Overview

overview

10

Static

static

10

ESLgdmd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-03-2024 04:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ESLgdmd.exe

  • Size

    658KB

  • MD5

    9a1296f15ba38db6500996f2ab63326b

  • SHA1

    23fdace0f52b005b4a8c48f1e3d2328d1dc17daa

  • SHA256

    4218376daccfef8f6ab886677d35f611742d87514f397ba364aecc31def43162

  • SHA512

    4b95b505ad0c40a524106ecb74a21586076b3b83cce9039cb16890d91e62a7952a4bfcd55240ebad43af2f0a5dece71644e247983e89475bdddddda5ec5c1db1

  • SSDEEP

    12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hxM:KZ1xuVVjfFoynPaVBUR8f+kN10EB7M

Score
10/10
darkcometguest16evasionpersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

hacker201.no-ip.biz:1604

Mutex

DC_MUTEX-5VHD9SM

Attributes
  • InstallPath

    Windupdt/winupdate.exe

  • gencode

    0HWc2rAvaCd2

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    winupdater

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ESLgdmd.exe
    "C:\Users\Admin\AppData\Local\Temp\ESLgdmd.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies security service
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
        PID:2400

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Modify Registry

    5
    T1112

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2400-1-0x0000000000EF0000-0x0000000000EF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3248-8-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3248-7-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3248-3-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3248-4-0x0000000002500000-0x0000000002501000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3248-9-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3248-6-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3248-2-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3248-0-0x0000000002500000-0x0000000002501000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3248-5-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3248-10-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3248-11-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3248-12-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3248-13-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3248-14-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3248-15-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/3248-16-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download