Analysis
-
max time kernel
151s -
max time network
147s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
17-11-2020 11:34
General
-
Target
9b89fb51be345ff9564807566ff45444.exe
-
Size
252KB
-
MD5
1ae87b63858a496bd9473e57fb4d8f31
-
SHA1
30593034cc80261649a334cde198d6c2dc3a866c
-
SHA256
113936749f6b08da52458f7536043df7dc3da181b084db8240d441ddc3d7c02d
-
SHA512
d02eb94c60c5361138942a2af0758c8b97e72fa898f31fbb75f4055cfb2eac6a5549407b57155b8c3ee2250b64e1849f662620f2a9d69a0da6057ca440bbe37c
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b89fb51be345ff9564807566ff45444.exe"C:\Users\Admin\AppData\Local\Temp\9b89fb51be345ff9564807566ff45444.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
1ae87b63858a496bd9473e57fb4d8f31
SHA130593034cc80261649a334cde198d6c2dc3a866c
SHA256113936749f6b08da52458f7536043df7dc3da181b084db8240d441ddc3d7c02d
SHA512d02eb94c60c5361138942a2af0758c8b97e72fa898f31fbb75f4055cfb2eac6a5549407b57155b8c3ee2250b64e1849f662620f2a9d69a0da6057ca440bbe37c
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
1ae87b63858a496bd9473e57fb4d8f31
SHA130593034cc80261649a334cde198d6c2dc3a866c
SHA256113936749f6b08da52458f7536043df7dc3da181b084db8240d441ddc3d7c02d
SHA512d02eb94c60c5361138942a2af0758c8b97e72fa898f31fbb75f4055cfb2eac6a5549407b57155b8c3ee2250b64e1849f662620f2a9d69a0da6057ca440bbe37c
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
1ae87b63858a496bd9473e57fb4d8f31
SHA130593034cc80261649a334cde198d6c2dc3a866c
SHA256113936749f6b08da52458f7536043df7dc3da181b084db8240d441ddc3d7c02d
SHA512d02eb94c60c5361138942a2af0758c8b97e72fa898f31fbb75f4055cfb2eac6a5549407b57155b8c3ee2250b64e1849f662620f2a9d69a0da6057ca440bbe37c
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
1ae87b63858a496bd9473e57fb4d8f31
SHA130593034cc80261649a334cde198d6c2dc3a866c
SHA256113936749f6b08da52458f7536043df7dc3da181b084db8240d441ddc3d7c02d
SHA512d02eb94c60c5361138942a2af0758c8b97e72fa898f31fbb75f4055cfb2eac6a5549407b57155b8c3ee2250b64e1849f662620f2a9d69a0da6057ca440bbe37c
-
memory/1788-10-0x0000000000000000-mapping.dmp
-
memory/1788-9-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/1788-8-0x0000000000000000-mapping.dmp
-
memory/1972-5-0x0000000000000000-mapping.dmp
-
memory/2012-0-0x0000000000000000-mapping.dmp
-
memory/2012-1-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/2012-2-0x0000000000000000-mapping.dmp