Overview

overview

10

Static

static

10

1.exe

windows7-x64

1

400.exe

windows7-x64

10

Chase_Bank...or.exe

windows7-x64

10

ChromeSoft.exe

windows7-x64

7

Fake Windo...er.exe

windows7-x64

4

Injector(v_5.24).exe

windows7-x64

8

RCE.exe

windows7-x64

10

TemD.exe

windows7-x64

10

best.exe

windows7-x64

10

btf.exe

windows7-x64

8

build.exe

windows7-x64

6

crypted.exe

windows7-x64

1

download.exe

windows7-x64

7

dp.exe

windows7-x64

7

etbnoc.exe

windows7-x64

1

fran.exe

windows7-x64

10

fud.exe

windows7-x64

1

gift_generator.exe

windows7-x64

7

lol.exe

windows7-x64

10

mt20200012.exe

windows7-x64

1

nopax.exe

windows7-x64

10

porn.jpg.exe

windows7-x64

1

putty.exe

windows7-x64

10

t.exe

windows7-x64

10

vnc.exe

windows7-x64

7

yk.exe

windows7-x64

10

zztop.exe

windows7-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    14/12/2023, 01:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RCE.exe

  • Size

    586KB

  • MD5

    bc2c57458db20a2a2d4ea99b3f5b8d37

  • SHA1

    25e08e1ee03372c5ce2f14fde486eee8bf6d6669

  • SHA256

    af6ea3e8d3f391d34464e30e2622162b417050345b429fb7553ff57d2c168be1

  • SHA512

    62ba9a5a19ff048eeebf3b611d83cdc3ac78805adc03751c30d5c530f4542f94fb0216d52c4ba94dbe3dc81604f6074c45c22ddc306891a994fabe6fdc923132

  • SSDEEP

    12288:uh1Lk70TnvjcQ+QSUofDRJsaVZ/OP4400KBIqLdMQT:ik70TrcQWHsgdZBISrT

Score
10/10
darkcomethackerevasionpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

hacker

C2

snatchfou.zapto.org:1604

Mutex

DC_MUTEX-EAGMYFG

Attributes
  • gencode

    QwbT0i9M7Prw

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\RCE.exe
    "C:\Users\Admin\AppData\Local\Temp\RCE.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\WinWork.exe
      C:\Users\Admin\AppData\Local\Temp\WinWork.exe
      2⤵
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:2860
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2720
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\WinWork.exe" +s +h
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2716
    • C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\WinWork.exe" +s +h
      1⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2580
    • C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      1⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2568

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\WinWork.exe
      Filesize

      353KB

      MD5

      83a0b65adb6c4062b5cbf3e72180e241

      SHA1

      6011b9b6d3c451cb2bd49c4ce10f486bc255ed94

      SHA256

      81e230ad0eb8480fb890694a360dc2aa2baa2087c82b0ddfcc06d633b4673d63

      SHA512

      6be941dde69cf747703add8309d538b009b759f66fdaa4675b26d0fb4a5d84846480f832940d02d4d19c0be847ccd05afbf93b3f70200ea9ef323a923fa58310

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\WinWork.exe
      Filesize

      183KB

      MD5

      0e73186e069f5bfda71e8bf15cc2aca7

      SHA1

      d4373a0b9d50b06a76e4401c72566e8bb9546ea4

      SHA256

      8fa23d33d27a77f857db5612e75b59fc975a5dc40d7b71cc68f800188a399e1b

      SHA512

      f381614270d673aed0596b3fc9b70b7b4e4c4c125696de20e1e828686efe5bd8129d35c7151943568186ac7e4500574da2d5177dacdb715804cdbcdb93e84790

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\WinWork.exe
      Filesize

      474KB

      MD5

      4bb9776d4b77739bfb56e9b5bc52c19f

      SHA1

      056ce9bac679095ace185b698870b27862af9038

      SHA256

      c1c7d9acfdf95386dc17339d4b03ef0915c8cdad77729683eaea1d31923dde4e

      SHA512

      fc1ec9a7767907499df2335af1043a3f0c6f686e25851a303cfbb68a927c0d606b6bc8a3173c3c06494573add8a4de1ccae721d7368c3edba60e99d3c4c40016

      Download Submit

    • \Users\Admin\AppData\Local\Temp\WinWork.exe
      Filesize

      442KB

      MD5

      8059b4a49e6af024ec9b306985f3bfbf

      SHA1

      dfeac34f13a7f8d16b40122eb85403c866a08499

      SHA256

      8c952dc22c9f2a972681763f8e2156cf87375d3696a96a2bfa1046ad04963c40

      SHA512

      cfc9694b23620090aa350c90a9058c17a837d95d4ccdd29a2c70c4cf6fb095153508747d8df84faa5a42175f7170cff877f12aaa945f82a9900bd86a212d69c6

      Download Submit

    • memory/2128-1-0x0000000074E50000-0x00000000753FB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2128-2-0x0000000074E50000-0x00000000753FB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2128-3-0x0000000002090000-0x00000000020D0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2128-11-0x0000000005610000-0x00000000056BA000-memory.dmp

      Filesize

      680KB

      Download

    • memory/2128-57-0x0000000074E50000-0x00000000753FB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2128-0-0x0000000000400000-0x00000000004AA000-memory.dmp

      Filesize

      680KB

      Download

    • memory/2448-56-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-65-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-16-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-17-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-14-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-18-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2448-20-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-73-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-10-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-55-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-13-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-72-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-58-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-59-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-60-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-61-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-62-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-63-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-64-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-15-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-66-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-67-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-68-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-69-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-70-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2448-71-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

      Download

    • memory/2860-21-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2860-54-0x00000000002C0000-0x00000000002C1000-memory.dmp

      Filesize

      4KB

      Download