Overview

overview

10

Static

static

4123a31a7b...5f.exe

windows7-x64

10

4123a31a7b...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 02:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe

  • Size

    772KB

  • MD5

    68e8582308a2f05401ef6d076facd012

  • SHA1

    2b2c9ed47453a7b8ef988da3d74af01e6d4340e6

  • SHA256

    4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f

  • SHA512

    14bd663c9c9ee8f4ac12774a14fd7a33108cf1fe7fed7afc8730719585e00521c4b12f03c5aba993f0ce98b6532794163b69c5a8bed84f71965c2d3f6e4fdcbc

  • SSDEEP

    12288:7CuQHZyt8xPBhU2BNt1tBPOVsoaDWal2fdFP/Jh+xD6ikf:7CBxZjBl2DaOfTnbYW5f

Score
10/10
darkcometgiriamoevasionrattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

giriamo

C2

178.239.178.177:200

Mutex

DC_MUTEX-MBX97KS

Attributes
  • gencode

    RTdAVRUtBLYH

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe
    "C:\Users\Admin\AppData\Local\Temp\4123a31a7bc25e6a62bc2a0b63a09f123c8e357bdfd5c4e7f183e7f010149f5f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\AppLunch\WinUpdate.exe
      C:\Users\Admin\AppData\Local\Temp\\AppLunch\WinUpdate.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\AppLunch\WinUpdate.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\AppLunch\WinUpdate.exe" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:316
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\AppLunch" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1012
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\AppLunch" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1100
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:832
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1952

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Hidden Files and Directories

    2
    T1158

    Privilege Escalation

    Defense Evasion

    Hidden Files and Directories

    2
    T1158

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\487436_494555917273809_1558112035_N.JPG
      Filesize

      18KB

      MD5

      13c2d008789cd754f9be4e88b07e66b5

      SHA1

      bf2cd3b19ac27b59115761bc0f451aace0467ae7

      SHA256

      7a0ff3bc01cab8f1afd116473965076b3c5071f92523c4dc3aa968a8e9cfb3e5

      SHA512

      151d75e7843009e81cd5f6c49e4f46087999ce4525e177db83c716840dcaa937dc6e8b2624e4ef3112ded3f7d9d2e9ca9410765908337ec02380e6a6f84deab7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\AppLunch\WinUpdate.exe
      Filesize

      1.1MB

      MD5

      34aa912defa18c2c129f1e09d75c1d7e

      SHA1

      9c3046324657505a30ecd9b1fdb46c05bde7d470

      SHA256

      6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

      SHA512

      d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\AppLunch\WinUpdate.exe
      Filesize

      1.1MB

      MD5

      34aa912defa18c2c129f1e09d75c1d7e

      SHA1

      9c3046324657505a30ecd9b1fdb46c05bde7d470

      SHA256

      6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

      SHA512

      d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

      Download Submit
    • \Users\Admin\AppData\Local\Temp\AppLunch\WinUpdate.exe
      Filesize

      1.1MB

      MD5

      34aa912defa18c2c129f1e09d75c1d7e

      SHA1

      9c3046324657505a30ecd9b1fdb46c05bde7d470

      SHA256

      6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

      SHA512

      d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

      Download Submit
    • memory/316-82-0x0000000000000000-mapping.dmp
      Download
    • memory/580-62-0x0000000000400000-0x00000000004B6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/580-76-0x0000000000400000-0x00000000004B6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/580-90-0x0000000000400000-0x00000000004B6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/580-64-0x0000000000400000-0x00000000004B6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/580-66-0x0000000000400000-0x00000000004B6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/580-69-0x0000000000400000-0x00000000004B6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/580-68-0x0000000000400000-0x00000000004B6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/580-71-0x0000000000400000-0x00000000004B6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/580-74-0x000000000048F888-mapping.dmp
      Download
    • memory/580-73-0x0000000000400000-0x00000000004B6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/580-59-0x0000000000400000-0x00000000004B6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/580-60-0x0000000000400000-0x00000000004B6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/580-78-0x0000000000400000-0x00000000004B6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/580-84-0x0000000000400000-0x00000000004B6000-memory.dmp
      Filesize

      728KB

      Download
    • memory/832-87-0x0000000000000000-mapping.dmp
      Download
    • memory/1012-81-0x0000000000000000-mapping.dmp
      Download
    • memory/1100-83-0x0000000000000000-mapping.dmp
      Download
    • memory/1260-56-0x0000000074C90000-0x000000007523B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1260-57-0x00000000003B5000-0x00000000003C6000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1260-55-0x0000000074C90000-0x000000007523B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1260-89-0x00000000003B5000-0x00000000003C6000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1260-54-0x0000000075C41000-0x0000000075C43000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1592-80-0x0000000000000000-mapping.dmp
      Download