Overview

overview

10

Static

static

1

b8e9f57718...9d.exe

windows7-x64

10

b8e9f57718...9d.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07-03-2024 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b8e9f57718a08d5ce927db8f4789569d.exe

  • Size

    1.2MB

  • MD5

    b8e9f57718a08d5ce927db8f4789569d

  • SHA1

    2c27146487faede087a7c21d27b5663a295ad44d

  • SHA256

    36952b4bf4a7f5b524adb73c6ff3aaa28c38c87d5ede6ecbad670caac7428538

  • SHA512

    ade073fa43b91b3c8e7c8f93f023076a4c0d45c9329f35c6d73fa4995fa156248f2a17842eb2d9ba3f49aedaf80b8239570142ec7aa6f51c09e4c9b6d4d0e659

  • SSDEEP

    24576:iaCwtiqV012KXkJHsYiyGQWgANWGyo70zWGT8y5N7I:W56xi9ZUGFqxM

Score
10/10
darkcometparallax!!!!!!!!!!!ddos-spread!!!!!!!!!!!!!!!!!persistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

!!!!!!!!!!!DDos-Spread!!!!!!!!!!!!!!!!!

C2

91.234.106.186:9292

Mutex

DC_MUTEX-S03QZ61

Attributes
  • gencode

    uZqfU11u4x0p

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

    ratparallax
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 9 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8e9f57718a08d5ce927db8f4789569d.exe
    "C:\Users\Admin\AppData\Local\Temp\b8e9f57718a08d5ce927db8f4789569d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\b8e9f57718a08d5ce927db8f4789569d.exe
      "C:\Users\Admin\AppData\Local\Temp\b8e9f57718a08d5ce927db8f4789569d.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Users\Admin\AppData\Roaming\KEOJF.exe
        "C:\Users\Admin\AppData\Roaming\KEOJF.exe"
        3⤵
        • Executes dropped EXE
        PID:1700
    • C:\Users\Admin\AppData\Local\Temp\b8e9f57718a08d5ce927db8f4789569d.exe
      "C:\Users\Admin\AppData\Local\Temp\b8e9f57718a08d5ce927db8f4789569d.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ORCHM.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Security" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Security\security.exe" /f
          4⤵
          • Adds Run key to start application
          PID:1300
      • C:\Users\Admin\AppData\Roaming\Security\security.exe
        "C:\Users\Admin\AppData\Roaming\Security\security.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Users\Admin\AppData\Roaming\Security\security.exe
          "C:\Users\Admin\AppData\Roaming\Security\security.exe"
          4⤵
          • Executes dropped EXE
          PID:2184
        • C:\Users\Admin\AppData\Roaming\Security\security.exe
          "C:\Users\Admin\AppData\Roaming\Security\security.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1296
        • C:\Users\Admin\AppData\Roaming\Security\security.exe
          "C:\Users\Admin\AppData\Roaming\Security\security.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ORCHM.bat
    Filesize

    147B

    MD5

    6f473a1ba53e043362047f72e20b34f4

    SHA1

    e8f121a589e1207ed950453376ee1d21b1223835

    SHA256

    5fbce2c77a90ba9edbcf60be3851ab81633b7c10b1babb624d475c7be589de4b

    SHA512

    b4976d40bc708ae6cddf367a5382cd532e4cf235b848cdaa4e4d317e06d9126e50745a7772591bc21dc7380689f4399e57501b0aa73cd231bce32e22d53b0818

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Security\security.exe
    Filesize

    64KB

    MD5

    13843b72cf0d0e85e61fc61debf05809

    SHA1

    6cfda54330609a41ed0190c755ac20e72617f314

    SHA256

    dd06850673019ec0c1a8c18f06feb308c5e5e69c758bd8f58989319b269556d7

    SHA512

    8453bdd727e45477fe400c995afcf6d138dc930ecfe0106c74a5fe7beb12fa66b58e788d8b37d061c7b0910bd2c376d6ebab11f2a3b4083dd53b8b2f678e5cf0

    Download Submit

  • \Users\Admin\AppData\Roaming\KEOJF.exe
    Filesize

    396KB

    MD5

    97dfac6e0541c19a7cc8adb8fe322d4e

    SHA1

    3d30f9a61e70ee3970d041a83c5f64ae84bddf0b

    SHA256

    247c8b720d4ffa93f1b1f72d6df7dcacd80fb91d8f6747a339ba75fe690d89d1

    SHA512

    61ae747e122fa662035ddb29476a8381f320f8c3ba9dd3ceeb4a91e85eba61104a10a6461d54eca14a90be393745cda09222ddb29985d996ce8855b2bba27888

    Download Submit

  • \Users\Admin\AppData\Roaming\Security\security.exe
    Filesize

    1.2MB

    MD5

    18622d07172e6130ed199a1b5965c907

    SHA1

    0578da5c901db514c7ef779bf25229364b4737dd

    SHA256

    ab699cf562a925c6ae5982abccb8012f709871404acb76031e12b1fd2e709dc0

    SHA512

    abc9311f113b01257640ee6984dc47c7dbe32bb2006cb4b2d3333905231cc857ae2bd94a2be168764e8a6b41efdb1b2d0ee52e6cef645997f9a4b149bb180863

    Download Submit

  • memory/1296-443-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1296-388-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1656-165-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1656-428-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1656-167-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1700-185-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2184-372-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2340-36-0x00000000029D0000-0x00000000029D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-58-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-12-0x0000000002C20000-0x0000000002C21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-4-0x0000000002A20000-0x0000000002A21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-2-0x0000000002A20000-0x0000000002A21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-96-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-130-0x00000000028D0000-0x00000000029A7000-memory.dmp

    Filesize

    860KB

    Download

  • memory/2340-76-0x00000000029B0000-0x00000000029B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-68-0x00000000029C0000-0x00000000029C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-66-0x00000000029C0000-0x00000000029C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-14-0x0000000002C20000-0x0000000002C21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-56-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-24-0x0000000002870000-0x0000000002871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-26-0x0000000002870000-0x0000000002871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-78-0x00000000029B0000-0x00000000029B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-38-0x00000000029D0000-0x00000000029D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-46-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-48-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2700-431-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2700-430-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2700-432-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2700-447-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2976-146-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2976-152-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2976-138-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2976-136-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2976-437-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2976-134-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

    Download