Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
06-11-2020 11:11
General
-
Target
c97cf0d0a0a498ecfd3474d97cf5314f399dacea63701df422f1b0199ad28608.exe
-
Size
252KB
-
MD5
9d1f92ac5af5eff6e517e587e1e8278b
-
SHA1
732ca21d250323be7b2ef24c3c335005e839b196
-
SHA256
c97cf0d0a0a498ecfd3474d97cf5314f399dacea63701df422f1b0199ad28608
-
SHA512
715a7cdb9f2270c447aae9df60be3a2ace48fa276da2ef09161b558b255434e74f5fb3c423b82813c1574bd37e2645ea1cea3375bb613c2b6c7064ed95478063
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c97cf0d0a0a498ecfd3474d97cf5314f399dacea63701df422f1b0199ad28608.exe"C:\Users\Admin\AppData\Local\Temp\c97cf0d0a0a498ecfd3474d97cf5314f399dacea63701df422f1b0199ad28608.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"3⤵
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
9d1f92ac5af5eff6e517e587e1e8278b
SHA1732ca21d250323be7b2ef24c3c335005e839b196
SHA256c97cf0d0a0a498ecfd3474d97cf5314f399dacea63701df422f1b0199ad28608
SHA512715a7cdb9f2270c447aae9df60be3a2ace48fa276da2ef09161b558b255434e74f5fb3c423b82813c1574bd37e2645ea1cea3375bb613c2b6c7064ed95478063
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
9d1f92ac5af5eff6e517e587e1e8278b
SHA1732ca21d250323be7b2ef24c3c335005e839b196
SHA256c97cf0d0a0a498ecfd3474d97cf5314f399dacea63701df422f1b0199ad28608
SHA512715a7cdb9f2270c447aae9df60be3a2ace48fa276da2ef09161b558b255434e74f5fb3c423b82813c1574bd37e2645ea1cea3375bb613c2b6c7064ed95478063
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
9d1f92ac5af5eff6e517e587e1e8278b
SHA1732ca21d250323be7b2ef24c3c335005e839b196
SHA256c97cf0d0a0a498ecfd3474d97cf5314f399dacea63701df422f1b0199ad28608
SHA512715a7cdb9f2270c447aae9df60be3a2ace48fa276da2ef09161b558b255434e74f5fb3c423b82813c1574bd37e2645ea1cea3375bb613c2b6c7064ed95478063
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
9d1f92ac5af5eff6e517e587e1e8278b
SHA1732ca21d250323be7b2ef24c3c335005e839b196
SHA256c97cf0d0a0a498ecfd3474d97cf5314f399dacea63701df422f1b0199ad28608
SHA512715a7cdb9f2270c447aae9df60be3a2ace48fa276da2ef09161b558b255434e74f5fb3c423b82813c1574bd37e2645ea1cea3375bb613c2b6c7064ed95478063
-
memory/1224-0-0x0000000000000000-mapping.dmp
-
memory/1224-1-0x0000000000190000-0x0000000000191000-memory.dmpFilesize
4KB
-
memory/1224-2-0x0000000000000000-mapping.dmp
-
memory/1364-5-0x0000000000000000-mapping.dmp
-
memory/1744-8-0x0000000000000000-mapping.dmp
-
memory/1744-9-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/1744-10-0x0000000000000000-mapping.dmp