Resubmissions

  • 28-11-2024 18:27
    241128-w3v84swkcw 10
  • 28-11-2024 18:14
    241128-wvelds1lhj 10
  • 28-11-2024 18:03
    241128-wm5gva1kaq 1

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-11-2024 18:27

General

  • Target
    70cff7636e0aaaef0cf817cbdb6c1375706e711a.zip.tar.zip
  • Size
    12.9MB
  • MD5
    ac7dceb4a85cb4250ac1268f8a3d7481
  • SHA1
    fdc57ca604746204049368a5d23e6c2893590d42
  • SHA256
    38a22130997f3fd2afd7d0773735c729eca349ad93455866ad02543109f4329a
  • SHA512
    912cf8aaa594e0838d332fd5d67c1b212887adffcaf765911dda048e23c7e57d4531cb3395cf57f9be6e12c79402863c21af605dfabee854c0dd3e2e435533fd
  • SSDEEP
    196608:6Gy8SAdVkkiPx5yAPpl0AOIy/w4n2uMhrM0yEtWoGcUKJvbdS8VylZhBqhcDy:6Gy8LXBIRo6u6rM0LgkUKJzdSLnhkN

Malware Config

Extracted

  • Family
    asyncrat
  • Version
    0.5.8
  • Botnet
    Default
  • C2


  • Mutex
    H6EV9c34IZEW
  • Attributes
      • delay
        3
      • install
        false
      • install_folder
        %AppData%
  • aes.plain

Extracted

  • Family
    darkcomet
  • Botnet
    Guest16
  • C2


  • Mutex
    DC_MUTEX-J7WY70H
  • Attributes
      • InstallPath
        MSDCSC\msdcsc.exe
      • gencode
        a7kB2AAlrgH4
      • install
        true
      • offline_keylogger
        true
      • persistence
        true
      • reg_key
        MicroUpdate

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 3 TTPs 6 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes so that the file is not shown in Explorer and similar tools.

  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\70cff7636e0aaaef0cf817cbdb6c1375706e711a.zip.tar.zip"
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3372
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5060
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\70cff7636e0aaaef0cf817cbdb6c1375706e711a\Bitcoin-Address-Utility-main\Bitcoin-Address-Utility-main\bitcoin address utility\Bitcoin-note.png" /ForceBootstrapPaint3D
      1⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2280
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
      1⤵
      • Drops file in System32 directory
      PID:2620
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4668
    • C:\Users\Admin\Downloads\70cff7636e0aaaef0cf817cbdb6c1375706e711a\Bitcoin-Address-Utility-main\Bitcoin-Address-Utility-main\bitcoin address utility\bitcoinaddresutility.config.exe
      "C:\Users\Admin\Downloads\70cff7636e0aaaef0cf817cbdb6c1375706e711a\Bitcoin-Address-Utility-main\Bitcoin-Address-Utility-main\bitcoin address utility\bitcoinaddresutility.config.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3116
    • C:\Users\Admin\Downloads\70cff7636e0aaaef0cf817cbdb6c1375706e711a\Bitcoin-Address-Utility-main\Bitcoin-Address-Utility-main\bitcoin address utility\setup-Btc Address Utility.exe
      "C:\Users\Admin\Downloads\70cff7636e0aaaef0cf817cbdb6c1375706e711a\Bitcoin-Address-Utility-main\Bitcoin-Address-Utility-main\bitcoin address utility\setup-Btc Address Utility.exe"
      1⤵
      • Modifies WinLogon for persistence
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3572
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Downloads\70cff7636e0aaaef0cf817cbdb6c1375706e711a\Bitcoin-Address-Utility-main\Bitcoin-Address-Utility-main\bitcoin address utility\setup-Btc Address Utility.exe" +s +h
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4928
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\Downloads\70cff7636e0aaaef0cf817cbdb6c1375706e711a\Bitcoin-Address-Utility-main\Bitcoin-Address-Utility-main\bitcoin address utility\setup-Btc Address Utility.exe" +s +h
          3⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1624
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Downloads\70cff7636e0aaaef0cf817cbdb6c1375706e711a\Bitcoin-Address-Utility-main\Bitcoin-Address-Utility-main\bitcoin address utility" +s +h
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3168
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\Downloads\70cff7636e0aaaef0cf817cbdb6c1375706e711a\Bitcoin-Address-Utility-main\Bitcoin-Address-Utility-main\bitcoin address utility" +s +h
          3⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:628
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        2⤵
        • Modifies firewall policy service
        • Modifies security service
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:880
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies firewall policy service
          • Modifies security service
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2380
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3944
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      • Filesize
        252KB
      • MD5
        117c00cf711decc4e925c7ad12e2ca23
      • SHA1
        b1821d002502ae4e77345c259e643807a4d42a34
      • SHA256
        531cf2a20d45777f796656c0c1a1d00971bfc8a23485d9bd6a7b7e9beb5c00aa
      • SHA512
        4e9d56d70cbcaf8a8d1340cb958fa544eabd37f30db0bd101525a90997d9a8311829983c4d7cdf24f0fffa3c01ecb98522caee966198c06bec4d54dd5eeb2f25

  • memory/880-91-0x0000000000400000-0x00000000004B7000-memory.dmp
      • Filesize
        732KB
  • memory/880-88-0x0000000000400000-0x00000000004B7000-memory.dmp
      • Filesize
        732KB
  • memory/2380-89-0x0000000000400000-0x00000000004B7000-memory.dmp
      • Filesize
        732KB
  • memory/2620-21-0x00000248E95E0000-0x00000248E95E1000-memory.dmp
      • Filesize
        4KB
  • memory/2620-15-0x00000248E9540000-0x00000248E9541000-memory.dmp
      • Filesize
        4KB
  • memory/2620-19-0x00000248E95D0000-0x00000248E95D1000-memory.dmp
      • Filesize
        4KB
  • memory/2620-20-0x00000248E95E0000-0x00000248E95E1000-memory.dmp
      • Filesize
        4KB
  • memory/2620-2-0x00000248E0960000-0x00000248E0970000-memory.dmp
      • Filesize
        64KB
  • memory/2620-6-0x00000248E09A0000-0x00000248E09B0000-memory.dmp
      • Filesize
        64KB
  • memory/2620-13-0x00000248E94C0000-0x00000248E94C1000-memory.dmp
      • Filesize
        4KB
  • memory/2620-18-0x00000248E95D0000-0x00000248E95D1000-memory.dmp
      • Filesize
        4KB
  • memory/2620-17-0x00000248E9540000-0x00000248E9541000-memory.dmp
      • Filesize
        4KB
  • memory/3116-25-0x00000000051F0000-0x000000000528C000-memory.dmp
      • Filesize
        624KB
  • memory/3116-24-0x0000000004DE0000-0x0000000004E46000-memory.dmp
      • Filesize
        408KB
  • memory/3116-23-0x0000000000390000-0x00000000003CE000-memory.dmp
      • Filesize
        248KB
  • memory/3572-26-0x0000000000400000-0x00000000004B7000-memory.dmp
      • Filesize
        732KB
  • memory/3572-93-0x0000000000400000-0x00000000004B7000-memory.dmp
      • Filesize
        732KB
  • memory/3944-92-0x0000000001200000-0x0000000001201000-memory.dmp
      • Filesize
        4KB