Analysis

  • max time kernel
    145s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-03-2024 14:56

General

  • Target

    israbokchat.exe

  • Size

    756KB

  • MD5

    da12c6ff5cd8c76ea98749f8cecca7e0

  • SHA1

    320f3efb2d9e2f40a2f572600b594f6d0d962ca9

  • SHA256

    11ac419df5e4ff7f40024c59c4eef2376b73ce230a74d76532e02794965798fc

  • SHA512

    bc38df1580a168d0c4c83ce15aff98d86f0a96f26ebc12eb1d966ec8370ecdf17786f7c98fbd3496a91c8e33b09070975d667ed55c60d3e3a3c91f9f4570ecfd

  • SSDEEP

    12288:v9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h9KlKebJR:ZZ1xuVVjfFoynPaVBUR8f+kN10EBPhO

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

6.tcp.eu.ngrok.io:12633

Mutex

DC_MUTEX-CMZ8PA7

Attributes
  • gencode

    B5x3C3ZaFyH2

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies security service 2 TTPs 2 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\israbokchat.exe
    "C:\Users\Admin\AppData\Local\Temp\israbokchat.exe"
    1⤵
    • Modifies security service
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2740
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\israbokchat.exe" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\israbokchat.exe" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:4240
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:344
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:4612
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies security service
      • Disables RegEdit via registry modification
      • Suspicious use of AdjustPrivilegeToken
      PID:1560
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffd49dc46f8,0x7ffd49dc4708,0x7ffd49dc4718
      2⤵
        PID:1804
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        2⤵
          PID:548
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:5004
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
          2⤵
            PID:4956
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
            2⤵
              PID:2720
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
              2⤵
                PID:3620
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
                2⤵
                  PID:5180
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
                  2⤵
                    PID:5188
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
                    2⤵
                      PID:5392
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
                      2⤵
                        PID:5400
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
                        2⤵
                          PID:5540
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:5556
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13134853335582528460,229165927414190981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
                          2⤵
                            PID:5672
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:4048
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:320

                            Network

                            MITRE ATT&CK Matrix ATT&CK v13

                            Persistence

                            Create or Modify System Process

                            1
                            T1543

                            Windows Service

                            1
                            T1543.003

                            Privilege Escalation

                            Create or Modify System Process

                            1
                            T1543

                            Windows Service

                            1
                            T1543.003

                            Defense Evasion

                            Modify Registry

                            2
                            T1112

                            Hide Artifacts

                            2
                            T1564

                            Hidden Files and Directories

                            2
                            T1564.001

                            Discovery

                            Query Registry

                            2
                            T1012

                            System Information Discovery

                            3
                            T1082

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              36bb45cb1262fcfcab1e3e7960784eaa

                              SHA1

                              ab0e15841b027632c9e1b0a47d3dec42162fc637

                              SHA256

                              7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae

                              SHA512

                              02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              1e3dc6a82a2cb341f7c9feeaf53f466f

                              SHA1

                              915decb72e1f86e14114f14ac9bfd9ba198fdfce

                              SHA256

                              a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

                              SHA512

                              0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              586ec74678eb095c1c262fe78aa03a70

                              SHA1

                              01f54c7c13bcf867f6bf1d14b92a668fdb479a91

                              SHA256

                              cc15332afcb4db9c32511bd13e6f72dc10bb17d8b9a004f817c786ebed46d1af

                              SHA512

                              3afae300e7319dde6346cd244e5beaa35d0a3c40c61b08e0720dba09a22e383b4352f54dec8aed5c46378b706b0d013dbfcf724b5b115b01b2a5a2b84fa1837c

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              e0e76b52b3b782f1bf66e55707d91ecb

                              SHA1

                              12bb45042ced42f4152d634b5330bd0ec13e4e83

                              SHA256

                              4e96e8c7c11e541f776f449bb55f76fa6dfb767d74a9fe0d46234c6c6b0dbe43

                              SHA512

                              f943f5488b84ba83da5e5bc5becf0232159920df85aacf263735f9714d90ee6092d6bde8db807fe274de6c0b84b43407782581a167ffb47764093d25fd9e279f

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              f6b87c49721ce68f40c9ea26be728db0

                              SHA1

                              0a48e6b3bddd7d87c4e49f2b83b8431417865754

                              SHA256

                              a7f648616e62389285dcd1f9bffe9054dec6b0c008257b4880fb190009bff637

                              SHA512

                              69f6fe2726ab69edcbe0d66894dddbb9d4108e83c1fc63f3834dc62b4c107e3c45c9be59d3ca141a0344f1d9a953836277b2c5189e572367e0fe5b97ec19ff04

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                              Filesize

                              16B

                              MD5

                              6752a1d65b201c13b62ea44016eb221f

                              SHA1

                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                              SHA256

                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                              SHA512

                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                              Filesize

                              11KB

                              MD5

                              ccacf3471e9dae974c80241d5cb1feb6

                              SHA1

                              b3fa2e4575d8f4f077645d82834c936b269d0299

                              SHA256

                              2e3d6a4ef729bc6b8ad6441b67e5edc0016b1406304edfa54cb7d5589bd4e992

                              SHA512

                              ed4912bed778f24c7d4027a41f47571ddaeea63c13d90502c13bbddd6dd984a053be1cbb981b557d96a3ca2e436d5e24b0a351143e1c8008db4c27a40a7b75e6

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                              Filesize

                              12KB

                              MD5

                              982399188d82fef9560835dda19562a2

                              SHA1

                              26407cf5e28fc1610c17b31d569e0c4da39ee35d

                              SHA256

                              9944e2307840c81d239d13036c006e4f11603c74d0cc88a00b9c71ff55b836c7

                              SHA512

                              85ba0fc06090b5c415a7f366a855469c403e51e4269b4e2fb362f7439ec4fdad5b1ee45dec14b28245828cf9ee89da31226d668cbd24693831247efa8947610a

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                              Filesize

                              264KB

                              MD5

                              e42877eecefa05aef46d466629dc8b08

                              SHA1

                              b10446555c94fb6d0e284b838e448cb554ed0854

                              SHA256

                              7aa9d699ebb624280a4972a38f8f04aadc943f58df3e9266b3d0211e02e7c2b8

                              SHA512

                              30342764bb8d7d2fb1924aa6b0a03d2ad8077d00289e53da9c3bf4dd995aef7afe7a5f12a593d1fe4091fe1256d7dbb641d9adc6a47e4257d161c8f7fe178196

                            • \??\pipe\LOCAL\crashpad_5060_RJVPSMDGLFLEVGIC
                              MD5

                              d41d8cd98f00b204e9800998ecf8427e

                              SHA1

                              da39a3ee5e6b4b0d3255bfef95601890afd80709

                              SHA256

                              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                              SHA512

                              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                            • memory/1560-1-0x0000000000400000-0x00000000004CA000-memory.dmp
                              Filesize

                              808KB

                            • memory/2740-2-0x0000000000400000-0x00000000004CA000-memory.dmp
                              Filesize

                              808KB

                            • memory/2740-0-0x0000000002860000-0x0000000002861000-memory.dmp
                              Filesize

                              4KB