Overview

overview

10

Static

static

10

11fb758dd3...66.exe

windows7-x64

10

11fb758dd3...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    173s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 07:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11fb758dd3cdc09650445e5527b88e66.exe

  • Size

    1.1MB

  • MD5

    11fb758dd3cdc09650445e5527b88e66

  • SHA1

    35a122d148139c21185496adf1abb0c63ceba357

  • SHA256

    41a682da16b22581581ef2353fe9e900be9162609dc89c956addd256b4f9d546

  • SHA512

    cd7f9e76dd23e5f76a6bb45e9d0d6da182a62018697817f892e06a0f0b7d61e5c150947273bdf07f8e71e3e4e3c12343bc3ae5ce48e3be3dd0c531f5aa9fcf4d

  • SSDEEP

    24576:RVmqz0QRWoJEfg0oChGdJQbjPbNW5tYeP+GF/9YvWmztzWFq:RBAQRV2o3MPY5Aw9YvjzAq

Score
10/10
darkcomettrojan_evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Trojan_

C2

rubino.zapto.org:1604

Mutex

DC_MUTEX-9E0FYS9

Attributes
  • InstallPath

    Java.exe

  • gencode

    KHoKmB1jKaxU

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Java

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\11fb758dd3cdc09650445e5527b88e66.exe
    "C:\Users\Admin\AppData\Local\Temp\11fb758dd3cdc09650445e5527b88e66.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Users\Admin\AppData\Local\Temp\IDOSER V4.EXE
      "C:\Users\Admin\AppData\Local\Temp\IDOSER V4.EXE"
      2⤵
      • Executes dropped EXE
      PID:3684
    • C:\Users\Admin\AppData\Local\Temp\TROJAN.EXE
      "C:\Users\Admin\AppData\Local\Temp\TROJAN.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Users\Admin\AppData\Roaming\Java.exe
        "C:\Users\Admin\AppData\Roaming\Java.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:4856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IDOSER V4.EXE
    Filesize

    157KB

    MD5

    cf7dc664d5f00183b920f9001b3cf6a4

    SHA1

    248facb4586b68768954c2b6e6947c651b17ea54

    SHA256

    3cc66a22f26f6517f52f6efe17f510510e89312a4ff893c71e689abfda26eb4a

    SHA512

    b47387fa31ddde23154ecb0ad25589cd468b5701320aa3b8f473315eea310c1d4fa351a9dbb7cb658f3707cf092cbb1a95137f6ee902943ddfb32856e9741027

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TROJAN.EXE
    Filesize

    846KB

    MD5

    c1f94d8462f922748cdbdca166744f3d

    SHA1

    fa051be7431a989577cea812e93f2a501435c941

    SHA256

    4a238fb5aff8e80948017e4e3f4268c2bf6155007192c65c009adb52450ad494

    SHA512

    6472a4d983fb779019deb6aa5f444128eda4e17e5600f2a8a1cffedb6a71cfd7cccb61c0f532d1ecb536f8fa2b836633f21e54e214ad0b84a56000acd94cb7a9

    Download Submit

  • memory/2512-38-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/2512-22-0x00000000022E0000-0x00000000022E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3684-53-0x00000000018F0000-0x0000000001900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3684-26-0x00007FFC78470000-0x00007FFC78E11000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3684-25-0x00000000018F0000-0x0000000001900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3684-24-0x00007FFC78470000-0x00007FFC78E11000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3684-40-0x000000001BFF0000-0x000000001C096000-memory.dmp

    Filesize

    664KB

    Download

  • memory/3684-41-0x000000001C570000-0x000000001CA3E000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/3684-42-0x000000001CB60000-0x000000001CBFC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3684-43-0x0000000001900000-0x0000000001908000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3684-44-0x000000001CCC0000-0x000000001CD0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3684-45-0x00000000018F0000-0x0000000001900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3684-46-0x00000000018F0000-0x0000000001900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3684-51-0x00000000018F0000-0x0000000001900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3684-48-0x00007FFC78470000-0x00007FFC78E11000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4856-49-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/4856-50-0x00000000021A0000-0x00000000021A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4856-47-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/4856-52-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/4856-39-0x00000000021A0000-0x00000000021A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4856-54-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/4856-55-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/4856-56-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/4856-57-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/4856-58-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/4856-59-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/4856-60-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download