000000000000000-mapping.dmp
                  Download