Analysis

  • max time kernel
    146s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    10-08-2024 16:03

General

  • Target

    GeoIP.dat.exe

  • Size

    658KB

  • MD5

    773337c85cf79e1af4c604fd44924f25

  • SHA1

    3ce6e2c2661679caa4911f1b5588ac816db91ed8

  • SHA256

    ca0ca21d2dae0588f4ab2a83e1c68f49eed195fd88d61ec2be2d7445a9095d22

  • SHA512

    974c9c6b040e871eba8cf202df5dcdd39e8170df00ad863dc3f4c7ae00c6a75fd032c6632fdaead37ed568b4b357b05fb838839af214a37f4b93d873111ff730

  • SSDEEP

    12288:i9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hA:OZ1xuVVjfFoynPaVBUR8f+kN10EBq

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-Y40X8WQ

Attributes
  • gencode

    HuyzjRxRwYmK

  • install

    false

  • offline_keylogger

    true

  • password

    0123456789

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe
    "C:\Users\Admin\AppData\Local\Temp\GeoIP.dat.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4156
  • C:\Windows\System32\DataExchangeHost.exe
    C:\Windows\System32\DataExchangeHost.exe -Embedding
    PID:4760

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/4156-0-0x0000000002310000-0x0000000002311000-memory.dmp

      Filesize

      4KB

    • memory/4156-16-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/4156-3-0x0000000002310000-0x0000000002311000-memory.dmp

      Filesize

      4KB

    • memory/4156-1-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/4156-51-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB