Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/02/2025, 22:46

General

  • Target

    6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe

  • Size

    343KB

  • MD5

    77fd5c6a7ed616d1146a055a9aa58720

  • SHA1

    cafacc26a98e13c768eeea3bba37973db58453c3

  • SHA256

    6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a

  • SHA512

    65fa1be05fc3df2caab383fb82af5b619ee1caedab09689878f596596ebf2972ec450fc24ae9e4c27f1639cbcac26c4b7898fa8c95ae27d4fbddb5df228f112f

  • SSDEEP

    6144:XYLtU7Ixhnhz5TN6mJWd/7qMD8gmggfojeGbfUTpYDDmu/+3fbN:osI3lFZWdqswtfJG+pG/YN

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

159.146.115.189:3131

Mutex

DC_MUTEX-6VU05UR

Attributes
  • gencode

    FbWUotbhX9sQ

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe
    "C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
      C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2364
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:340993 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2976
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2144
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    7f2bb387f282c6049da4ccb144e590cc

    SHA1

    d7900cdb207b452c722dc6d55a25bf3357e2b9a9

    SHA256

    fb39b872088c159570524e098b18e94fe822f30515656f7c78d120eea184b1ea

    SHA512

    ae4062a3ef2d47cd5f4fb96f7a8963f2ec0ee6f789799e0a7be1f4bc3ddb8a60790c9d24339f5d1e1b4a0f3f5bf5d47b315d1cd267e107bb0dd59f3fc8e3b804

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    e5b430e9c7fedc04497a9c6d8e0d3cf5

    SHA1

    37ecab8ffcd4cd1f9b94711f76641b2c96d902ae

    SHA256

    b6cb548b3d7dd1dc92cf934466a5945f019eb413fe2f23a19598205df9296f85

    SHA512

    f0fcf2e1e21997775a4b22aade4222fb3fc244bd4f0e7bfb1e479df87068164536fe931b3415da1a8c0595758fe5ed7b636f4796e4edb07ec94fd2d332ce673a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    ee6659a2c36342f56ddcd6dccf480ded

    SHA1

    ca5bf991e7193e90822398606002e30efa07d221

    SHA256

    5b292a6bcc8249099a731d7f2f4ff8508844ec6bc16b63caf9221c99214c74e3

    SHA512

    01bee0c4e36ed522ee93731eff3ada71bddaab2d0829d4c5fe27bcaa492d739fdc321e39d5e561e4925589cdb6d0aca42611ff44eb6ceb114d9b57e504001343

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    0456ce20734f12838a4df9573433eef9

    SHA1

    270dfadad84bf3fef153c19e86770b491be03ede

    SHA256

    b7163b6ca29954e7fc0a62b8e7e2a08e8f527b6c128f22e3ad79a3d10b3e89a2

    SHA512

    96d061b3d5932ed3b2ffbba8d48aaca131957735152aa0d4293ddd76391fd97dbb57432918a628c6912cbc8f836c477073b4b49f27e3433a8af56a0326dc9c11

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    15e06708608003d2e694ad2023381f87

    SHA1

    125498151ffbf9e98468e8e29dc421c731ec990d

    SHA256

    71bfc9720ee41cfadadd5fe042f690e6e92c9091064470d46f61e95b62d2bd14

    SHA512

    24956ea88838bc47349e18bc33c3948c643daccc5a2db250e43f89e776def22c65fa7c01bdc2cdaf1219cd9bff9e9d48383e5a75820143a7980b1b86a5b1d23a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    86dcfe1613edb6cdb7688f80c21a350b

    SHA1

    8ed82fb7520f3b6f38112383b7731759baa18dee

    SHA256

    7abcac79319de40b7374f05558f313a0d295bea9ea02eaa8c9713466c453436b

    SHA512

    871c4e0358009a1de300bf4ed0bd01258fcaa8fb8507f64598d6b5e6f2ce0acaf032bd9d412519a93474a3240f69982f28b5051c17f3a32b465c1e933bf1ad1c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    bb683931b113812c88325ab5f7e2f76f

    SHA1

    57cf185cbbf3cf7554e6c5cae947160e561b74a8

    SHA256

    39c38a9e14022ecde0dade166c178f8dbd0687d783d70628d2eff039c6280358

    SHA512

    3430763cfda9b97d1201f5c9e5767856f7d9e3f9f73cd77ec74d16d260b00220077efe832cbb6f7e883fb9d8cf4d9753e73746d8c6596e7d90d25c33134f77bf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    faa84a7a2acf642e4d951a4dfb245b5b

    SHA1

    c18d3cbe4ade991328aadce58bf5e3169ee01743

    SHA256

    4e31a7211577ff4ce936380ac5f8e48debf9238e82342ca8388dd73f388161fd

    SHA512

    9797751d3f189d2b6b31b6500458ade53f2423cf0c459b8e993664ef2bb797d1ec4f20c183b103fa1a672158ba2e1cb4c7a1cc07e1a0dabdb53489cba48bed02

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    60f966976f5f73b96b460a8f3a72f4f3

    SHA1

    bfc5afa7837f343e7b7dfededb0addc5a40ca086

    SHA256

    d181aee88353fe4f335878edf38ce83db0f3f6e5bdc72d54ef69acd5121e4e6a

    SHA512

    fd912be31d8d9a3c65eb16ddabac5c208c38eda8146509851dac764b7948dcb55322ba1e001300570c30b4e3a8295a7a61bad46fcec14ef456d868e675cdd783

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    f8346cf9748581b7f08949eae3635a34

    SHA1

    78e72d202aebc41700c79fe1c447fda128f3bdc6

    SHA256

    2dba7d3dc2f8b98ca6e731b02219736c0a1d7aa6a376c99c32b2918c07f4b860

    SHA512

    77b2c66d64282676b7f9683fc9b4e49e7dd70220488765dc32d0ca9fc5bf5d285f1ddc99a6178082a80cefaf0a5ca81e10e7e8b5f7f8c6fe7a8075621d18e1d2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    446c621dc0be0f3814d9a1cadc461ad1

    SHA1

    66a702ca448eda1cba5d1f06c89ea147fde2d085

    SHA256

    13f9ac672e005653f576a71bd940af9a97f305672bd080590a3f13dbf7158d2b

    SHA512

    637c7bf2315fc0cbfd427794a8835f036a351efc3b019abc33d1e03d6688a97ad4419118858e6d238c7fbdb452c2b3445cc5e6fec02dc3130f322b2f257deb9f

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B2A77CE1-F55C-11EF-9981-C62FFBBDC457}.dat

    Filesize

    5KB

    MD5

    c125780be7b71fdf216cc8f9513506d4

    SHA1

    e74bc7c4aaf88ee79d7ebc6c2bc5d1d69da5b2b7

    SHA256

    0b69540af596caaa293b449e505d107d73d5d3d6a0f7b3449fc6c148f4c46aba

    SHA512

    b296c2039c35dbf546f2006a300a7dda2b5da87c86c35c377fb876188b22d89a08562c0801dd4ade809377690fc0b8c9e89586e8ced004f4b5d87e17301d7b40

  • C:\Users\Admin\AppData\Local\Temp\CabE88E.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarF744.tmp

    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

  • \Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe

    Filesize

    105KB

    MD5

    d5ca6e1f080abc64bbb11e098acbeabb

    SHA1

    1849634bf5a65e1baddddd4452c99dfa003e2647

    SHA256

    30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

    SHA512

    aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

  • memory/1616-12-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/1616-19-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/1616-137-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/1616-36-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/1616-334-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/1616-337-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/1616-9-0x0000000000360000-0x00000000003BD000-memory.dmp

    Filesize

    372KB

  • memory/1616-10-0x0000000000360000-0x00000000003BD000-memory.dmp

    Filesize

    372KB

  • memory/1616-0-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/1732-21-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/1732-11-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/1732-13-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/1732-17-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/1732-16-0x0000000000340000-0x0000000000341000-memory.dmp

    Filesize

    4KB

  • memory/1732-15-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/1732-14-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB