Overview

overview

Static

static

1810092b75...22.exe

windows7_x64

1810092b75...22.exe

windows10_x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1810092b7599bad7adea10aeaf4df0c2af29fc85c0904662bab674f231752e22

  • Size

    594KB

  • Sample

    210228-d784ergj3n

  • MD5

    6815e92e3b69abb83257aff53ccf411b

  • SHA1

    dd588b78d08d8eea3f553fe1cec692ac2340111b

  • SHA256

    1810092b7599bad7adea10aeaf4df0c2af29fc85c0904662bab674f231752e22

  • SHA512

    1227bf5619eb7ae56ca4382db764cb55db5a77c3f549cfc478ddee59e35f24408848e737f005209ffa289414a2eb6f5128bd002c95448b103485e33f5bb054a1

Score
10/10
darkcometbootkitevasionpersistenceransomwarerattrojanupx

Malware Config

Targets

    • Target

      1810092b7599bad7adea10aeaf4df0c2af29fc85c0904662bab674f231752e22

    • Size

      594KB

    • MD5

      6815e92e3b69abb83257aff53ccf411b

    • SHA1

      dd588b78d08d8eea3f553fe1cec692ac2340111b

    • SHA256

      1810092b7599bad7adea10aeaf4df0c2af29fc85c0904662bab674f231752e22

    • SHA512

      1227bf5619eb7ae56ca4382db764cb55db5a77c3f549cfc478ddee59e35f24408848e737f005209ffa289414a2eb6f5128bd002c95448b103485e33f5bb054a1

    Score
    10/10
    darkcometevasionpersistencerattrojanupxbootkitransomware

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Disables Task Manager via registry modification

      evasion

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

      ransomwarebootkit

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

2
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks