Overview

overview

10

Static

static

8

cc82575926...7d.exe

windows7_x64

10

cc82575926...7d.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    06-11-2020 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe

  • Size

    3.9MB

  • MD5

    f779b9615b86f9dded7f6de1e5c3178c

  • SHA1

    932bb2bb8ee87f26726f0cfd01113fbe65936271

  • SHA256

    cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d

  • SHA512

    710b974627772a4fbf600fb0417690bbc4b956d4d25debae2748f23be473ce17f5356df9f37d17a3b65bcfd462f3bb8377d21af001f9f5e619ff01a2cfcbf500

Score
10/10
darkcometpersistencerattrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 3 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe
    "C:\Users\Admin\AppData\Local\Temp\cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMHBA.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3188
    • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      "C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:3548
      • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NMHBA.bat
    MD5

    173bcce4810d4901872d0ef4f0bfea4e

    SHA1

    561b03fdfe68b6419fddf57f32e1aab9a6126a2f

    SHA256

    10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d

    SHA512

    2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    MD5

    191a1f6f257a7bd5a6e8c62ec29ea2ad

    SHA1

    0ea0890aa6e0054b2b97bfd9d5372c9a8aaf557e

    SHA256

    0a64c6b7bd6d2b87997a29250d50275c14da7499d151435f9bb874f6464dd0ac

    SHA512

    21735dff6a395739c979f1bb782fd18537a690eb54b8c01c96cc63d440405c644e43f0107f02997d2dc529a77e5faba86666dfeacf972f990a7751a67af84e7b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    MD5

    191a1f6f257a7bd5a6e8c62ec29ea2ad

    SHA1

    0ea0890aa6e0054b2b97bfd9d5372c9a8aaf557e

    SHA256

    0a64c6b7bd6d2b87997a29250d50275c14da7499d151435f9bb874f6464dd0ac

    SHA512

    21735dff6a395739c979f1bb782fd18537a690eb54b8c01c96cc63d440405c644e43f0107f02997d2dc529a77e5faba86666dfeacf972f990a7751a67af84e7b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    MD5

    191a1f6f257a7bd5a6e8c62ec29ea2ad

    SHA1

    0ea0890aa6e0054b2b97bfd9d5372c9a8aaf557e

    SHA256

    0a64c6b7bd6d2b87997a29250d50275c14da7499d151435f9bb874f6464dd0ac

    SHA512

    21735dff6a395739c979f1bb782fd18537a690eb54b8c01c96cc63d440405c644e43f0107f02997d2dc529a77e5faba86666dfeacf972f990a7751a67af84e7b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    MD5

    191a1f6f257a7bd5a6e8c62ec29ea2ad

    SHA1

    0ea0890aa6e0054b2b97bfd9d5372c9a8aaf557e

    SHA256

    0a64c6b7bd6d2b87997a29250d50275c14da7499d151435f9bb874f6464dd0ac

    SHA512

    21735dff6a395739c979f1bb782fd18537a690eb54b8c01c96cc63d440405c644e43f0107f02997d2dc529a77e5faba86666dfeacf972f990a7751a67af84e7b

    Download Submit
  • memory/1180-5-0x0000000000000000-mapping.dmp
    Download
  • memory/1180-8-0x0000000073970000-0x0000000073A03000-memory.dmp
    Filesize

    588KB

    Download
  • memory/2148-2-0x0000000000000000-mapping.dmp
    Download
  • memory/2204-16-0x0000000000407450-mapping.dmp
    Download
  • memory/2204-15-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/2204-18-0x0000000073970000-0x0000000073A03000-memory.dmp
    Filesize

    588KB

    Download
  • memory/2204-20-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/2204-21-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/3188-4-0x0000000000000000-mapping.dmp
    Download
  • memory/3548-14-0x0000000073970000-0x0000000073A03000-memory.dmp
    Filesize

    588KB

    Download
  • memory/3548-12-0x00000000004B3310-mapping.dmp
    Download
  • memory/3548-11-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/3548-19-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/3548-24-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download