Overview

overview

10

Static

static

3

92f143956b...64.exe

windows7-x64

10

92f143956b...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-02-2024 20:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92f143956b9a12540154e290c4e62564.exe

  • Size

    761KB

  • MD5

    92f143956b9a12540154e290c4e62564

  • SHA1

    1fee278385d5b122aed257fafad8438382492dec

  • SHA256

    eba350227560d9ced91f4d3d85758edeca142d387cb2156dc9e169aaa0a4e6c6

  • SHA512

    9dc37a30a62757252577fa00dbfc195b99274f8b868a9833a2b46f3b7b1d50c1363d142807b405068d8bdab1cbbc8ec5dca1691f223dc04c3b64c08066d5f3f7

  • SSDEEP

    12288:BMrNIqNDs+RG7Y/ovzi0dSR/qP5OrOEuDAE+GL2QehBLouk3DefG7h:CrNIqNDsK6tvRda/RONAE+M2QebnkQGl

Score
10/10
darkcometcryptedpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Crypted

C2

anonymoushere.no-ip.org:1604

Mutex

DC_MUTEX-J8M2E7P

Attributes
  • gencode

    GmA26Nic56qT

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92f143956b9a12540154e290c4e62564.exe
    "C:\Users\Admin\AppData\Local\Temp\92f143956b9a12540154e290c4e62564.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:208
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe
        "C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4520
  • C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe
    "C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4232
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 448
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:3764
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4812
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe
    Filesize

    280KB

    MD5

    52b210e09a253e760791851f93718517

    SHA1

    18c89f4b1fc5d9850ab57bfa6c78a6518ebdb063

    SHA256

    822cc6d2c6a150934cd2557a84459ceb8d15d7de94376f00cd5cc82ef35fc13d

    SHA512

    dbc142e330ce6f8cf185dd51e84a694e644edb5c7dc0f2f780b3f1a0d6509d6527f2979e10ef35b3a27d7b5fb1e995387cb65c98baae6ecbf563e61a24028b92

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe
    Filesize

    297KB

    MD5

    fe7c3dd024ee5d385ea23a2e2b963d94

    SHA1

    a9e058e840aa7bcd33c9aa45aafa4b321c885028

    SHA256

    e1b6a106b7ad1eeef3d6748b7ba92f891c41827e201c5f12aa45a9a71d1fc793

    SHA512

    4cbff6fafe23f9808a63f4ef97e8bd2997036d0e9036ba208b5e0150f9aeda8bbd39a1709e0f90dafe082cf48cc5158b70fbc41239c54eeca4a3cee1a8aa623e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe
    Filesize

    149KB

    MD5

    d31c982d25c7994cad866e7aa2493b89

    SHA1

    58165482dbbca536f0433d2bf5927c8ee6ae653c

    SHA256

    b0d2003ad03288858cbddca09dc2425325fb85eb8558f3c218a408263a12caca

    SHA512

    db5e75a58653daea3860918b11af9b43c5846d4cb9277c20ff2262a4b8fee6e5096a3e9a0d49a3f6b60200a9504dbacec0ec609527cc1169923547e40190401d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    Filesize

    7KB

    MD5

    bfab13f3f1c91d2590ef07c65839ffef

    SHA1

    85177eab769ca28a67a56e768d1279b457b4fa74

    SHA256

    f50751a3a7df1fff2022b398b937892e4c6f7f545107a93466d26db346a04310

    SHA512

    02cee67f4bc8c5a330a6c0a96d88372497730b2477b9575451a5710b340f2c61f2c4f7644cae3d885363e4ec9aa30c736dd292120d0e25528674fe10b8bdd3b3

    Download Submit
  • memory/208-8-0x0000000000400000-0x00000000004B8000-memory.dmp
    Filesize

    736KB

    Download
  • memory/208-9-0x0000000000400000-0x00000000004B8000-memory.dmp
    Filesize

    736KB

    Download
  • memory/208-7-0x0000000000400000-0x00000000004B8000-memory.dmp
    Filesize

    736KB

    Download
  • memory/208-10-0x00000000006F0000-0x00000000006F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2044-50-0x0000000000400000-0x00000000004B8000-memory.dmp
    Filesize

    736KB

    Download
  • memory/2044-49-0x0000000000400000-0x00000000004B8000-memory.dmp
    Filesize

    736KB

    Download
  • memory/2044-47-0x00000000007F0000-0x00000000007F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2248-21-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2248-23-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2248-53-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2248-54-0x0000000001340000-0x0000000001350000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2248-22-0x0000000001340000-0x0000000001350000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4232-39-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4232-30-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4232-27-0x00000000010D0000-0x00000000010E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4232-26-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4520-42-0x0000000000B00000-0x0000000000B10000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4520-44-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4520-41-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4520-56-0x0000000000B00000-0x0000000000B10000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4520-55-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/4812-32-0x0000000002180000-0x0000000002181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/5028-0-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/5028-52-0x0000000000C40000-0x0000000000C50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5028-51-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/5028-2-0x0000000000C40000-0x0000000000C50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5028-1-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/5028-48-0x0000000075440000-0x00000000759F1000-memory.dmp
    Filesize

    5.7MB

    Download