Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://temp.sh/MfOi...

windows10-1703-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-07-2024 14:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://temp.sh/MfOiO/games_installer.exe

Score
10/10
darkcometguest16_minrattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

income-saying.gl.at.ply.gg:51714

Mutex

DCMIN_MUTEX-NWUL1LY

Attributes
  • gencode

    ZKlfG4mdFQsH

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://temp.sh/MfOiO/games_installer.exe"
    1⤵
      PID:4956
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1956
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:5084
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\games_installer.exe
        "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\games_installer.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4520
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2404
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2272
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:3524
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:4676
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:2384
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3544
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2560

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
      Filesize

      4KB

      MD5

      1bfe591a4fe3d91b03cdf26eaacd8f89

      SHA1

      719c37c320f518ac168c86723724891950911cea

      SHA256

      9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

      SHA512

      02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V28C7N3J\edgecompatviewlist[1].xml
      Filesize

      74KB

      MD5

      d4fc49dc14f63895d997fa4940f24378

      SHA1

      3efb1437a7c5e46034147cbbc8db017c69d02c31

      SHA256

      853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

      SHA512

      cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3DFY8PVG\games_installer[1].exe
      Filesize

      658KB

      MD5

      12af453bbf1dfe573ac71879fb1b36c8

      SHA1

      2eb9f00d2dd7cf000edc2414be0f66611035c3fd

      SHA256

      8a1970ca792a8e2bfc4ae792d52dd267d2347aa5e5072db254d12cb781248aaa

      SHA512

      bd314eb59cbcead9b434d1f9670ff48f5a7652dc76c1c494fd6736ff673422d7525f9d6f57bc5269ad6d0bfbd2deaee2f447f14f477ba451026225b2079c3570

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\VQDT4NKQ\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3DFY8PVG\games_installer[1].exe
      Filesize

      303KB

      MD5

      1219a9faf02e5ab1abf5a9afdba6b93f

      SHA1

      8d47a8649e9a84c0ca7650915b4dcc03a35525c0

      SHA256

      e1a7404d21471f760757113a4128586f64fcc7503d7a81c96a7dc25f7f35efff

      SHA512

      311b7c2a21679ce19f11556683164d7dd81aa8d53f6cbff4e9094db1fcc503bf6ac0f086cf4e2158c4bbba61ddfe4b102a5b7ca4060d7ee45501b2c42c70c322

      Download Submit
    • memory/1956-0-0x000002CA4A320000-0x000002CA4A330000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1956-35-0x000002CA47750000-0x000002CA47752000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1956-16-0x000002CA4A420000-0x000002CA4A430000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1956-132-0x000002CA513D0000-0x000002CA513D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1956-133-0x000002CA51500000-0x000002CA51501000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2272-45-0x000001FAE26C0000-0x000001FAE27C0000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/3524-71-0x0000020FC3FB0000-0x0000020FC3FB2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3524-61-0x0000020FB3840000-0x0000020FB3940000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/3524-62-0x0000020FC3D80000-0x0000020FC3D82000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3524-65-0x0000020FC3DB0000-0x0000020FC3DB2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3524-67-0x0000020FC3DD0000-0x0000020FC3DD2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3524-69-0x0000020FC3DF0000-0x0000020FC3DF2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3524-73-0x0000020FC4070000-0x0000020FC4072000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4520-107-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/4520-125-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/4520-128-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/4520-166-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download
    • memory/4520-182-0x0000000000400000-0x00000000004B2000-memory.dmp
      Filesize

      712KB

      Download