Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/01/2024, 10:30

General

  • Target

    6a30b320446a423c14f5c2eb1e69bde8.exe

  • Size

    946KB

  • MD5

    6a30b320446a423c14f5c2eb1e69bde8

  • SHA1

    5eb9991fbdd44574984b569498eb71586cde8c9b

  • SHA256

    9a9d814c6d40bb1f2b5b1efb69041afff09b3c41fc618bd79bb8053205a08a24

  • SHA512

    ea43756d7a3d1b55d9cc86cec0bba3e8bd4e7a59a8841d29ddfc53091791c1e61e3e66c55c17adfddc510892f518685f4b4e1984ed6350191d5f85c2f9172140

  • SSDEEP

    12288:mUmKtThdsnPbLoTXPThJj9Hjdv5c6Z4EvZq0qcaSB0KdqgSdzRrrB5zMPq39zivZ:DtnsnPHohJj90nEvpuYqggVrrTYPhx

Malware Config

Extracted

Family

darkcomet

Botnet

rsman

C2

internetconnection.no-ip.info:8889

Mutex

DCMIN_MUTEX-FKV7NNB

Attributes
  • gencode

    sdDYWLgbyDpT

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe
    "C:\Users\Admin\AppData\Local\Temp\6a30b320446a423c14f5c2eb1e69bde8.exe"
    1⤵
    • Drops startup file
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Windows\InstallDir\help.exe
      C:\Windows\InstallDir\help.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5016
      • C:\Windows\SysWOW64\cmd.exe
        /c net stop MpsSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3924
        • C:\Windows\SysWOW64\net.exe
          net stop MpsSvc
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1632
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MpsSvc
            5⤵
              PID:4812
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4328
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4328 CREDAT:17410 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1524
        • C:\Windows\InstallDir\help.exe
          C:\Windows\InstallDir\help.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3840

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

            Filesize

            471B

            MD5

            062fdbb9bb3c118fcc66827cdc26e6f0

            SHA1

            2033529788108b0514b5acae2b0ed3b7e051c318

            SHA256

            10a79f11b599e86eb9a03e62f1969485589597cef2b4d8b2a7f1133736e97c22

            SHA512

            33ecbc35c98d8aa24f24e420dd352fb35048696fdc96cafe15bdae131cc18f81426bc515393a3b940519f289d3b0585516eced7b692ff607bd9ef366db098810

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

            Filesize

            404B

            MD5

            dd36d6dc06c6c289c31e35f398170a2e

            SHA1

            e375b39a129249b04977a0d541197dd21569074b

            SHA256

            12fe7b98965525cd62ea653f3e895e55b9eaf0109b819a860f3d98805df41ed2

            SHA512

            6832bb0130ce122c80a33da82acd1c2a7ecca8f7bc144e513ef923559166b793fb01f9461e71e1b8d4238f51cc11ca24af3d5e3cfe7223088d4aad37b7d7fcd0

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M8F18HYR\suggestions[1].en-US

            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          • C:\Windows\InstallDir\help.exe

            Filesize

            946KB

            MD5

            6a30b320446a423c14f5c2eb1e69bde8

            SHA1

            5eb9991fbdd44574984b569498eb71586cde8c9b

            SHA256

            9a9d814c6d40bb1f2b5b1efb69041afff09b3c41fc618bd79bb8053205a08a24

            SHA512

            ea43756d7a3d1b55d9cc86cec0bba3e8bd4e7a59a8841d29ddfc53091791c1e61e3e66c55c17adfddc510892f518685f4b4e1984ed6350191d5f85c2f9172140

          • memory/3840-18-0x00000000007E0000-0x00000000007E1000-memory.dmp

            Filesize

            4KB

          • memory/3840-34-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-55-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-19-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-20-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-21-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-22-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-23-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-24-0x00000000007E0000-0x00000000007E1000-memory.dmp

            Filesize

            4KB

          • memory/3840-16-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-15-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-17-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-35-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-36-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-37-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-54-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-48-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-49-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-50-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-51-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-52-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3840-53-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB

          • memory/3992-0-0x0000000002280000-0x0000000002286000-memory.dmp

            Filesize

            24KB

          • memory/4328-12-0x0000000000400000-0x00000000004B2000-memory.dmp

            Filesize

            712KB