Overview

overview

10

Static

static

3

01ed6faee2...c1.exe

windows7-x64

10

01ed6faee2...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-12-2024 01:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01ed6faee2a9f3aa9122de177ee91709de6c33e05b84ed312ecd9ce5ca1e08c1.exe

  • Size

    718KB

  • MD5

    be3a4de04dc9453290070a13f70f9201

  • SHA1

    254788b5e992cc36bf75311a4c712a06fc14dd29

  • SHA256

    01ed6faee2a9f3aa9122de177ee91709de6c33e05b84ed312ecd9ce5ca1e08c1

  • SHA512

    469f169a25ec9f255dce57d864d2b830f366a90f2c48666adc163870a21378dba6989ae466e5fb9ad40dac122f12ab9cdc2a9b932d98b5a133b7b15ab90f25e1

  • SSDEEP

    12288:QL88mbu2rpKomPPijFbJ34tEZCgWSZkK5VdKbggPdOXwx6vwGpy30Yw6W:b8p2goysF4taCgVRdiNlOQF30V

Score
10/10
darkcometfodiscoveryevasionrattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

fo

C2

127.0.0.1:1010

46.39.230.61:1010
Mutex

DC_MUTEX-PR2UBLF

Attributes
  • gencode

    ovcHaFsW9bRT

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\01ed6faee2a9f3aa9122de177ee91709de6c33e05b84ed312ecd9ce5ca1e08c1.exe
    "C:\Users\Admin\AppData\Local\Temp\01ed6faee2a9f3aa9122de177ee91709de6c33e05b84ed312ecd9ce5ca1e08c1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Users\Admin\AppData\Local\Temp\ror.exe
      "C:\Users\Admin\AppData\Local\Temp\ror.exe"
      2⤵
      • Modifies security service
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Windows security modification
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4472
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ror.exe" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3200
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\ror.exe" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4932
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4412
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4900
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ror.exe
    Filesize

    251KB

    MD5

    169b88b99a74428b0dbc617fb209379e

    SHA1

    4743c42d5aea002dc04dbfe4e4eba2a2c4da6014

    SHA256

    6f6113d00980391262126021c78100e29d9cd12ca97c18ca1172c12e7138ce80

    SHA512

    44fdf103ee303b7497a633f595daf22704dc7af012796201bf9ac76561b41d10b6fc6007f5de5eeadf2a1c2db83310a5b73a7a466da3bb92ef4f675244f3666d

    Download Submit

  • memory/4472-14-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/4472-16-0x0000000000820000-0x0000000000821000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4472-18-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/4472-21-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/4472-23-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/4472-25-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/4472-26-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/4472-28-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/4472-30-0x0000000000400000-0x00000000004B7000-memory.dmp

    Filesize

    732KB

    Download

  • memory/4900-17-0x00000000008F0000-0x00000000008F1000-memory.dmp

    Filesize

    4KB

    Download