Analysis

  • max time kernel
    32s
  • max time network
    34s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-04-2024 18:48

General

  • Target

    Lucky Proxy.exe

  • Size

    10.7MB

  • MD5

    f9f683c1fafc61bcccc9a44bef1f2867

  • SHA1

    464183bbe171e5b07921d293f2692c517353f6e4

  • SHA256

    9eca9396e9230e5d10850f535d8c08f571e73b76794f45c12bdca8a80446314d

  • SHA512

    ca6481f8b1d0d2917368f3178256c2825a4de13b5d9baa720e7fa2aa3fd214b13881cb2457af1abe75345348842ad8896e8f1962d672ffb6cddf008dcd940279

  • SSDEEP

    98304:FQU/ui53ANXrPQU/8rJPPGlTrMdhSzVozBjVTcZOOSaHE6+KN51dE27Kfz7ns9z:FQPi5GQ7PuqShYBDRak6+AK2OfA

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-AYYXQ8E

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    SNTiKyNYVqQR

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Detects Eternity stealer 11 IoCs
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe
    "C:\Users\Admin\AppData\Local\Temp\Lucky Proxy.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3272
    • C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE
      "C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE"
      2⤵
      • Executes dropped EXE
      PID:1248
    • C:\Users\Admin\AppData\Local\Temp\STEALER.EXE
      "C:\Users\Admin\AppData\Local\Temp\STEALER.EXE"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe
        "C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE
          "C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE"
          4⤵
          • Executes dropped EXE
          PID:4144
        • C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE
          "C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE"
          4⤵
          • Executes dropped EXE
          PID:4472
        • C:\Windows\SysWOW64\MSDCSC\17RYb5VUkfWF\msdcsc.exe
          "C:\Windows\system32\MSDCSC\17RYb5VUkfWF\msdcsc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2144
    • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      "C:\Windows\system32\MSDCSC\msdcsc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4224

Network

MITRE ATT&CK Matrix (ATT&CK v13; the number after each technique is how many signatures map to it)

  • Persistence
    Boot or Logon Autostart Execution (T1547) ×2
      Registry Run Keys / Startup Folder (T1547.001) ×1
      Winlogon Helper DLL (T1547.004) ×1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547) ×2
      Registry Run Keys / Startup Folder (T1547.001) ×1
      Winlogon Helper DLL (T1547.004) ×1
  • Defense Evasion
    Modify Registry (T1112) ×2
  • Discovery
    Query Registry (T1012) ×1
    System Information Discovery (T1082) ×2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE
    Filesize

    887KB

    MD5

    656811e5b545b83c89e9172d71a31c9d

    SHA1

    94dfbaf4b72bb4a627205536db953fdfb06637f4

    SHA256

    24e4e3268b3b2b043f1ed4ea4e564eba2b0d19824e34f4fbc077510db817eba1

    SHA512

    66f52fc6dd64d58d5b89628cd276f1b098f6e533f3acb6e081daa3c0ce3b9b68977ac0455deef7488d5d7e58fbeedc01691cc2c535c13e5088533dcc70e2f3de

  • C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE
    Filesize

    2.3MB

    MD5

    5846ff38efa46576737ad1b8a9246766

    SHA1

    36586aec663d0fcc12d0924b554ea3ce65599da5

    SHA256

    f6b7fdaa92f8551750fbd372a88efeda90dea586e01c75f9d463478d7752ac7b

    SHA512

    097058dd94a2de214ff69f56e3be54261d75d8dd7cb7b1a5ae2184cbc4bb720d09ab29defde6246939c0401bfd1171f435a86cf280642ada2578db9d30a65820

  • C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE
    Filesize

    1.6MB

    MD5

    177146ba249a68fa55f0e0ba3889b1c6

    SHA1

    994d06dd75554da0024251412c318beff740b7c7

    SHA256

    af8ff83661fb43de992e22464533348c1aaac81e54c58357e09d0a07cd559893

    SHA512

    1764d9372784c7428327bb6e5b9bbb339500566f90c3c784084d8319ffdd620f4fcc81506cadf3e8009ef2cf4e7731d0702e411cdff15740f404cbd3684bb1a0

  • C:\Users\Admin\AppData\Local\Temp\STEALER.EXE
    Filesize

    8.5MB

    MD5

    b81af4dd13f5db948ffec8b8707c2280

    SHA1

    f7f74d80b24ff02499be0fb46f416be14b21c287

    SHA256

    03fa8a7a7ac4dd4754f84f348737dc76f9102349bcac0ce64790bd20906ad21b

    SHA512

    0ef93304db63b84891bc7406d1a39112463600ae1bf4cc89fdb72db32d0ce237e05c84a1d31d94295c439cb4242e083ee97d44946bae61f1b5fa7319357eedde

  • C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe
    Filesize

    3.8MB

    MD5

    afaafeb9ed3224a20c008fe4e987e0fc

    SHA1

    59605cdaded8aa6b009daba59056cbdfce8171d0

    SHA256

    f0395d96a4dae3a00181ff666507342a1b03f5e9a780d3ce8734e934eb13f90d

    SHA512

    747b94a51b065ad3f246a3a931dcc0c4a8b8efa6f9e996fdf63fb955e97f8cbcc45c8b2062292c3c89932df8c847d0d051e240f2903774cbae81d2ac83b8bb82

  • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
    Filesize

    10.7MB

    MD5

    f9f683c1fafc61bcccc9a44bef1f2867

    SHA1

    464183bbe171e5b07921d293f2692c517353f6e4

    SHA256

    9eca9396e9230e5d10850f535d8c08f571e73b76794f45c12bdca8a80446314d

    SHA512

    ca6481f8b1d0d2917368f3178256c2825a4de13b5d9baa720e7fa2aa3fd214b13881cb2457af1abe75345348842ad8896e8f1962d672ffb6cddf008dcd940279

  • memory/1548-76-0x000000001BE30000-0x000000001C238000-memory.dmp
    Filesize

    4.0MB

  • memory/1548-23-0x00007FFFAA950000-0x00007FFFAB411000-memory.dmp
    Filesize

    10.8MB

  • memory/1548-75-0x0000000001740000-0x0000000001750000-memory.dmp
    Filesize

    64KB

  • memory/1548-74-0x0000000001680000-0x0000000001681000-memory.dmp
    Filesize

    4KB

  • memory/1548-78-0x0000000001740000-0x0000000001750000-memory.dmp
    Filesize

    64KB

  • memory/1548-77-0x0000000001740000-0x0000000001750000-memory.dmp
    Filesize

    64KB

  • memory/1548-189-0x0000000001740000-0x0000000001750000-memory.dmp
    Filesize

    64KB

  • memory/1548-72-0x00000000016F0000-0x0000000001740000-memory.dmp
    Filesize

    320KB

  • memory/1548-190-0x0000000001740000-0x0000000001750000-memory.dmp
    Filesize

    64KB

  • memory/1548-73-0x00007FFFAA950000-0x00007FFFAB411000-memory.dmp
    Filesize

    10.8MB

  • memory/1548-21-0x0000000000620000-0x0000000000E9A000-memory.dmp
    Filesize

    8.5MB

  • memory/1548-188-0x0000000001740000-0x0000000001750000-memory.dmp
    Filesize

    64KB

  • memory/1548-185-0x00007FFFAA950000-0x00007FFFAB411000-memory.dmp
    Filesize

    10.8MB

  • memory/2144-184-0x0000000000400000-0x00000000007D6000-memory.dmp
    Filesize

    3.8MB

  • memory/2728-182-0x0000000000400000-0x00000000007D6000-memory.dmp
    Filesize

    3.8MB

  • memory/3272-97-0x0000000000400000-0x0000000000EC2000-memory.dmp
    Filesize

    10.8MB

  • memory/3272-0-0x00000000010A0000-0x00000000010A1000-memory.dmp
    Filesize

    4KB

  • memory/4144-123-0x000000001B8E0000-0x000000001B91E000-memory.dmp
    Filesize

    248KB

  • memory/4144-121-0x0000000000D60000-0x0000000000E46000-memory.dmp
    Filesize

    920KB

  • memory/4224-183-0x0000000000400000-0x0000000000EC2000-memory.dmp
    Filesize

    10.8MB
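The extracted config (Malware Config above) and the dropped-file hashes (Downloads above) together give a usable indicator set, and two points are worth checking before relying on it: the C2 is 127.0.0.1:1604, i.e. loopback, so no network sensor outside the host will ever see this configuration beaconing, and the dropped C:\Windows\SysWOW64\MSDCSC\msdcsc.exe carries exactly the same MD5/SHA1/SHA256/SHA512 as the submitted Lucky Proxy.exe, so the "dropped" file is the sample copying itself to its InstallPath. The script below is an added example (not part of the report or of any tooling it describes) that turns those indicators into a matcher and runs it over constructed Sysmon-style records. The Sysmon field names (EventID, Image, Hashes, TargetObject, Details, DestinationIp, DestinationPort) are real, the record values are made up for the demo; the report does not say which Winlogon value was modified, so the Userinit value in the sample data and the rule "any Winlogon write whose data points at the install path" are assumptions, as is treating reg_key MicroUpdate as the Run value name. The mutex is kept as a constant for handle or mutex scans only; Sysmon does not log mutex creation, so the matcher does not use it.

```python
"""IOC matcher built from the indicators in the sandbox report above.

Added example, not part of the report. Indicators are copied from the report
(dropped-file SHA-256s, the DarkComet InstallPath and reg_key, the mutex, the C2
socket). The log records are constructed Sysmon-style lines: the field names are
real Sysmon names, the values are invented for the demo.
"""
from typing import Optional

# --- Indicators taken from the report ---------------------------------------
SAMPLE_SHA256 = "9eca9396e9230e5d10850f535d8c08f571e73b76794f45c12bdca8a80446314d"

DROPPED_FILES = {  # path -> SHA-256, from the Downloads section
    r"C:\Users\Admin\AppData\Local\Temp\ETERNITYV5.EXE":
        "24e4e3268b3b2b043f1ed4ea4e564eba2b0d19824e34f4fbc077510db817eba1",
    r"C:\Users\Admin\AppData\Local\Temp\KULO PROXY.EXE":
        "f6b7fdaa92f8551750fbd372a88efeda90dea586e01c75f9d463478d7752ac7b",
    r"C:\Users\Admin\AppData\Local\Temp\LUCKY CRACKED.EXE":
        "af8ff83661fb43de992e22464533348c1aaac81e54c58357e09d0a07cd559893",
    r"C:\Users\Admin\AppData\Local\Temp\STEALER.EXE":
        "03fa8a7a7ac4dd4754f84f348737dc76f9102349bcac0ce64790bd20906ad21b",
    r"C:\Users\Admin\AppData\Local\Temp\azy44iqu.ptn\KuloCrackedByHaci.exe":
        "f0395d96a4dae3a00181ff666507342a1b03f5e9a780d3ce8734e934eb13f90d",
    r"C:\Windows\SysWOW64\MSDCSC\msdcsc.exe": SAMPLE_SHA256,
}
HASH_IOCS = set(DROPPED_FILES.values())
INSTALL_PATH_SUFFIX = "\\msdcsc\\msdcsc.exe"  # config InstallPath, compared case-insensitively
RUN_VALUE_NAME = "MicroUpdate"                # config reg_key, assumed to be the Run value name
MUTEX = "DC_MUTEX-AYYXQ8E"                    # config Mutex; not visible in Sysmon, for handle scans
C2_HOST, C2_PORT = "127.0.0.1", 1604          # config C2: loopback, only meaningful on-host


def self_copies() -> list:
    """Dropped files whose hash equals the submitted sample (the RAT copying itself)."""
    return [path for path, digest in DROPPED_FILES.items() if digest == SAMPLE_SHA256]


def parse_record(line: str) -> dict:
    """Parse one 'Key=value|Key=value' record (constructed format) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def sha256_of(hashes_field: str) -> Optional[str]:
    """Pull the SHA256 digest out of a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    for item in hashes_field.split(","):
        algo, _, digest = item.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def match_record(ev: dict) -> list:
    """Return (indicator_kind, matched_value) pairs for one parsed record."""
    hits = []
    eid = ev.get("EventID")
    if eid == "1":  # ProcessCreate
        digest = sha256_of(ev.get("Hashes", ""))
        if digest in HASH_IOCS:
            hits.append(("sha256", digest))
        if ev.get("Image", "").lower().endswith(INSTALL_PATH_SUFFIX):
            hits.append(("install_path", ev["Image"]))
    elif eid == "13":  # RegistryEvent (value set)
        target = ev.get("TargetObject", "")
        if "\\currentversion\\run\\" in target.lower() and target.rsplit("\\", 1)[-1] == RUN_VALUE_NAME:
            hits.append(("run_key", target))
        # The report only says WinLogon was modified, not which value (assumption):
        # flag any Winlogon write whose data points at the install path.
        if "\\winlogon\\" in target.lower() and INSTALL_PATH_SUFFIX in ev.get("Details", "").lower():
            hits.append(("winlogon", target))
    elif eid == "3":  # NetworkConnect
        if ev.get("DestinationIp") == C2_HOST and ev.get("DestinationPort") == str(C2_PORT):
            hits.append(("c2", f"{C2_HOST}:{C2_PORT}"))
    return hits


def scan(lines: list) -> list:
    """Run the matcher over raw records; returns (line_no, kind, value) triples."""
    return [(n, kind, val) for n, line in enumerate(lines, 1)
            for kind, val in match_record(parse_record(line))]


# Constructed sample records (not telemetry from the report).
SAMPLE_LOG = [
    "EventID=1|Image=C:\\Windows\\SysWOW64\\MSDCSC\\msdcsc.exe|Hashes=MD5=f9f683c1fafc61bcccc9a44bef1f2867,SHA256=9ECA9396E9230E5D10850F535D8C08F571E73B76794F45C12BDCA8A80446314D",
    "EventID=13|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroUpdate|Details=C:\\Windows\\system32\\MSDCSC\\msdcsc.exe",
    "EventID=13|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit|Details=C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe",
    "EventID=3|Image=C:\\Windows\\SysWOW64\\MSDCSC\\msdcsc.exe|DestinationIp=127.0.0.1|DestinationPort=1604",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("self-copies:", self_copies())
```

Running it reports five hits on the first four records (hash and install path on the process start, the Run value, the Winlogon write, the loopback connect) and none on the benign notepad record; self_copies() returns only the msdcsc.exe path. For a real hunt, feed it exported Sysmon events in the same key=value shape, keep the hash and path rules, and treat the C2 rule as host-local only.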