Overview

overview

10

Static

static

10

079d1841d6...30.exe

windows7-x64

10

079d1841d6...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 12:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe

  • Size

    756KB

  • MD5

    7f63869a181a8ebb360a89b58c739648

  • SHA1

    83e0504e36530cf417aee9cf6cfac90d0f21a451

  • SHA256

    079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030

  • SHA512

    5c1c5aaa55c3ea87138aaca88d771abb4d80d319abce0235f9ad5d6ad63c74d082c933366c7ea927fac80ef8d0874a71e9a67bb316355a8b31fd4cd060e67b86

  • SSDEEP

    12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hgqMd0QZhJ:KZ1xuVVjfFoynPaVBUR8f+kN10EBqD0e

Score
10/10
darkcometguest16evasionrattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-Z5HMAL1

Attributes
  • gencode

    L2p2T15qZDML

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe
    "C:\Users\Admin\AppData\Local\Temp\079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\079d1841d6f0fde132f810937d247226410bbc239141493df978da344060f030.exe" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:4048
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:1532
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
        PID:2996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2996-1-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4816-0-0x00000000006E0000-0x00000000006E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4816-2-0x0000000000400000-0x00000000004CA000-memory.dmp

      Filesize

      808KB

      Download

    • memory/4816-4-0x00000000006E0000-0x00000000006E1000-memory.dmp

      Filesize

      4KB

      Download