Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-12-2024 15:16

General

  • Target

    e8412105090ad0e9d7d905b811afd4c055f69ed631b0b6de8fe34ffac23de890.exe

  • Size

    718KB

  • MD5

    7a59e4b586b19bb7e57799e71831bf30

  • SHA1

    260639259b3781deaed92c9c63e196a3b9c100be

  • SHA256

    e8412105090ad0e9d7d905b811afd4c055f69ed631b0b6de8fe34ffac23de890

  • SHA512

    e233cf418db931990a8671b6e1c7e52dc2a7595cb77e913e98c9f2c2150e6b713012cd19f2487761a8e364e320af47741cf7ab53142fe9305d7491a8b76d747c

  • SSDEEP

    12288:QL88mbu2rpKomPPijFbJ34tEZCgWSZkK5VdKbggPdOXwx6vwGpy30Yw6W:b8p2goysF4taCgVRdiNlOQF30V

Malware Config

Extracted

Family

darkcomet

Botnet

fo

C2

127.0.0.1:1010

46.39.230.61:1010

Mutex

DC_MUTEX-PR2UBLF

Attributes
  • gencode

    ovcHaFsW9bRT

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8412105090ad0e9d7d905b811afd4c055f69ed631b0b6de8fe34ffac23de890.exe
    "C:\Users\Admin\AppData\Local\Temp\e8412105090ad0e9d7d905b811afd4c055f69ed631b0b6de8fe34ffac23de890.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Local\Temp\ror.exe
      "C:\Users\Admin\AppData\Local\Temp\ror.exe"
      2⤵
      • Modifies security service
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2256
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ror.exe" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1864
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\ror.exe" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2604
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2244
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2284

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ror.exe

    Filesize

    251KB

    MD5

    169b88b99a74428b0dbc617fb209379e

    SHA1

    4743c42d5aea002dc04dbfe4e4eba2a2c4da6014

    SHA256

    6f6113d00980391262126021c78100e29d9cd12ca97c18ca1172c12e7138ce80

    SHA512

    44fdf103ee303b7497a633f595daf22704dc7af012796201bf9ac76561b41d10b6fc6007f5de5eeadf2a1c2db83310a5b73a7a466da3bb92ef4f675244f3666d

  • memory/2256-12-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2256-13-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

  • memory/2256-42-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2256-45-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2256-47-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2256-51-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2284-15-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/2284-41-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB