Overview

overview

10

Static

static

10

343726e33a...08.exe

windows7-x64

10

343726e33a...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2023 11:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    343726e33afc7a951c5e9075a178b608.exe

  • Size

    725KB

  • MD5

    343726e33afc7a951c5e9075a178b608

  • SHA1

    df3aefa08e35b55fade041ad740ae76b9cae6408

  • SHA256

    9d05eb381c6e21b36c720b02cf48019ada67c029468b05f6aaaeee12a9fffe26

  • SHA512

    b25579d32ffb3ce5485d959675b7738805caa13d7180e01fbbbd909306da20efa0a1641b6b7c682b07fa64d7d9d72503571e9435d9214e751bfa612307889879

  • SSDEEP

    12288:h9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/d:bZ1xuVVjfFoynPaVBUR8f+kN10Ed

Score
10/10
darkcometsazanevasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

127.0.0.1:1604

185.29.120.189:1604
Mutex

DC_MUTEX-C85CWU2

Attributes
  • InstallPath

    S1\updater.exe

  • gencode

    DlWfWyuahoYK

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Windows Firewall

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\343726e33afc7a951c5e9075a178b608.exe
    "C:\Users\Admin\AppData\Local\Temp\343726e33afc7a951c5e9075a178b608.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\343726e33afc7a951c5e9075a178b608.exe" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\343726e33afc7a951c5e9075a178b608.exe" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:3000
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:2692
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Deletes itself
      PID:2852
    • C:\ProgramData\Microsoft\Windows\Start Menu\S1\updater.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\S1\updater.exe"
      2⤵
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:2636

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Defense Evasion

    Modify Registry

    2
    T1112

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Windows\Start Menu\S1\updater.exe
      Filesize

      228KB

      MD5

      462105f6b59696ec4bb802bb7cf9568e

      SHA1

      a2532fd3b548e168a475fc7c2844cd7d6917a1b9

      SHA256

      eaa55ebaa2fc31e3a2b35a019b33479af3006431e30120ac9da0cd43a370d9ce

      SHA512

      6e37f9915f6e698764b898d93073e2517ca19ece6f397df4ed99c5ac49f944da398baaf26ae365db1127d23d33a43daf58cdbbe0e88e800d2aebeca20de59979

      Download Submit
    • C:\ProgramData\Microsoft\Windows\Start Menu\S1\updater.exe
      Filesize

      132KB

      MD5

      4ad4b2aaa2cfb2e37f896a23c800e60f

      SHA1

      4708a9a568ff7f802ac18973208d2c16a32571b4

      SHA256

      8253d157a495cf4ceed105295fcdfae4098599c95194c098353432628f2c5048

      SHA512

      f8ca2fac0c90a518b37eff66bd61e8d4568e0c2ed296cfd5716f6ce5cdd4c7a308ee54c167dd98ff620f698b42c14f92cb59906296d33f7be95f659e758b03b1

      Download Submit
    • C:\ProgramData\Microsoft\Windows\Start Menu\S1\updater.exe
      Filesize

      120KB

      MD5

      8d364b322a36fad076c78f629756b1a7

      SHA1

      369902ef4fe50b2bd171efc3f9d088d08703efe9

      SHA256

      050ceab1470ba817db9ec391461b167672eee4726702d9dda0c1b9ff8befb7ab

      SHA512

      a7dc8b15e66a4378f85d2bb579852736e548e099d5bfcdb443906e601e3430a0b00a9fef80f4eee270f41fba3f155a044b559c48bcafeb86397896433738dc2b

      Download Submit
    • \ProgramData\Microsoft\Windows\Start Menu\S1\updater.exe
      Filesize

      296KB

      MD5

      b2869d39c0ef3295171674048c3a5eff

      SHA1

      bd6e805738c496bbb429f1c3a88f6a5dccc742bb

      SHA256

      ba463d2bfd534b8ff7f2b5ba652057170015d31b541f31b89a5d1c1b985a9b35

      SHA512

      df2565bc12d3e793d0bafb519d0207ff7f342dc8e7ca67838fde9944a018ef2783d8f9dd744261e53a6689c0e43f396b3c4f42c21042b639f43304025ecebc03

      Download Submit
    • \ProgramData\Microsoft\Windows\Start Menu\S1\updater.exe
      Filesize

      37KB

      MD5

      27137efc765726f30cea4096c507a009

      SHA1

      fe70978ef0f35176c0fe4c407e4e01f99f347fc7

      SHA256

      b8000ca4b0463e5b52d7edcd89e9aeaa69144658fe4f5ddd47a7ac7488573e40

      SHA512

      8fd0a63d41200463d37759d5dc35d7c3892b710c73e88baf989039df0327969431a60fd80ebaf51f9040c786d286c83e37d025433ed71886099651a56599ad2e

      Download Submit
    • \ProgramData\Microsoft\Windows\Start Menu\S1\updater.exe
      Filesize

      18KB

      MD5

      eab499427eb25af827edb09da8600e5b

      SHA1

      04205615c23a0643058abf805eab0931688ec93b

      SHA256

      d9112088efaca7f1363d2929ddcac567385ec312199831139f1dab5c67611472

      SHA512

      152724f1b2d11c1168849ba4949462761fa8bd6a652e3c62646ebbd4ad87d9e434a22efc33d2436571fbd6b6674c75ae9cc4d25ff8a3ee48c96d4504b80072af

      Download Submit
    • \ProgramData\Microsoft\Windows\Start Menu\S1\updater.exe
      Filesize

      9KB

      MD5

      e6f17367754c7d70821feec94fcdd2a1

      SHA1

      7abdf69b586aecfb715b7cb42e38711e9663a7ca

      SHA256

      3f1d6f37af9badc143baced31f009629eebd00ac2fba08537bd0b9ff28b6c368

      SHA512

      6c686970c281e8c9ef31ff03effde4692ccda6f34ce1804375f6532e485e5fbbaec3fbdb22a5250ef6ce30f349a111b13cb62ad68de16792924168d4d46526b3

      Download Submit
    • memory/2480-0-0x00000000003C0000-0x00000000003C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2480-68-0x0000000000400000-0x00000000004C2000-memory.dmp
      Filesize

      776KB

      Download
    • memory/2636-67-0x0000000000430000-0x0000000000431000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2736-70-0x0000000000400000-0x00000000004C2000-memory.dmp
      Filesize

      776KB

      Download
    • memory/2736-71-0x0000000000400000-0x00000000004C2000-memory.dmp
      Filesize

      776KB

      Download
    • memory/2736-72-0x0000000000400000-0x00000000004C2000-memory.dmp
      Filesize

      776KB

      Download
    • memory/2736-74-0x0000000000400000-0x00000000004C2000-memory.dmp
      Filesize

      776KB

      Download
    • memory/2852-20-0x0000000000220000-0x0000000000221000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2852-3-0x0000000000080000-0x0000000000081000-memory.dmp
      Filesize

      4KB

      Download