Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
16-03-2024 10:13
General
-
Target
cdca6cf1adac7a1b0e924e6588b9e096.exe
-
Size
699KB
-
MD5
cdca6cf1adac7a1b0e924e6588b9e096
-
SHA1
1f0be53bbda5739eea99a8bce2f7602e17ff269e
-
SHA256
c9b37efc16b190f11f7607ace2a8f5b60639b716a72321fc3aada925c53aa7ed
-
SHA512
cfccc676c2808c4461846253fc44dd6cc46a7358357822863f967e5e1b1badb51052e4aefa2f9f371d92661be9de01739a33d3da5eae556f66feb1ad79f5a0a3
-
SSDEEP
12288:vsOW6Q4OWz9h8T+t7bzyHew18LpuVKxTlQrrq+3r5VuGBBNjZfRzV:hW6VXRhVbzyfyR0qMXNjBRZ
Malware Config
Extracted
darkcomet
Guest16
185.113.208.205:1604
DC_MUTEX-UCGJZEA
-
InstallPath
NvidiaGraphicSys.exe
-
gencode
Hdnr2tMwrvAj
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
Nvidia Graphics
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdca6cf1adac7a1b0e924e6588b9e096.exe"C:\Users\Admin\AppData\Local\Temp\cdca6cf1adac7a1b0e924e6588b9e096.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\XtuService.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\XtuService.sfx.exeXtuService.sfx.exe -p12345 dC:\Users\Admin\AppData\Local\Temp3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\XtuService.exe"C:\Users\Admin\AppData\Local\Temp\XtuService.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\XtuService.exe" +s +h5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\XtuService.exe" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\NvidiaGraphicSys.exe"C:\Windows\system32\NvidiaGraphicSys.exe"5⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad6⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\XtuService.exeFilesize
252KB
MD5a991a315e9e2cf61f714fa115850e0b5
SHA1869eab5b7ad365b143f32ee09c4ac4f0a7c13239
SHA256fb6749c7f90f62ea4f9f23256e0c99b530d33d17cfcb8706c8e196ac5c876e73
SHA512692884aa9c13600a48bac3219ed91afdd55f269422a6d9f8780106e79f2649c979ed470e5a6a8a3fbb72df4f6c60c2a4b7aecaec475b937055a815baf06bf703
-
C:\Windows\XtuService.batFilesize
34B
MD51c74a86919d0e2ffc46439d9479f15dd
SHA19c3cf4a8b012282bfee734c27441b6b1ebe74cd3
SHA2563e996691c8a3613d15dbe231a115a204abac909bf7d169d569a289499e8a92c3
SHA5127296ed7b5a8d06ddb1aec91cb326a5fc9478727ff84a6279fcb074a9897b5634db461b1ef6df216e191b26c59aeadd3f849c0a264b9c8130082dcab583b84db0
-
C:\Windows\XtuService.sfx.exeFilesize
540KB
MD5dde022f6784892790dca1b1e46c802a9
SHA108a103673b3e7ea7f254be3ea58a2aae1ac5e2d1
SHA2561203b0a5d202731d48e5d1a65bd3e75cb823d49548912da644ed3692194360d2
SHA512cc19b16c443ff3120371709a302f097b4005a9caae9a2ee6af688a5258b6a17fedc11670722011b4d4d6b472556867b50e3bd27deff5203bcb6593b99606b1ec
-
memory/3084-21-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/3084-23-0x00000000009D0000-0x00000000009D1000-memory.dmpFilesize
4KB
-
memory/3084-87-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4080-86-0x00000000005A0000-0x00000000005A1000-memory.dmpFilesize
4KB
-
memory/4552-85-0x00000000006A0000-0x00000000006A1000-memory.dmpFilesize
4KB
-
memory/4552-88-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4552-90-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4552-92-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4552-94-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4552-96-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4552-98-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB