Analysis
-
max time kernel
74s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
13-05-2021 06:12
General
-
Target
2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe
-
Size
406KB
-
MD5
43349e08c310568c4d852900a9de2124
-
SHA1
f7a8cb308703af8abee75ed61ee61843bf778873
-
SHA256
2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f
-
SHA512
75e82f2218e02d21d5fbd50c5d6e3b75372738d57180e29800f89ce0d329bbe0696b2252e88c99c8147482dc42983cfcb395712f59bfcc81c159f27e8c6281c1
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
UAC bypass 3 TTPs
-
Windows security bypass 2 TTPs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
-
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe"C:\Users\Admin\AppData\Local\Temp\2a8e8e9ba3a837db56a178f5330ee982a08bb083fcb907cba34ccaae9f7e289f.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Crypted.exe"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Executes dropped EXE
- Deletes itself
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h5⤵
- Views/modifies file attributes
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"5⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"5⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
2Modify Existing Service
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Bypass User Account Control
1Disabling Security Tools
3Hidden Files and Directories
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Crypted.exeMD5
06f5d39b957927fbf88e7bd337a54c95
SHA11e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99
SHA25637dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5
SHA51242b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98
-
C:\Users\Admin\AppData\Local\Temp\Crypted.exeMD5
06f5d39b957927fbf88e7bd337a54c95
SHA11e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99
SHA25637dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5
SHA51242b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.batMD5
b774ae3fb1da087e1f83b4f7b2060e5a
SHA197eb9be49ac3af9c851c9e1e84e32bfd53e325a8
SHA256adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
SHA512f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
06f5d39b957927fbf88e7bd337a54c95
SHA11e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99
SHA25637dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5
SHA51242b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
06f5d39b957927fbf88e7bd337a54c95
SHA11e61377c60f65ef7c9fb92e95e0dc9ad0b02aa99
SHA25637dc1ca88af5f3c14f1dd19326b50b60c14eff8a0b0f45323faf8eb948769fa5
SHA51242b04d9d3404dbd17e59b3508fe38d16295e2e949db19708ce3b5d4c5cca62e1e2971988fd8d8d8bdbdccba1a0bdc4a8582d1fb16b1778028d6557e921bdeb98
-
C:\Windows\SYSTEM.INIMD5
351fae79cf197c26b423b438a88ab92b
SHA15c1983b2dd413883df7ab45498622dfd79b6a402
SHA2569ccfe517a8394cf2395c1eb7e32c96eeb61b941c6cafcf8776f4436b05d48d12
SHA5129a9ea3668590f4ba6843eac2d85627b896a889005e64ed8d3fa219f867cd71f29e24f6f94b129786b1c9665a2b75d49b14dd4d186f8debdb62e87eb284001db9
-
memory/2596-120-0x00000000024B0000-0x000000000353E000-memory.dmpFilesize
16.6MB
-
memory/2596-123-0x0000000000AC0000-0x0000000000BFC000-memory.dmpFilesize
1.2MB
-
memory/2596-117-0x0000000000000000-mapping.dmp
-
memory/2596-127-0x0000000000AC0000-0x0000000000BFC000-memory.dmpFilesize
1.2MB
-
memory/2596-126-0x0000000000AC0000-0x0000000000BFC000-memory.dmpFilesize
1.2MB
-
memory/2688-121-0x0000000000000000-mapping.dmp
-
memory/2688-136-0x0000000000E80000-0x0000000000E81000-memory.dmpFilesize
4KB
-
memory/3372-134-0x0000000000000000-mapping.dmp
-
memory/3884-122-0x0000000000000000-mapping.dmp
-
memory/3884-129-0x00000000023A0000-0x000000000342E000-memory.dmpFilesize
16.6MB
-
memory/3884-132-0x0000000004210000-0x0000000004211000-memory.dmpFilesize
4KB
-
memory/3884-131-0x00000000041C0000-0x00000000041C2000-memory.dmpFilesize
8KB
-
memory/3884-130-0x0000000000A60000-0x0000000000A61000-memory.dmpFilesize
4KB
-
memory/3968-116-0x0000000002C54000-0x0000000002C55000-memory.dmpFilesize
4KB
-
memory/3968-115-0x0000000002C52000-0x0000000002C54000-memory.dmpFilesize
8KB
-
memory/3968-114-0x0000000002C50000-0x0000000002C52000-memory.dmpFilesize
8KB