Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-12-2023 21:23

General

  • Target

    f9197d5a2e2d7a2b2f80bb387f7d2c28.exe

  • Size

    1.2MB

  • MD5

    f9197d5a2e2d7a2b2f80bb387f7d2c28

  • SHA1

    4852766feb4948903bc09c9a493bf0f0398c0095

  • SHA256

    5bfa91a23214f1a4bba7efffd224e5fdde2e7b69ecd9fe286b62451585c577a9

  • SHA512

    6a53efdd665ccc6cc0bcd287809326ec9af28b584d14bf448d944fdbca27abde5362353c5793277bd29cffb79a322d034721d120060574aa667335551eff8718

  • SSDEEP

    24576:Y2O/GlDHqFHHVDFNEzQbCG3/QJfSPXYuTfx8n2VuFSWVxNu:nHUYQjQhUo0WbsGxQ

Malware Config

Extracted

Family

darkcomet

Botnet

NEWBABY2

C2

dcthings.changeip.org:988

Mutex

DC_MUTEX-HMSY2RH

Attributes
  • gencode

    a2CQEonCR87h

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9197d5a2e2d7a2b2f80bb387f7d2c28.exe
    "C:\Users\Admin\AppData\Local\Temp\f9197d5a2e2d7a2b2f80bb387f7d2c28.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Users\Admin\85yd658866kut\ppirvcydqcw.exe
      "C:\Users\Admin\85yd658866kut\ppirvcydqcw.exe" qzkhxqu
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        3⤵
        PID:4204
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\85YD65~1\run.vbs"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4236
          • C:\Users\Admin\85yd658866kut\ppirvcydqcw.exe
            "C:\Users\Admin\85yd658866kut\ppirvcydqcw.exe" qzkhxqu
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4248
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2188

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\85YD65~1\run.vbs

      Filesize

      91B

      MD5

      4ba0f257cfecca4d4aa9ba86c64f5445

      SHA1

      21f9ba7919df0ab397ca4576582ffa9dfe062f3c

      SHA256

      89ffd3ac7e3c3a2e6a1e34fb9dc5ab4cd06efc81b2a06701227654632de93e9f

      SHA512

      7090738e013b1a14803d3aaf82297fb9ea55c4c74584d3ee3dd4ffd82806984478e91b064005afee0dd8ddd16064a595b2f5ee116de62d276f36a05ab127fff3

    • C:\Users\Admin\85YD65~1\vyxlzmmjau.KRY

      Filesize

      146B

      MD5

      f8f28e7c74bd6a4cc7df56669afa88cf

      SHA1

      7bb80e39c9110df945606e130487d9d6640b070b

      SHA256

      c77b3f14f6b629c255ca6a3a670a2a74c745fb81eaaa889b48f1e6f40b2204dd

      SHA512

      36ce3e93494ab29b2993053915848719d2323767fc728eb48bec9fb2b779e134fd4bf8af6e2c3a62308ec1cf103146c6af63d83afd870cd7293fd4d7f34e1a52

    • C:\Users\Admin\85YD65~1\xoutq.UQF

      Filesize

      251KB

      MD5

      ee86c399347a94cc72e7f7265beaad5f

      SHA1

      fac42d67f75805b995f5e64cdb1396f931b93373

      SHA256

      bbbc1f71ad5a62ee9c0d79027b92d8e8507e53ca0e25cb6927f05dc3f488cd11

      SHA512

      728c9f1e38d91af7aa9cc3e02960c666891103cba59db77aa332937c9dc158b8e7d5c866f34831b18381e87d8c10fd8e6dc5918e33c40481c1d7aa73e885e80d

    • C:\Users\Admin\85yd658866kut\ppirvcydqcw.exe

      Filesize

      910KB

      MD5

      330c70c8a9a4add2f13b5d896e335574

      SHA1

      8b50e8ed46359453ddd2f95fb666eaa0688e33f9

      SHA256

      767e7e13b2dd575a03e92e687c973248bef7a0f17984a69cdf052ea0d342dc16

      SHA512

      0c0eaabd34d93440df485a0f2682de919417fc6eefb18b296354eee49aae45b9f117a580e6bdbc9d9480f80e67ac14943f364e8f8b4c4342656331ca5d7aede3

    • C:\Users\Admin\85yd658866kut\qzkhxqu

      Filesize

      595KB

      MD5

      52f8f20255eac104a2975b734204f3cc

      SHA1

      0a0402efbde9cfe28f17861c3c9d9016cdba09a3

      SHA256

      a62ab6e3aa126805569997b7bbf26a1468a9a7c079432d1a176cae871329525d

      SHA512

      50c80cfea54a6417d21f2e3268c4069ceb0cc6c4d9e359d070056b556aee216995de30400620505149efbd1c5317107e5909cfb5952ec6f08537cbd0c2dc4647

    • memory/2188-31-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/2188-32-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/2188-35-0x0000000001750000-0x0000000001751000-memory.dmp

      Filesize

      4KB

    • memory/2188-37-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/2188-36-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/2188-34-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/2188-33-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/2188-30-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB

    • memory/2188-38-0x0000000000400000-0x00000000004B7000-memory.dmp

      Filesize

      732KB