Analysis

  • max time kernel
    2s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-12-2023 11:24

General

  • Target

    343726e33afc7a951c5e9075a178b608.exe

  • Size

    725KB

  • MD5

    343726e33afc7a951c5e9075a178b608

  • SHA1

    df3aefa08e35b55fade041ad740ae76b9cae6408

  • SHA256

    9d05eb381c6e21b36c720b02cf48019ada67c029468b05f6aaaeee12a9fffe26

  • SHA512

    b25579d32ffb3ce5485d959675b7738805caa13d7180e01fbbbd909306da20efa0a1641b6b7c682b07fa64d7d9d72503571e9435d9214e751bfa612307889879

  • SSDEEP

    12288:h9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/d:bZ1xuVVjfFoynPaVBUR8f+kN10Ed

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

127.0.0.1:1604

185.29.120.189:1604

Mutex

DC_MUTEX-C85CWU2

Attributes
  • InstallPath

    S1\updater.exe

  • gencode

    DlWfWyuahoYK

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Windows Firewall

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Sets file to hidden (1 TTP, 2 IoCs)

    Modifies file attributes to stop it showing in Explorer etc.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (24 IoCs)
  • Views/modifies file attributes (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\343726e33afc7a951c5e9075a178b608.exe
    "C:\Users\Admin\AppData\Local\Temp\343726e33afc7a951c5e9075a178b608.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    PID:1808
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      PID:1804
    • C:\ProgramData\Microsoft\Windows\Start Menu\S1\updater.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\S1\updater.exe"
      2⤵
      PID:1464
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        PID:1832
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      PID:1056
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\343726e33afc7a951c5e9075a178b608.exe" +s +h
      2⤵
      PID:4360
  • C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\343726e33afc7a951c5e9075a178b608.exe" +s +h
    1⤵
    • Sets file to hidden
    • Views/modifies file attributes
    PID:4564
  • C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    1⤵
    • Sets file to hidden
    • Views/modifies file attributes
    PID:1068

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (2) T1547
    • Registry Run Keys / Startup Folder (1) T1547.001
    • Winlogon Helper DLL (1) T1547.004

Privilege Escalation

  • Boot or Logon Autostart Execution (2) T1547
    • Registry Run Keys / Startup Folder (1) T1547.001
    • Winlogon Helper DLL (1) T1547.004

Defense Evasion

  • Modify Registry (2) T1112
  • Hide Artifacts (2) T1564
    • Hidden Files and Directories (2) T1564.001

Discovery

  • System Information Discovery (1) T1082


Downloads

  • memory/1464-14-0x00000000009C0000-0x00000000009C1000-memory.dmp
    Filesize: 4KB
  • memory/1464-18-0x0000000000400000-0x00000000004C2000-memory.dmp
    Filesize: 776KB
  • memory/1464-19-0x0000000000400000-0x00000000004C2000-memory.dmp
    Filesize: 776KB
  • memory/1804-3-0x0000000000F30000-0x0000000000F31000-memory.dmp
    Filesize: 4KB
  • memory/1808-0-0x0000000000B30000-0x0000000000B31000-memory.dmp
    Filesize: 4KB
  • memory/1808-16-0x0000000000400000-0x00000000004C2000-memory.dmp
    Filesize: 776KB
  • memory/1832-15-0x0000000000980000-0x0000000000981000-memory.dmp
    Filesize: 4KB