Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-04-2024 18:48

General

  • Target

    Lucky Proxy.exe

  • Size

    10.7MB

  • MD5

    f9f683c1fafc61bcccc9a44bef1f2867

  • SHA1

    464183bbe171e5b07921d293f2692c517353f6e4

  • SHA256

    9eca9396e9230e5d10850f535d8c08f571e73b76794f45c12bdca8a80446314d

  • SHA512

    ca6481f8b1d0d2917368f3178256c2825a4de13b5d9baa720e7fa2aa3fd214b13881cb2457af1abe75345348842ad8896e8f1962d672ffb6cddf008dcd940279

  • SSDEEP

    98304:FQU/ui53ANXrPQU/8rJPPGlTrMdhSzVozBjVTcZOOSaHE6+KN51dE27Kfz7ns9z:FQPi5GQ7PuqShYBDRak6+AK2OfA

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-AYYXQ8E

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    SNTiKyNYVqQR

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Detects Eternity stealer 15 IoCs
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe
    "C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE
      "C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE"
      2⤵
      • Executes dropped EXE
      PID:3068
    • C:\Users\Admin\AppData\Local\Temp\STEALER.EXE
      "C:\Users\Admin\AppData\Local\Temp\STEALER.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe
        "C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE
          "C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1200
          • C:\Users\Admin\AppData\Local\Temp\dcd.exe
            "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
            5⤵
            • Executes dropped EXE
            PID:1768
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 1200 -s 1544
            5⤵
            PID:2724
          • C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE
            "C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE"
            4⤵
            • Executes dropped EXE
            PID:1372
          • C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe
            "C:\Windows\system32\MSDCSC\17RYb5VUkfWF\msdcsc.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2728
        • C:\Users\Admin\AppData\Local\Temp\dcd.exe
          "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
          3⤵
          • Executes dropped EXE
          PID:2372
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2624 -s 1904
          3⤵
          PID:2468
        • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
          "C:\Windows\system32\MSDCSC\msdcsc.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2404

      Network

      MITRE ATT&CK Matrix (ATT&CK v13)

      Persistence

        • Boot or Logon Autostart Execution (T1547): 2
          • Registry Run Keys / Startup Folder (T1547.001): 1
          • Winlogon Helper DLL (T1547.004): 1

      Privilege Escalation

        • Boot or Logon Autostart Execution (T1547): 2
          • Registry Run Keys / Startup Folder (T1547.001): 1
          • Winlogon Helper DLL (T1547.004): 1

      Defense Evasion

        • Modify Registry (T1112): 2

      Discovery

        • System Information Discovery (T1082): 1

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE
        Filesize

        2.3MB

        MD5

        5846ff38efa46576737ad1b8a9246766

        SHA1

        36586aec663d0fcc12d0924b554ea3ce65599da5

        SHA256

        f6b7fdaa92f8551750fbd372a88efeda90dea586e01c75f9d463478d7752ac7b

        SHA512

        097058dd94a2de214ff69f56e3be54261d75d8dd7cb7b1a5ae2184cbc4bb720d09ab29defde6246939c0401bfd1171f435a86cf280642ada2578db9d30a65820

      • C:\Users\Admin\AppData\Local\Temp\dcd.exe
        Filesize

        227KB

        MD5

        b5ac46e446cead89892628f30a253a06

        SHA1

        f4ad1044a7f77a1b02155c3a355a1bb4177076ca

        SHA256

        def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

        SHA512

        bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

      • C:\Users\Admin\AppData\Local\Temp\l1kgazv1.uny\KuloCrackedByHaci.exe
        Filesize

        3.8MB

        MD5

        afaafeb9ed3224a20c008fe4e987e0fc

        SHA1

        59605cdaded8aa6b009daba59056cbdfce8171d0

        SHA256

        f0395d96a4dae3a00181ff666507342a1b03f5e9a780d3ce8734e934eb13f90d

        SHA512

        747b94a51b065ad3f246a3a931dcc0c4a8b8efa6f9e996fdf63fb955e97f8cbcc45c8b2062292c3c89932df8c847d0d051e240f2903774cbae81d2ac83b8bb82

      • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        Filesize

        10.7MB

        MD5

        f9f683c1fafc61bcccc9a44bef1f2867

        SHA1

        464183bbe171e5b07921d293f2692c517353f6e4

        SHA256

        9eca9396e9230e5d10850f535d8c08f571e73b76794f45c12bdca8a80446314d

        SHA512

        ca6481f8b1d0d2917368f3178256c2825a4de13b5d9baa720e7fa2aa3fd214b13881cb2457af1abe75345348842ad8896e8f1962d672ffb6cddf008dcd940279

      • \Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE
        Filesize

        887KB

        MD5

        656811e5b545b83c89e9172d71a31c9d

        SHA1

        94dfbaf4b72bb4a627205536db953fdfb06637f4

        SHA256

        24e4e3268b3b2b043f1ed4ea4e564eba2b0d19824e34f4fbc077510db817eba1

        SHA512

        66f52fc6dd64d58d5b89628cd276f1b098f6e533f3acb6e081daa3c0ce3b9b68977ac0455deef7488d5d7e58fbeedc01691cc2c535c13e5088533dcc70e2f3de

      • \Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE
        Filesize

        1.6MB

        MD5

        177146ba249a68fa55f0e0ba3889b1c6

        SHA1

        994d06dd75554da0024251412c318beff740b7c7

        SHA256

        af8ff83661fb43de992e22464533348c1aaac81e54c58357e09d0a07cd559893

        SHA512

        1764d9372784c7428327bb6e5b9bbb339500566f90c3c784084d8319ffdd620f4fcc81506cadf3e8009ef2cf4e7731d0702e411cdff15740f404cbd3684bb1a0

      • \Users\Admin\AppData\Local\Temp\STEALER.EXE
        Filesize

        8.5MB

        MD5

        b81af4dd13f5db948ffec8b8707c2280

        SHA1

        f7f74d80b24ff02499be0fb46f416be14b21c287

        SHA256

        03fa8a7a7ac4dd4754f84f348737dc76f9102349bcac0ce64790bd20906ad21b

        SHA512

        0ef93304db63b84891bc7406d1a39112463600ae1bf4cc89fdb72db32d0ce237e05c84a1d31d94295c439cb4242e083ee97d44946bae61f1b5fa7319357eedde

      • memory/1200-49-0x0000000000B60000-0x0000000000C46000-memory.dmp
        Filesize

        920KB

      • memory/1200-51-0x00000000002E0000-0x000000000031E000-memory.dmp
        Filesize

        248KB

      • memory/2172-50-0x0000000000400000-0x0000000000EC2000-memory.dmp
        Filesize

        10.8MB

      • memory/2172-0-0x00000000003F0000-0x00000000003F1000-memory.dmp
        Filesize

        4KB

      • memory/2404-73-0x0000000000400000-0x0000000000EC2000-memory.dmp
        Filesize

        10.8MB

      • memory/2404-75-0x0000000000400000-0x0000000000EC2000-memory.dmp
        Filesize

        10.8MB

      • memory/2404-97-0x0000000000400000-0x0000000000EC2000-memory.dmp
        Filesize

        10.8MB

      • memory/2404-99-0x0000000000400000-0x0000000000EC2000-memory.dmp
        Filesize

        10.8MB

      • memory/2416-61-0x0000000000400000-0x00000000007D6000-memory.dmp
        Filesize

        3.8MB

      • memory/2624-16-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
        Filesize

        9.9MB

      • memory/2624-15-0x0000000000CF0000-0x000000000156A000-memory.dmp
        Filesize

        8.5MB

      • memory/2624-72-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
        Filesize

        9.9MB

      • memory/2624-26-0x000000001C020000-0x000000001C428000-memory.dmp
        Filesize

        4.0MB

      • memory/2728-74-0x0000000000400000-0x00000000007D6000-memory.dmp
        Filesize

        3.8MB

      • memory/2728-76-0x0000000000400000-0x00000000007D6000-memory.dmp
        Filesize

        3.8MB