Overview

overview

10

Static

static

2a8e8e9ba3...9f.exe

windows7_x64

10

2a8e8e9ba3...9f.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    194s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    13-05-2021 06:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe

  • Size

    406KB

  • MD5

    43349e08c310568c4d852900a9de2124

  • SHA1

    f7a8cb308703af8abee75ed61ee61843bf778873

  • SHA256

    2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f

  • SHA512

    75e82f2218e02d21d5fbd50c5d6e3b75372738d57180e29800f89ce0d329bbe0696b2252e88c99c8147482dc42983cfcb395712f59bfcc81c159f27e8c6281c1

Score
10/10
darkcometevasionpersistencerattrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1268
      • C:\Users\Admin\AppData\Local\Temp\2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe
        "C:\Users\Admin\AppData\Local\Temp\2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1092
        • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
          "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
          3⤵
          • Modifies WinLogon for persistence
          • Modifies firewall policy service
          • Executes dropped EXE
          • Deletes itself
          • Loads dropped DLL
          • Windows security modification
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1996
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:616
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
              5⤵
              • Views/modifies file attributes
              PID:1072
          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            4⤵
            • Modifies firewall policy service
            • Executes dropped EXE
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:332
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              5⤵
              • Adds Run key to start application
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              PID:552
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1184
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
          PID:1124
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "1447369961986230383198416077114096609971844441259-588605278-1137860248-487365046"
          1⤵
            PID:320

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
            MD5

            06f5d39b957927fbf88e7bd337a54c95

            SHA1

            1e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99

            SHA256

            37dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5

            SHA512

            42b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Crypted.exe
            MD5

            06f5d39b957927fbf88e7bd337a54c95

            SHA1

            1e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99

            SHA256

            37dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5

            SHA512

            42b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
            MD5

            b774ae3fb1da087e1f83b4f7b2060e5a

            SHA1

            97eb9be49ac3af9c851c9e1e84e32bfd53e325a8

            SHA256

            adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b

            SHA512

            f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

            Download Submit
          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            MD5

            06f5d39b957927fbf88e7bd337a54c95

            SHA1

            1e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99

            SHA256

            37dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5

            SHA512

            42b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98

            Download Submit
          • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            MD5

            06f5d39b957927fbf88e7bd337a54c95

            SHA1

            1e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99

            SHA256

            37dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5

            SHA512

            42b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98

            Download Submit
          • C:\Windows\SYSTEM.INI
            MD5

            b3322adf5e35ddfde9c26de7f98c991d

            SHA1

            922672760e86113453ad072ad98ad94736b2d17b

            SHA256

            81f147ad1c11518fab13ec19b55dbd1606b208f3cf6ac584095a05eaf0b6e2ec

            SHA512

            799491d8adb699d4961d87aeefb24a178d795e70fe6e0a0e15a8bcd25c553ceb0ca33d38ee9c9ec96aadef9be3fd2ea11fdef4162e6cf272a573076b4dc41598

            Download Submit
          • \Users\Admin\Documents\MSDCSC\msdcsc.exe
            MD5

            06f5d39b957927fbf88e7bd337a54c95

            SHA1

            1e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99

            SHA256

            37dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5

            SHA512

            42b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98

            Download Submit
          • \Users\Admin\Documents\MSDCSC\msdcsc.exe
            MD5

            06f5d39b957927fbf88e7bd337a54c95

            SHA1

            1e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99

            SHA256

            37dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5

            SHA512

            42b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98

            Download Submit
          • memory/332-89-0x0000000001E90000-0x0000000001E91000-memory.dmp
            Filesize

            4KB

            Download
          • memory/332-87-0x00000000002C0000-0x00000000002C1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/332-84-0x0000000002000000-0x000000000308E000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/332-74-0x0000000000000000-mapping.dmp
            Download
          • memory/552-81-0x0000000000400000-0x00000000004C9000-memory.dmp
            Filesize

            804KB

            Download
          • memory/552-82-0x00000000004C69D0-mapping.dmp
            Download
          • memory/616-86-0x0000000000140000-0x0000000000141000-memory.dmp
            Filesize

            4KB

            Download
          • memory/616-85-0x0000000000130000-0x0000000000137000-memory.dmp
            Filesize

            28KB

            Download
          • memory/616-71-0x0000000000000000-mapping.dmp
            Download
          • memory/1072-78-0x0000000000000000-mapping.dmp
            Download
          • memory/1092-65-0x0000000001D95000-0x0000000001D96000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1092-59-0x0000000001D70000-0x0000000001D72000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1092-61-0x0000000001D76000-0x0000000001D95000-memory.dmp
            Filesize

            124KB

            Download
          • memory/1092-60-0x000007FEF25E0000-0x000007FEF3676000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/1996-66-0x0000000002100000-0x000000000318E000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/1996-64-0x0000000075AA1000-0x0000000075AA3000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1996-67-0x0000000000260000-0x0000000000262000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1996-62-0x0000000000000000-mapping.dmp
            Download
          • memory/1996-68-0x0000000000270000-0x0000000000271000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1996-69-0x0000000000390000-0x0000000000391000-memory.dmp
            Filesize

            4KB

            Download