Overview

overview

10

Static

static

3

1348493b6f...fN.exe

windows7-x64

10

1348493b6f...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2024 13:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1348493b6f64887733493d5410611dc0e30a21bb5b0ad75550614b285d8419cfN.exe

  • Size

    4.5MB

  • MD5

    42915e4c23133dad9b7dfe6e26e59e00

  • SHA1

    6f5166b6348536f21e433d4c13fce83d5641de16

  • SHA256

    1348493b6f64887733493d5410611dc0e30a21bb5b0ad75550614b285d8419cf

  • SHA512

    e5d01879e5713d1a7b076fbb53290a831f7b159b7f418094717babc1552859d947eb55bcc533f4435cac52c29d21809ca7ceef49c199ce36d8525beb1a65c6ef

  • SSDEEP

    49152:VNkIeCY8EHOEoYzTny4X6gO0DA4HlEzD4ft:d4ft

Score
10/10
darkcometcrypter_t411discoveryrattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

crypter_t411

C2

milanilou007.ddns.me:1604

Mutex

DC_MUTEX-92C3TY1

Attributes
  • gencode

    KpEHFrlns92y

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 15 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 1 IoCs
    installer
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1348493b6f64887733493d5410611dc0e30a21bb5b0ad75550614b285d8419cfN.exe
    "C:\Users\Admin\AppData\Local\Temp\1348493b6f64887733493d5410611dc0e30a21bb5b0ad75550614b285d8419cfN.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Users\Admin\AppData\Local\Temp\installerfile.exe
      "C:\Users\Admin\AppData\Local\Temp\installerfile.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:880
      • C:\Users\Admin\AppData\Local\Temp\MINILYRICS02.EXE
        "C:\Users\Admin\AppData\Local\Temp\MINILYRICS02.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2088
      • C:\Users\Admin\AppData\Local\Temp\MINILYRICS02.EXE
        "C:\Users\Admin\AppData\Local\Temp\MINILYRICS02.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\installerfile.exe
    Filesize

    1.6MB

    MD5

    4a163c1e8faa4e78b56d25b2366aade5

    SHA1

    08a2acb90974547404ed68cbbd5f6670e3492503

    SHA256

    733847379f65033335aefb8ee2ff26a97d2261dc1a7e32af764a879986909108

    SHA512

    c644be8665dceddb987518feeb8af31e313e55003352a6e2525421fefa056670ab3d74fdab683ff2d977780200ccfe48268dedd76a080cce1d05147cfa7a11b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsoE63C.tmp\instopt.ini
    Filesize

    785B

    MD5

    6e56f023c89ea7930c869514c1c3df6e

    SHA1

    ca80af91b6aea9d89a0ddfbf08f64d14203ecbdf

    SHA256

    7bf32323012c92f989b24d2ad75153f256d0ab44009854fb989b9470ed81d84f

    SHA512

    04b1b46a5506ca38f591b09dd53c384299dedddbbe636fb26c3226e21386a5e19ddb389123d0af7cf444881b7b07384d64dffed4513f4044b1afd79c01dda606

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MINILYRICS02.EXE
    Filesize

    1.2MB

    MD5

    b300638f24c0673f9734585935fe5767

    SHA1

    feef51aa5c64d785be87c9c1ac4fbbc476e86dee

    SHA256

    8bdeb231f5a78e83ef8851ccbd76c530f8c0c88470da463953d03ed3acb8efea

    SHA512

    a8339d0298685273e77ff0640dd49df3f3da616d744adcd529ca5953900452b1dfe4963b9c7215a2c05e711f90b82839adb44d17098eef17842f57e067c980ad

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsoE63C.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    fbbf9da918557aba6fa6e166a95ee8dd

    SHA1

    abbd02abae00172971a2e9cef62dab3b562f90c7

    SHA256

    dc7daec6f47e63b5d001cd648d40d93c29be6f2c95fe8b212dbb4d94d31cb12d

    SHA512

    0f877a9e5c6eb06374f0f19f92a6ea55b09998c42c67b16db680918e3e0c2023d511893173f76dde60a47ffe916b0d9af09b6255a158fa3e0743dc54d2a35a65

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsyE84E.tmp\Installopt.dll
    Filesize

    27KB

    MD5

    e920530682d8a447f5eff132ead4d869

    SHA1

    d3336dd91694398f93434f4416247c01acb3b81d

    SHA256

    d828c804bdd845d95292038c5d90413b51625378e9df83dec49af70a76880323

    SHA512

    6b0b02fcad48d74be850e9fb3d18c7f3dd76e09e2fd024389a397d51cfaac8b65b2abd83b96b88d23f1a5fbae1b02641d0b947604841d1fbaa6adbb1dd00c03d

    Download Submit

  • memory/880-12-0x0000000000400000-0x0000000000613000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/880-14-0x0000000000A10000-0x0000000000C23000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/880-13-0x0000000000A10000-0x0000000000C23000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/880-119-0x0000000000400000-0x0000000000613000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/880-121-0x0000000000A10000-0x0000000000C23000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/880-122-0x0000000000400000-0x0000000000613000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1224-2-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1224-25-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1224-0-0x000007FEF5E7E000-0x000007FEF5E7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1224-1-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

    Filesize

    9.6MB

    Download