Overview

overview

10

Static

static

3

$$dinamikC...$$.exe

windows10-2004-x64

10

Resubmissions

19-02-2024 05:10

240219-ftyd4shh9y 10

Analysis

  • max time kernel
    75s
  • max time network
    75s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-02-2024 05:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $$dinamikCristal$$.exe

  • Size

    746KB

  • MD5

    54090521d667d44350d72b066c6f242a

  • SHA1

    20424c81eb3b6bd68467333f7e45e60f7571518a

  • SHA256

    1c21cb19240f4e2b1ec3490c54a437b84345f41298ccc3d5c17fe8bf3dd16ba3

  • SHA512

    fde7c2f5f2558bf315e567898f93bffa9320670ebddb6bbba66541c3a93f21737398ed7d1dd134086bb9e9cdd00f580f434ac210dd68e57a371df855af3222bc

  • SSDEEP

    12288:jBdlwHRn+WlYV+8T+tkpeZuCWbKeYQjL7niHpwrcURuwSs/Y:jBkVdlYAKc1WmEjL7niHpwrcU2s/Y

Score
10/10
darkcometguest16evasionrattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

4.tcp.eu.ngrok.io:16885

4.tcp.eu.ngrok.io:1604
Mutex

DC_MUTEX-Z4PMKKC

Attributes
  • gencode

    42mAfR1mKy33

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\$$dinamikCristal$$.exe
    "C:\Users\Admin\AppData\Local\Temp\$$dinamikCristal$$.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\dinamikPack.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Windows\dinamikPack.sfx.exe
        dinamikPack.sfx -p320232023202 dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Users\Admin\AppData\Local\Temp\dinamikPack.exe
          "C:\Users\Admin\AppData\Local\Temp\dinamikPack.exe"
          4⤵
          • Modifies firewall policy service
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Checks computer location settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3576
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\dinamikPack.exe" +s +h
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:976
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp\dinamikPack.exe" +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:2260
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:920
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:1688
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            5⤵
              PID:2476

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Modify Registry

    4
    T1112

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\dinamikPack.exe
      Filesize

      251KB

      MD5

      cb93d92a764597510929423bf7b276a2

      SHA1

      0d436dc6657b49b95baa9880c0485e28ce5ba4fc

      SHA256

      20a207641e090e8ba7172e95efd4e7f9315a19bb6d15344997c1aa68b0e6a633

      SHA512

      58eb408c6f309e8e47b71877064d487aa05ba2a8c4d06d3c7ca624de1219568fc38b8ecea3321726cf275e6abb4d7e5b39fc312d592156b99d0d60366618112d

      Download Submit
    • C:\Windows\dinamikPack.bat
      Filesize

      55B

      MD5

      e69d25e8e79b1e64ab95cc95c63e1216

      SHA1

      f6ddca5d2683871e1385a87fb7a4449340dd0438

      SHA256

      bdf4826ae25feeb71f77a509b155f1d83adc4fa3024af979f638e185762171d6

      SHA512

      1f6179c5f1ea54ada17ab55b75be8b49f9ff5928ea827462be34b14298efe62b9a052c7ec5fdc698102cbe83b43458a9dee22bf5afcf8c3df7f31bca6f01af70

      Download Submit
    • C:\Windows\dinamikPack.sfx.exe
      Filesize

      573KB

      MD5

      77a913f94788fafc3bb9e6dd345cb3e2

      SHA1

      2a032a19f432a29717907d8e1fb3ee825d3bf3ff

      SHA256

      13a368a0959150310e8d0b3f6118e0d0930acf3e61057787cb9c81e6b88bd65d

      SHA512

      2aec5e05c7b5c3dab2fec683f662663e539e247628695df4d2ae43a16f8b79e80ed9b1fd944c03401e37be540196ef77767ee6dc66900306df352f1381eb93a8

      Download Submit
    • memory/2476-25-0x0000000000AA0000-0x0000000000AA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3576-23-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/3576-24-0x00000000026D0000-0x00000000026D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3576-26-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download