Overview

overview

10

Static

static

3

setup.exe

windows10-2004-x64

10

setup.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2025, 16:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    712KB

  • MD5

    3d30882dd83cdbcb727fa9fe6f93180a

  • SHA1

    b4a951c7fe04688c25f91ccb887b8dc22fc759fd

  • SHA256

    1491e9e9a7feaba77ea5f3114cf10dc279e57f807bc5ab0a7044b8eb8df1377c

  • SHA512

    d0f2d0d83b5860982debe6118a74cb43d5b1f699deab73c73f79a24c19181bd796ab869d74fc46a8b76e49f0f516fb54b61c10ae5d5c662899f087d035fdda7b

  • SSDEEP

    12288:/kfaC8uq4tpQxf91tnVhKLw8lx+AByjQBDKRXxhXQoy0LEsj+xNcMvbTcvE4Tzgu:J/CD6fntnVX8yASqx0Fq4qbTcef2

Score
10/10
darkcometguest16discoverypersistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

giviker.zapto.org:100

127.0.0.1:81
Mutex

DC_MUTEX-V8U94FG

Attributes
  • InstallPath

    Windupdate\winupdate.exe

  • gencode

    g4pACYv8bQ%*

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    winupdate

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Darkcomet family
    darkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIFIWP~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIFIWP~1.EXE
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:6112
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIFIWP~1.EXE
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIFIWP~1.EXE"
        3⤵
        • Modifies WinLogon for persistence
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5056
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3152
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\SysWOW64\explorer.exe"
            5⤵
            • Checks BIOS information in registry
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4312
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
      2⤵
        PID:3048
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
        C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5640
        • C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
          "C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe"
          3⤵
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4908
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\SysWOW64\explorer.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4820
            • C:\Windows\SysWOW64\explorer.exe
              "C:\Windows\SysWOW64\explorer.exe"
              5⤵
                PID:5804
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 80
                  6⤵
                  • Program crash
                  PID:3680
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 5804 -ip 5804
        1⤵
          PID:5572

        Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\explorer.exe.log
          Filesize

          128B

          MD5

          a5dcc7c9c08af7dddd82be5b036a4416

          SHA1

          4f998ca1526d199e355ffb435bae111a2779b994

          SHA256

          e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

          SHA512

          56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE
          Filesize

          464KB

          MD5

          e528c9ceeb7f95c587085b8c81fadd32

          SHA1

          bf161fcfad797e54d20f21d7c60ad49cddf00856

          SHA256

          8edbf5024b447b4d9803fa0a47fa1cd815ae37701ecc2967d45e92721574c888

          SHA512

          feec96236d2a57deaa70c3f029c340bbc74f4650d6176fe362bd7faa9053660f0c82db712f523fe7b6aee6c93cb5c1f3227c0bec11036a5ddbbfeb37106f2382

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WIFIWP~1.EXE
          Filesize

          607KB

          MD5

          34023d08f16ead8bf2950977c6fd58bb

          SHA1

          cac710544bdad073f55190781073d52aa0036c41

          SHA256

          7f23e3050d990f95663fc4cea26673f3052c8f69f57a4f318a26603f344dbcde

          SHA512

          765f8038e5229e6f93c4b0a239783469b7db0ab0672a0ad846f102bb834c83857111c3d12151ba2d59c79a172e9985c26b1e6dae77918e90dd6aa8bc3b37181d

          Download Submit

        • memory/5056-79-0x0000000000400000-0x00000000004B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/5056-83-0x0000000000400000-0x00000000004B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/5056-81-0x0000000000400000-0x00000000004B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/5056-77-0x0000000000400000-0x00000000004B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/5056-227-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/5056-212-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-53-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-48-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-21-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-22-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-24-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-23-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-20-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-47-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-55-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-54-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-61-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-52-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-82-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-74-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-73-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-72-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-69-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-62-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-60-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-19-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-51-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-50-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-49-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-18-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-46-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-43-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-45-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-44-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-42-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-41-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-39-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-40-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-38-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-37-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-36-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-35-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-34-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-33-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-32-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-31-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-30-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-29-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-28-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-27-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-26-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/6112-16-0x0000000076BB0000-0x0000000076BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/6112-17-0x0000000076B90000-0x0000000076C80000-memory.dmp

          Filesize

          960KB

          Download

        • memory/6112-7-0x00000000001C0000-0x00000000001E0000-memory.dmp

          Filesize

          128KB

          Download