Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 21:17
General
-
Target
98755eadea7bd0b44fc437ec5bb15f3aaedcf5cb3265e59e579c23dd29086958.exe
-
Size
266KB
-
MD5
607f3249f01bcb2406e81c2cce900f73
-
SHA1
ee08e9662d34fa613e43ef7d9c81b393377abded
-
SHA256
98755eadea7bd0b44fc437ec5bb15f3aaedcf5cb3265e59e579c23dd29086958
-
SHA512
f46ce677320f2de9b0fce39733484485c14274d3a6e391e68a23ce3aa2273d1bd2871f028293b69ce4319afed73efa251d26483ad5522066624fca75208fca0d
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\98755eadea7bd0b44fc437ec5bb15f3aaedcf5cb3265e59e579c23dd29086958.exe"C:\Users\Admin\AppData\Local\Temp\98755eadea7bd0b44fc437ec5bb15f3aaedcf5cb3265e59e579c23dd29086958.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\98755eadea7bd0b44fc437ec5bb15f3aaedcf5cb3265e59e579c23dd29086958.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\98755eadea7bd0b44fc437ec5bb15f3aaedcf5cb3265e59e579c23dd29086958.exe" +s +h3⤵
- Views/modifies file attributes
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
607f3249f01bcb2406e81c2cce900f73
SHA1ee08e9662d34fa613e43ef7d9c81b393377abded
SHA25698755eadea7bd0b44fc437ec5bb15f3aaedcf5cb3265e59e579c23dd29086958
SHA512f46ce677320f2de9b0fce39733484485c14274d3a6e391e68a23ce3aa2273d1bd2871f028293b69ce4319afed73efa251d26483ad5522066624fca75208fca0d
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
607f3249f01bcb2406e81c2cce900f73
SHA1ee08e9662d34fa613e43ef7d9c81b393377abded
SHA25698755eadea7bd0b44fc437ec5bb15f3aaedcf5cb3265e59e579c23dd29086958
SHA512f46ce677320f2de9b0fce39733484485c14274d3a6e391e68a23ce3aa2273d1bd2871f028293b69ce4319afed73efa251d26483ad5522066624fca75208fca0d
-
memory/2600-0-0x0000000000000000-mapping.dmp
-
memory/2716-1-0x0000000000000000-mapping.dmp
-
memory/2772-5-0x0000000000000000-mapping.dmp
-
memory/2772-6-0x00000000008C0000-0x00000000008C1000-memory.dmpFilesize
4KB
-
memory/2772-7-0x0000000000000000-mapping.dmp
-
memory/3824-2-0x0000000000000000-mapping.dmp