Overview

overview

10

Static

static

3

038531d52f...7d.exe

windows7-x64

10

038531d52f...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2024 13:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    038531d52fb5fc61c11beabcc05b8ae3f0a988cddbfab0db2f1e99bcb3c6757d.exe

  • Size

    4.5MB

  • MD5

    ac9e4c837b4617a8f76b8f06f23d3c68

  • SHA1

    d210f651d289a8e8b7b984735eb9b0df1b25278d

  • SHA256

    038531d52fb5fc61c11beabcc05b8ae3f0a988cddbfab0db2f1e99bcb3c6757d

  • SHA512

    45c3714e2b8f828e7b72bffc882801e3682f23bfb2abb5a8685550b710542cad31c1f902d906e32c0f9acb97e14e38da6cd93d171643925543a231adfe90b9b4

  • SSDEEP

    49152:VNkIeCY8EHOEoYzTny4X6gO0DA4HlEzD4ft7:d4ft7

Score
10/10
darkcometcrypter_t411discoveryrattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

crypter_t411

C2

milanilou007.ddns.me:1604

Mutex

DC_MUTEX-92C3TY1

Attributes
  • gencode

    KpEHFrlns92y

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 1 IoCs
    installer
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\038531d52fb5fc61c11beabcc05b8ae3f0a988cddbfab0db2f1e99bcb3c6757d.exe
    "C:\Users\Admin\AppData\Local\Temp\038531d52fb5fc61c11beabcc05b8ae3f0a988cddbfab0db2f1e99bcb3c6757d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Users\Admin\AppData\Local\Temp\installerfile.exe
      "C:\Users\Admin\AppData\Local\Temp\installerfile.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Users\Admin\AppData\Local\Temp\MINILYRICS02.EXE
        "C:\Users\Admin\AppData\Local\Temp\MINILYRICS02.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2476
      • C:\Users\Admin\AppData\Local\Temp\MINILYRICS02.EXE
        "C:\Users\Admin\AppData\Local\Temp\MINILYRICS02.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4380

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MINILYRICS02.EXE
    Filesize

    1.2MB

    MD5

    b300638f24c0673f9734585935fe5767

    SHA1

    feef51aa5c64d785be87c9c1ac4fbbc476e86dee

    SHA256

    8bdeb231f5a78e83ef8851ccbd76c530f8c0c88470da463953d03ed3acb8efea

    SHA512

    a8339d0298685273e77ff0640dd49df3f3da616d744adcd529ca5953900452b1dfe4963b9c7215a2c05e711f90b82839adb44d17098eef17842f57e067c980ad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\installerfile.exe
    Filesize

    1.6MB

    MD5

    4a163c1e8faa4e78b56d25b2366aade5

    SHA1

    08a2acb90974547404ed68cbbd5f6670e3492503

    SHA256

    733847379f65033335aefb8ee2ff26a97d2261dc1a7e32af764a879986909108

    SHA512

    c644be8665dceddb987518feeb8af31e313e55003352a6e2525421fefa056670ab3d74fdab683ff2d977780200ccfe48268dedd76a080cce1d05147cfa7a11b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    fbbf9da918557aba6fa6e166a95ee8dd

    SHA1

    abbd02abae00172971a2e9cef62dab3b562f90c7

    SHA256

    dc7daec6f47e63b5d001cd648d40d93c29be6f2c95fe8b212dbb4d94d31cb12d

    SHA512

    0f877a9e5c6eb06374f0f19f92a6ea55b09998c42c67b16db680918e3e0c2023d511893173f76dde60a47ffe916b0d9af09b6255a158fa3e0743dc54d2a35a65

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsbA29B.tmp\instopt.ini
    Filesize

    785B

    MD5

    6e56f023c89ea7930c869514c1c3df6e

    SHA1

    ca80af91b6aea9d89a0ddfbf08f64d14203ecbdf

    SHA256

    7bf32323012c92f989b24d2ad75153f256d0ab44009854fb989b9470ed81d84f

    SHA512

    04b1b46a5506ca38f591b09dd53c384299dedddbbe636fb26c3226e21386a5e19ddb389123d0af7cf444881b7b07384d64dffed4513f4044b1afd79c01dda606

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsmA460.tmp\Installopt.dll
    Filesize

    27KB

    MD5

    e920530682d8a447f5eff132ead4d869

    SHA1

    d3336dd91694398f93434f4416247c01acb3b81d

    SHA256

    d828c804bdd845d95292038c5d90413b51625378e9df83dec49af70a76880323

    SHA512

    6b0b02fcad48d74be850e9fb3d18c7f3dd76e09e2fd024389a397d51cfaac8b65b2abd83b96b88d23f1a5fbae1b02641d0b947604841d1fbaa6adbb1dd00c03d

    Download Submit

  • memory/2664-15-0x0000000000400000-0x0000000000613000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2664-123-0x0000000000400000-0x0000000000613000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2664-18-0x0000000000C70000-0x0000000000C71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2664-130-0x0000000000400000-0x0000000000613000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2664-129-0x0000000000400000-0x0000000000613000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2664-128-0x0000000000400000-0x0000000000613000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2664-127-0x0000000000400000-0x0000000000613000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2664-116-0x0000000000400000-0x0000000000613000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2664-118-0x0000000000400000-0x0000000000613000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2664-120-0x0000000000400000-0x0000000000613000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/5076-17-0x00007FFDD3620000-0x00007FFDD3FC1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/5076-2-0x000000001D6E0000-0x000000001DBAE000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/5076-1-0x00007FFDD3620000-0x00007FFDD3FC1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/5076-3-0x00007FFDD3620000-0x00007FFDD3FC1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/5076-0-0x00007FFDD38D5000-0x00007FFDD38D6000-memory.dmp

    Filesize

    4KB

    Download