Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 03:01

General

  • Target

    fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dcN.exe

  • Size

    718KB

  • MD5

    cc2f7185c6f4fb6308920d5a5676a600

  • SHA1

    2b5d0eb8e5cd4f76b3504e5011d8eed711c9fcb5

  • SHA256

    fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dc

  • SHA512

    ffa55b7d96a57213c98374332d26463b9779bcaff52a509df9e523f8e4171770859666bcf07a7215c4c31941269c8d4d89f142d04df8337d7ff174859bf7c67a

  • SSDEEP

    12288:QL88mbu2rpKomPPijFbJ34tEZCgWSZkK5VdKbggPdOXwx6vwGpy30Yw6m:b8p2goysF4taCgVRdiNlOQF309

Malware Config

Extracted

Family

darkcomet

Botnet

fo

C2

127.0.0.1:1010

46.39.230.61:1010

Mutex

DC_MUTEX-PR2UBLF

Attributes
  • gencode

    ovcHaFsW9bRT

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dcN.exe
    "C:\Users\Admin\AppData\Local\Temp\fba9123755068d98735d9c5a00d99abd57a90acaccce9b1a0549c1aeb76613dcN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Local\Temp\ror.exe
      "C:\Users\Admin\AppData\Local\Temp\ror.exe"
      2⤵
      • Modifies security service
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2808
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ror.exe" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\ror.exe" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2444
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2476
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2420

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ror.exe

    Filesize

    251KB

    MD5

    169b88b99a74428b0dbc617fb209379e

    SHA1

    4743c42d5aea002dc04dbfe4e4eba2a2c4da6014

    SHA256

    6f6113d00980391262126021c78100e29d9cd12ca97c18ca1172c12e7138ce80

    SHA512

    44fdf103ee303b7497a633f595daf22704dc7af012796201bf9ac76561b41d10b6fc6007f5de5eeadf2a1c2db83310a5b73a7a466da3bb92ef4f675244f3666d

  • memory/1660-11-0x0000000002470000-0x0000000002527000-memory.dmp

    Filesize

    732KB

  • memory/2420-16-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/2420-43-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

  • memory/2808-13-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2808-14-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2808-44-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2808-47-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2808-49-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

  • memory/2808-53-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB