Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 13:59

General

  • Target

    Kulo Crack.exe

  • Size

    3.8MB

  • MD5

    c67c96ec69aba49e5798b60b78064a76

  • SHA1

    ae2d3fde593c1d7abdf375857f07ed6040e97bf9

  • SHA256

    a39b5594c05aa5701d27c79dd9cc783baa29834f42034c63e1329971d957d8b5

  • SHA512

    d45bbfa95d9d1da377538387c0ae58e17d8a4302111f107c0a0772ba8a7353610a0eaa530c24324918d7889dad497ca465170631f380a3b82271be8218fe6169

  • SSDEEP

    49152:AQDgok30ErC6qcXeDGqrHnsXLUWlEINye1OwnBWNhagAL7TjbM0YQRfsaH:AQU//rTarMAhSP

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-DM31UDC

Attributes
  • gencode

    hsUX4vmM8rqc

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Detects Eternity stealer 3 IoCs
  • Eternity

    Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kulo Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\Kulo Crack.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Local\Temp\ASD.EXE
      "C:\Users\Admin\AppData\Local\Temp\ASD.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Users\Admin\AppData\Local\Temp\dcd.exe
        "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
        3⤵
        • Executes dropped EXE
        PID:4024
    • C:\Users\Admin\AppData\Local\Temp\KULO CRACKED.EXE
      "C:\Users\Admin\AppData\Local\Temp\KULO CRACKED.EXE"
      2⤵
      • Executes dropped EXE
      PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v13

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ASD.EXE
    Filesize

    885KB

    MD5

    40828c2fea99e6d82601e973b6219635

    SHA1

    967ad61398e27cce7fe91392a7f2aca705915fe6

    SHA256

    296df2c2bdb287be3bfb2e78c1984efa875c32351972feecd7252cd825328334

    SHA512

    3825e24109fab2671f9aa28c93962bd6be4cecdfa8ead4254695d783bcdb177c131995dfbc377c3e81ed15ff925ed1e7e3dc118bf1dcb4101997650244827037

  • C:\Users\Admin\AppData\Local\Temp\KULO CRACKED.EXE
    Filesize

    2.3MB

    MD5

    4c8e68e1dcf467c29bd1db499400b5eb

    SHA1

    bc058901152dc725799dab88d9b91fe45cfee9cd

    SHA256

    108c775a20a5c9b705a3a1c9ad1dc52bae5d98f6befc2db2497a82654806b847

    SHA512

    c0c3227d11d713f3e4c2bd961123fae01e453671a9a93d6c248c62598d78136553af48d1e7a9e7695c7ac2b4e6c0d7b23f2b7ec9ebfc5456a9f1e6ef851ea05c

  • C:\Users\Admin\AppData\Local\Temp\dcd.exe
    Filesize

    227KB

    MD5

    b5ac46e446cead89892628f30a253a06

    SHA1

    f4ad1044a7f77a1b02155c3a355a1bb4177076ca

    SHA256

    def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

    SHA512

    bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

  • memory/1660-0-0x00000000025D0000-0x00000000025D1000-memory.dmp
    Filesize

    4KB

  • memory/1660-34-0x0000000000400000-0x00000000007D6000-memory.dmp
    Filesize

    3.8MB

  • memory/3052-24-0x000000001AF90000-0x000000001AFA0000-memory.dmp
    Filesize

    64KB

  • memory/3052-21-0x000000001AE70000-0x000000001AEC0000-memory.dmp
    Filesize

    320KB

  • memory/3052-23-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
    Filesize

    4KB

  • memory/3052-25-0x00000000024E0000-0x000000000251E000-memory.dmp
    Filesize

    248KB

  • memory/3052-27-0x000000001AF90000-0x000000001AFA0000-memory.dmp
    Filesize

    64KB

  • memory/3052-26-0x000000001AF90000-0x000000001AFA0000-memory.dmp
    Filesize

    64KB

  • memory/3052-20-0x00007FFA33CB0000-0x00007FFA34771000-memory.dmp
    Filesize

    10.8MB

  • memory/3052-32-0x000000001B370000-0x000000001B472000-memory.dmp
    Filesize

    1.0MB

  • memory/3052-33-0x00007FFA33CB0000-0x00007FFA34771000-memory.dmp
    Filesize

    10.8MB

  • memory/3052-19-0x0000000000230000-0x0000000000316000-memory.dmp
    Filesize

    920KB