Overview

overview

10

Static

static

10

gang.exe

windows7-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-11-2024 03:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gang.exe

  • Size

    658KB

  • MD5

    e7bd8408dd2f953a075215d62009b98f

  • SHA1

    830c1f58cbd35b7dbcbc955ae4bcdb3d753c7f4c

  • SHA256

    a54374fbebdd89c10f55d3321a0d926f8631a1cb126598e9a502604c8031eafd

  • SHA512

    8dc8af946d701452bc0467725067616b7962024ec694be3b1d67c3e1ed07487c5dec3e168a2c76008c65d7769688548c86a2895af3cb176d044fed8820375ea1

  • SSDEEP

    12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hW:eZ1xuVVjfFoynPaVBUR8f+kN10EBQ

Score
10/10
darkcometguest16_mindiscoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

127.0.0.1:1604

Mutex

DCMIN_MUTEX-SLWCWZC

Attributes
  • InstallPath

    DCSCMIN\IMDCSC.exe

  • gencode

    plL1zEd99z7k

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    DarkComet RAT

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gang.exe
    "C:\Users\Admin\AppData\Local\Temp\gang.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2100
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2820
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2892
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2644
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    313B

    MD5

    44c83fc55f6c3fbcc266defd38c90ea1

    SHA1

    70a34439bb18350259434aa477a5d557ea0fbdde

    SHA256

    2d2d229fb1ec11158b9131338a0133505eeaa4d8258e4cb84ad4d2c493908206

    SHA512

    116589eeb57c03fbba4d32855bddd567e89737e359c179ad6b34335e5c3d60d57bf020b03210f469106adf5b399f5700c7a9132b1320bbc24cde37875dfb48c8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    313B

    MD5

    168dc3fd2aeecddb1e652bddf06c1cf9

    SHA1

    1798d79da083cc483b898a55ef7f24e16f224ae6

    SHA256

    74489be6e9249489132166a14ed3b0628f0eb4e8244092c94f1e1739b431c81a

    SHA512

    fcfcb2fd3e3ab7a734670903a13eca098fd35a8f1a8f0504c00a38de31ab7a407f2532c553703333f353009b04420910324ae7c082caf4fd03e23807bbb675f6

    Download Submit

  • \Users\Admin\Documents\DCSCMIN\IMDCSC.exe
    Filesize

    658KB

    MD5

    e7bd8408dd2f953a075215d62009b98f

    SHA1

    830c1f58cbd35b7dbcbc955ae4bcdb3d753c7f4c

    SHA256

    a54374fbebdd89c10f55d3321a0d926f8631a1cb126598e9a502604c8031eafd

    SHA512

    8dc8af946d701452bc0467725067616b7962024ec694be3b1d67c3e1ed07487c5dec3e168a2c76008c65d7769688548c86a2895af3cb176d044fed8820375ea1

    Download Submit

  • memory/2100-24-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2100-14-0x00000000004C0000-0x00000000004C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2100-13-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2100-10-0x00000000004C0000-0x00000000004C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2100-40-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2100-20-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2100-22-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2100-23-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2520-12-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2520-0-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2644-26-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2644-38-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2656-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2820-19-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2820-17-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2820-16-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download