Overview

overview

10

Static

static

7

HELLO.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-03-2024 14:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HELLO.exe

  • Size

    232KB

  • MD5

    3d44b09f3692fbb7e048e1168c001cba

  • SHA1

    e4782b1348431efe4c89d0340fe23ab81bc0a3f7

  • SHA256

    338f5bb747c33ad50cad75c3facd2f3103ce294a608666635d0b66a6ad2ce12c

  • SHA512

    7b4824d0243ce546ebe607d519494a7780422e1f693aff8b82a122dd004d157524cc3e58a39c3ee9cfb61e8b40ae0b6cff593776b05d6956f7479c6e20692392

  • SSDEEP

    6144:djFy93LU92VxOtVflFud4TnxcpPTASCmqMorHwMroS:ZFy9bPQZlFjrG0ZmYbw+oS

Score
10/10
darkcometguest16_minpersistencerattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

lightttt.ddns.net:1604

Mutex

DCMIN_MUTEX-BJLBQY4

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    u03TbGe5ctBh

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HELLO.exe
    "C:\Users\Admin\AppData\Local\Temp\HELLO.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe
      "C:\ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2648
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1028
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:1260
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:792
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2268
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4816
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3036

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe
      Filesize

      232KB

      MD5

      3d44b09f3692fbb7e048e1168c001cba

      SHA1

      e4782b1348431efe4c89d0340fe23ab81bc0a3f7

      SHA256

      338f5bb747c33ad50cad75c3facd2f3103ce294a608666635d0b66a6ad2ce12c

      SHA512

      7b4824d0243ce546ebe607d519494a7780422e1f693aff8b82a122dd004d157524cc3e58a39c3ee9cfb61e8b40ae0b6cff593776b05d6956f7479c6e20692392

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF432D28905559A01D.TMP
      Filesize

      16KB

      MD5

      1a340fcb409a80e805767fe7f809fff9

      SHA1

      02e9d1c80c062f4e643b09cfc7ac4c5fd549a54d

      SHA256

      289fe96af42ecf74c4430ce11505fe365c48cbb1807aaa2488a39d9207123e85

      SHA512

      2a97e5f69df2fccd1280978453c3bd22dce0def4beb593e9321ad8865fba127c404f4e9107634d1999a384dc0cc7ec77e098967a75e25357686321e0ef0c93f7

      Download Submit
    • memory/1028-107-0x000001CA661F0000-0x000001CA661F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1028-103-0x000001CA664C0000-0x000001CA664C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1028-100-0x000001CA66560000-0x000001CA66562000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1028-13-0x000001CA65E00000-0x000001CA65E10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1028-29-0x000001CA66900000-0x000001CA66910000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1028-48-0x000001CA66490000-0x000001CA66492000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2180-1-0x00000000007C0000-0x00000000007C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2180-8-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2180-0-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2648-10-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2648-9-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2648-119-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2648-117-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2648-115-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2648-111-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2648-80-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/2648-7-0x0000000000660000-0x0000000000661000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2648-11-0x0000000000400000-0x00000000004B7000-memory.dmp
      Filesize

      732KB

      Download
    • memory/4816-76-0x00000215B9FD0000-0x00000215B9FD2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4816-68-0x00000215B9F40000-0x00000215B9F42000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4816-74-0x00000215B9FB0000-0x00000215B9FB2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4816-70-0x00000215B9F70000-0x00000215B9F72000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4816-78-0x00000215B9FF0000-0x00000215B9FF2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4816-72-0x00000215B9F90000-0x00000215B9F92000-memory.dmp
      Filesize

      8KB

      Download