Overview

overview

10

Static

static

c4211660f4...39.exe

windows7-x64

10

c4211660f4...39.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2022 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe

  • Size

    317KB

  • MD5

    178b94a462503845831cd0a6c3e3b500

  • SHA1

    99510e9b7abbfff7cc4097e51196ad801fc1d82d

  • SHA256

    c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339

  • SHA512

    ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf

  • SSDEEP

    6144:hzjAH9agPC3gLzeAyzhsv70s3QS8A7KQGNBZmUF4nHytzcc:xAdag1mAyzMxp8A7KQGNBZm3HOcc

Score
10/10
darkcomet24evasionpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

24

C2

127.0.0.1:1604

172.162.22.200:1604

remaxcheckings.no-ip.biz:1604
Mutex

DC_MUTEX-AT9WGLV

Attributes
  • InstallPath

    MSDCSC\remaxcheckings.exe

  • gencode

    WN5Nr6wiGseC

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    remaxcheckings

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 9 IoCs
    evasion
  • Modifies security service 2 TTPs 3 IoCs
    evasion
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 3 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 3 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe
    "C:\Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      /c net stop MpsSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\net.exe
        net stop MpsSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2080
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MpsSvc
          4⤵
            PID:5020
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        2⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Adds Run key to start application
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4108
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          3⤵
            PID:4992
        • C:\Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe
          C:\Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe
          2⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Checks computer location settings
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3972
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe" +s +h
            3⤵
              PID:4808
              • C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe" +s +h
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1908
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
              3⤵
                PID:3224
                • C:\Windows\SysWOW64\attrib.exe
                  attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
                  4⤵
                  • Sets file to hidden
                  • Views/modifies file attributes
                  PID:3596
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                3⤵
                  PID:3240
                • C:\MSDCSC\remaxcheckings.exe
                  "C:\MSDCSC\remaxcheckings.exe"
                  3⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  PID:628
                  • C:\Windows\SysWOW64\cmd.exe
                    /c net stop MpsSvc
                    4⤵
                      PID:3932
                      • C:\Windows\SysWOW64\net.exe
                        net stop MpsSvc
                        5⤵
                          PID:2868
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop MpsSvc
                            6⤵
                              PID:380
                        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                          4⤵
                          • Modifies firewall policy service
                          • Modifies security service
                          • Windows security bypass
                          • Disables RegEdit via registry modification
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3960
                        • C:\MSDCSC\remaxcheckings.exe
                          C:\MSDCSC\remaxcheckings.exe
                          4⤵
                          • Modifies firewall policy service
                          • Modifies security service
                          • Windows security bypass
                          • Disables RegEdit via registry modification
                          • Executes dropped EXE
                          • Windows security modification
                          • Adds Run key to start application
                          • System policy modification
                          PID:1800

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Persistence

                  Winlogon Helper DLL

                  1
                  T1004

                  Modify Existing Service

                  2
                  T1031

                  Hidden Files and Directories

                  2
                  T1158

                  Registry Run Keys / Startup Folder

                  1
                  T1060

                  Privilege Escalation

                  Defense Evasion

                  Modify Registry

                  7
                  T1112

                  Disabling Security Tools

                  2
                  T1089

                  Hidden Files and Directories

                  2
                  T1158

                  Credential Access

                  Discovery

                  Query Registry

                  1
                  T1012

                  System Information Discovery

                  2
                  T1082

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\MSDCSC\remaxcheckings.exe
                    Filesize

                    317KB

                    MD5

                    178b94a462503845831cd0a6c3e3b500

                    SHA1

                    99510e9b7abbfff7cc4097e51196ad801fc1d82d

                    SHA256

                    c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339

                    SHA512

                    ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf

                    Download Submit
                  • C:\MSDCSC\remaxcheckings.exe
                    Filesize

                    317KB

                    MD5

                    178b94a462503845831cd0a6c3e3b500

                    SHA1

                    99510e9b7abbfff7cc4097e51196ad801fc1d82d

                    SHA256

                    c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339

                    SHA512

                    ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf

                    Download Submit
                  • C:\MSDCSC\remaxcheckings.exe
                    Filesize

                    317KB

                    MD5

                    178b94a462503845831cd0a6c3e3b500

                    SHA1

                    99510e9b7abbfff7cc4097e51196ad801fc1d82d

                    SHA256

                    c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339

                    SHA512

                    ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339.exe
                    Filesize

                    317KB

                    MD5

                    178b94a462503845831cd0a6c3e3b500

                    SHA1

                    99510e9b7abbfff7cc4097e51196ad801fc1d82d

                    SHA256

                    c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339

                    SHA512

                    ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\InstallDir\help.exe
                    Filesize

                    317KB

                    MD5

                    178b94a462503845831cd0a6c3e3b500

                    SHA1

                    99510e9b7abbfff7cc4097e51196ad801fc1d82d

                    SHA256

                    c4211660f42c1a72369c64c614ae994836bc501040058521cfc07383cadae339

                    SHA512

                    ee4ee70924bf2221de983527cbc3b6d10c2962d0f0f046efe523088bf51df0da0de0c5a8a56e8c6958167e32052201b789eeff2cc989d2333760e9549e0465cf

                    Download Submit
                  • memory/380-155-0x0000000000000000-mapping.dmp
                    Download
                  • memory/628-149-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1800-157-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1800-163-0x0000000000400000-0x00000000004B7000-memory.dmp
                    Filesize

                    732KB

                    Download
                  • memory/1908-148-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2080-133-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2180-134-0x00000000021F0000-0x00000000021F4000-memory.dmp
                    Filesize

                    16KB

                    Download
                  • memory/2516-132-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2868-154-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3224-145-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3240-146-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3596-147-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3932-153-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3972-143-0x0000000000400000-0x00000000004B7000-memory.dmp
                    Filesize

                    732KB

                    Download
                  • memory/3972-141-0x0000000000400000-0x00000000004B7000-memory.dmp
                    Filesize

                    732KB

                    Download
                  • memory/3972-140-0x0000000000400000-0x00000000004B7000-memory.dmp
                    Filesize

                    732KB

                    Download
                  • memory/3972-139-0x0000000000400000-0x00000000004B7000-memory.dmp
                    Filesize

                    732KB

                    Download
                  • memory/3972-156-0x0000000000400000-0x00000000004B7000-memory.dmp
                    Filesize

                    732KB

                    Download
                  • memory/3972-137-0x0000000000400000-0x00000000004B7000-memory.dmp
                    Filesize

                    732KB

                    Download
                  • memory/3972-136-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4808-144-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4992-142-0x0000000000000000-mapping.dmp
                    Download
                  • memory/5020-135-0x0000000000000000-mapping.dmp
                    Download