Overview

overview

10

Static

static

8

309a5f9f92...66.exe

windows7_x64

10

309a5f9f92...66.exe

windows10_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-11-2020 12:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    309a5f9f926b2fa365a94cbf98214566.exe

  • Size

    559KB

  • MD5

    e4e5a0ee373f5b6085efdb3f2a5f0071

  • SHA1

    85e6daa5792408d4cb4f23767436759f03b683ac

  • SHA256

    fec8c19e1915a8d64f709db2021902713998b20826dda3128a8dd2a414dd7172

  • SHA512

    549bb1c0256b45cf5c7342e915bfd6c5adc1c4ff9d27e13756e5468edbcd2dbf07fbd9ec712ac757c0226d41d2b57ff159968368e18d66485fc74568d0e67658

Score
10/10
darkcometpersistencerattrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\309a5f9f926b2fa365a94cbf98214566.exe
    "C:\Users\Admin\AppData\Local\Temp\309a5f9f926b2fa365a94cbf98214566.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pneXB.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\mcsft.exe" /f
        3⤵
        • Adds Run key to start application
        PID:824
    • C:\Users\Admin\AppData\Roaming\mcsft.exe
      "C:\Users\Admin\AppData\Roaming\mcsft.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:584
      • C:\Users\Admin\AppData\Roaming\mcsft.exe
        C:\Users\Admin\AppData\Roaming\mcsft.exe
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pneXB.bat
    MD5

    a5feca573884d76f559b996d45e8ad9a

    SHA1

    0e81a993f3af4e31d60653dc2513186f0495f1c8

    SHA256

    c98e20d46d6465febb5d29cfab51241521ea5d6cd621f5e18b9b7d6fbfac3f0f

    SHA512

    a9239648b5f15eac4d4151b6e1bdc81065eeaeb101404c2a0126f03bc87f1e6a57206bfa07a44379e9d3bba889e4497a9991ff41fb109099b01512df3dc3cbda

    Download Submit
  • C:\Users\Admin\AppData\Roaming\mcsft.exe
    MD5

    5465d21ef5d723e5c678452a463d1359

    SHA1

    ec0124167ea7d1fa011b6fa4377cca8f3befe2a8

    SHA256

    8b527bc0b64e2a7b2de8a166eb1192692a2551371914426a98c7dcd6af0b54de

    SHA512

    b9b9e721c8f3a6eb54ae8084bfedfe676a103250656aaae07d994369f50f7b9cfc0e9a2f4f08a9924d4ffe0e81e9ddee6119842df8c7b7f052ecfb012bba098f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\mcsft.exe
    MD5

    5465d21ef5d723e5c678452a463d1359

    SHA1

    ec0124167ea7d1fa011b6fa4377cca8f3befe2a8

    SHA256

    8b527bc0b64e2a7b2de8a166eb1192692a2551371914426a98c7dcd6af0b54de

    SHA512

    b9b9e721c8f3a6eb54ae8084bfedfe676a103250656aaae07d994369f50f7b9cfc0e9a2f4f08a9924d4ffe0e81e9ddee6119842df8c7b7f052ecfb012bba098f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\mcsft.exe
    MD5

    5465d21ef5d723e5c678452a463d1359

    SHA1

    ec0124167ea7d1fa011b6fa4377cca8f3befe2a8

    SHA256

    8b527bc0b64e2a7b2de8a166eb1192692a2551371914426a98c7dcd6af0b54de

    SHA512

    b9b9e721c8f3a6eb54ae8084bfedfe676a103250656aaae07d994369f50f7b9cfc0e9a2f4f08a9924d4ffe0e81e9ddee6119842df8c7b7f052ecfb012bba098f

    Download Submit
  • memory/192-16-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/192-15-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/192-12-0x00000000004B3320-mapping.dmp
    Download
  • memory/192-11-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/192-14-0x0000000073AF0000-0x0000000073B83000-memory.dmp
    Filesize

    588KB

    Download
  • memory/584-5-0x0000000000000000-mapping.dmp
    Download
  • memory/584-8-0x0000000073AF0000-0x0000000073B83000-memory.dmp
    Filesize

    588KB

    Download
  • memory/824-4-0x0000000000000000-mapping.dmp
    Download
  • memory/2564-2-0x0000000000000000-mapping.dmp
    Download