Overview

overview

10

Static

static

3

075448d611...9a.exe

windows7-x64

10

075448d611...9a.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    121s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 05:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    075448d611663baa510daefcb583469a.exe

  • Size

    548KB

  • MD5

    075448d611663baa510daefcb583469a

  • SHA1

    c523655c92dbcc28b1a1fb2dd1f95e4333597f49

  • SHA256

    6d0ce472e07e0bcedad9f932e82512e2f4dd3db90afa0b7004d736b4b7fe7672

  • SHA512

    4caf88720b3d2306e2e006ca9bbc12373d9b088c09218c642feaf142023265fa9bbf0b057e86225adb8799b35d3070d9560709b198c4fea182b6047d161435ec

  • SSDEEP

    12288:HC8+l4wxUipjq5+Mou292BPMusotX6rwzW6XVFJ04qp4OsYOhg59AoWmO:Kq292BPTf0npPv4mO

Score
10/10
darkcometslavepersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

C2

darkcometramon.zapto.org:1604

Mutex

DC_MUTEX-WACNQ32

Attributes
  • InstallPath

    MSDCSC\Update.exe

  • gencode

    1Zo5tGcdvz3w

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    WindowsUpdater

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe
    "C:\Users\Admin\AppData\Local\Temp\075448d611663baa510daefcb583469a.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\vbc.exe
      C:\Users\Admin\AppData\Local\Temp\vbc.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe
        "C:\Users\Admin\AppData\Roaming\MSDCSC\Update.exe"
        3⤵
        • Executes dropped EXE
        PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

2
T1112

Scripting

1
T1064

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2748-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2748-24-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/2748-35-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/2748-9-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/2748-13-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/2748-22-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/2748-19-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/2748-21-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/2748-25-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2748-18-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/2748-16-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/2748-11-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/2748-23-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/3016-2-0x0000000000A20000-0x0000000000A60000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3016-1-0x0000000074610000-0x0000000074BBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3016-20-0x0000000074610000-0x0000000074BBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3016-0-0x0000000074610000-0x0000000074BBB000-memory.dmp
    Filesize

    5.7MB

    Download