Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16-03-2024 10:13

General

  • Target

    cdca6cf1adac7a1b0e924e6588b9e096.exe

  • Size

    699KB

  • MD5

    cdca6cf1adac7a1b0e924e6588b9e096

  • SHA1

    1f0be53bbda5739eea99a8bce2f7602e17ff269e

  • SHA256

    c9b37efc16b190f11f7607ace2a8f5b60639b716a72321fc3aada925c53aa7ed

  • SHA512

    cfccc676c2808c4461846253fc44dd6cc46a7358357822863f967e5e1b1badb51052e4aefa2f9f371d92661be9de01739a33d3da5eae556f66feb1ad79f5a0a3

  • SSDEEP

    12288:vsOW6Q4OWz9h8T+t7bzyHew18LpuVKxTlQrrq+3r5VuGBBNjZfRzV:hW6VXRhVbzyfyR0qMXNjBRZ

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

185.113.208.205:1604

Mutex

DC_MUTEX-UCGJZEA

Attributes
  • InstallPath

    NvidiaGraphicSys.exe

  • gencode

    Hdnr2tMwrvAj

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Nvidia Graphics

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdca6cf1adac7a1b0e924e6588b9e096.exe
    "C:\Users\Admin\AppData\Local\Temp\cdca6cf1adac7a1b0e924e6588b9e096.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\XtuService.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\XtuService.sfx.exe
        XtuService.sfx.exe -p12345 dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Users\Admin\AppData\Local\Temp\XtuService.exe
          "C:\Users\Admin\AppData\Local\Temp\XtuService.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\XtuService.exe" +s +h
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2452
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp\XtuService.exe" +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:2464
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2620
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:2472
          • C:\Windows\SysWOW64\NvidiaGraphicSys.exe
            "C:\Windows\system32\NvidiaGraphicSys.exe"
            5⤵
            • Windows security bypass
            • Executes dropped EXE
            • Windows security modification
            • Adds Run key to start application
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:572
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              6⤵
                PID:1552

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Defense Evasion

    Modify Registry

    4
    T1112

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\XtuService.bat
      Filesize

      34B

      MD5

      1c74a86919d0e2ffc46439d9479f15dd

      SHA1

      9c3cf4a8b012282bfee734c27441b6b1ebe74cd3

      SHA256

      3e996691c8a3613d15dbe231a115a204abac909bf7d169d569a289499e8a92c3

      SHA512

      7296ed7b5a8d06ddb1aec91cb326a5fc9478727ff84a6279fcb074a9897b5634db461b1ef6df216e191b26c59aeadd3f849c0a264b9c8130082dcab583b84db0

    • C:\Windows\XtuService.sfx.exe
      Filesize

      448KB

      MD5

      8a771052fa399c5276cf1fd9f31894fc

      SHA1

      4b3d57bd00836bf72654da64eece700977ccb412

      SHA256

      fd2916efa699a88734d58ed4f9b202f026c5b269b5c864ff86396a96d0cf8f70

      SHA512

      3af9e1e9eaa634ff2df4c825b1b24200df47393e3ceca6cd6e5d987d81025f78538eb35757781b8bea63113b4ee4f5c520270e06c8e6328373305ccf8a3ff241

    • C:\Windows\XtuService.sfx.exe
      Filesize

      517KB

      MD5

      389a440d3646f55b2e1710eac0ee0dc4

      SHA1

      9b686a5347367c634c0e153d010f8c985ed3595d

      SHA256

      375cbbced8fdd09a7afeecac6fd842e3e0fbe7f1f91ed6be33f395aa4f756fb6

      SHA512

      4a204d0f82b989a829d4915d11552c8128e54db47aba4dacad68bb83249fac65e10c039a9b9eaf7b1348bbaa6665db44652829e73f235dbbcf10a08b039c18c8

    • \Users\Admin\AppData\Local\Temp\XtuService.exe
      Filesize

      252KB

      MD5

      a991a315e9e2cf61f714fa115850e0b5

      SHA1

      869eab5b7ad365b143f32ee09c4ac4f0a7c13239

      SHA256

      fb6749c7f90f62ea4f9f23256e0c99b530d33d17cfcb8706c8e196ac5c876e73

      SHA512

      692884aa9c13600a48bac3219ed91afdd55f269422a6d9f8780106e79f2649c979ed470e5a6a8a3fbb72df4f6c60c2a4b7aecaec475b937055a815baf06bf703

    • memory/572-86-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

    • memory/572-84-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

    • memory/572-96-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

    • memory/572-94-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

    • memory/572-92-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

    • memory/572-56-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

    • memory/572-58-0x0000000000240000-0x0000000000241000-memory.dmp
      Filesize

      4KB

    • memory/572-90-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

    • memory/1552-57-0x0000000000100000-0x0000000000101000-memory.dmp
      Filesize

      4KB

    • memory/1552-82-0x0000000001BD0000-0x0000000001BD1000-memory.dmp
      Filesize

      4KB

    • memory/2648-37-0x00000000034B0000-0x0000000003567000-memory.dmp
      Filesize

      732KB

    • memory/2648-38-0x00000000034B0000-0x0000000003567000-memory.dmp
      Filesize

      732KB

    • memory/2656-83-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

    • memory/2656-53-0x0000000003A90000-0x0000000003B47000-memory.dmp
      Filesize

      732KB

    • memory/2656-41-0x0000000000250000-0x0000000000251000-memory.dmp
      Filesize

      4KB

    • memory/2656-40-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB