Overview

overview

10

Static

static

62095329f4...5f.exe

windows7_x64

10

62095329f4...5f.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    14-05-2021 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe

  • Size

    1.5MB

  • MD5

    bc6a79b6114ed8f1121008aeb8528e22

  • SHA1

    fc34e6014ff7aa79ffb6744aa1c02506c5162f30

  • SHA256

    62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f

  • SHA512

    f5034cf4764bea453dce20d8cc4e0bedad66fa018817f8a520560e4fa012c67466b802646d345092881ebd1aa4c728a2b885f18dd61b385731761649ef427f85

Score
10/10
darkcometpersistencerattrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
    "C:\Users\Admin\AppData\Local\Temp\62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Users\Admin\AppData\Local\Temp\62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe
      "C:\Users\Admin\AppData\Local\Temp\62095329f455650fecd65d699b6a3c5e63fe16b04ad5f09eaef8f9f671f18c5f.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQOMQ.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\test\test.exe" /f
          4⤵
          • Adds Run key to start application
          PID:2128
      • C:\Users\Admin\AppData\Roaming\test\test.exe
        "C:\Users\Admin\AppData\Roaming\test\test.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Users\Admin\AppData\Roaming\test\test.exe
          "C:\Users\Admin\AppData\Roaming\test\test.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1300
        • C:\Users\Admin\AppData\Roaming\test\test.exe
          "C:\Users\Admin\AppData\Roaming\test\test.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FQOMQ.bat
    MD5

    527683c48cc4c7190219814c77b72fe0

    SHA1

    d995878a8f4b9824a0508039eeada5376be9a52d

    SHA256

    bbebf3e66136e700d8e3e2e0c8f461cdd9d7e68fe5a18a235afe86344932fb4b

    SHA512

    408a53b240c23fa34153ccc2b2315f28a9741121ecc9b76d50267ee62d78230e65574327369f83c779c781802c0c28f6c578703c01a67de46c3d44f71b814fa6

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test\test.exe
    MD5

    ad36a87890b51757f54284fd29c0dced

    SHA1

    3ba7b965c494052c2f6b170f9c65586f4bf4ce44

    SHA256

    779917879ac7660488033bdcd42de5f0cb5c45646beca62942e6707d599f61ba

    SHA512

    344c151ae60792ec3c0a5bc6474844e128c7591db7f230e29dde8d96e77e9bd1985ba01fd728df983767a71cdb7ac2586d0bd74878015d3f170346603020859c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test\test.exe
    MD5

    ad36a87890b51757f54284fd29c0dced

    SHA1

    3ba7b965c494052c2f6b170f9c65586f4bf4ce44

    SHA256

    779917879ac7660488033bdcd42de5f0cb5c45646beca62942e6707d599f61ba

    SHA512

    344c151ae60792ec3c0a5bc6474844e128c7591db7f230e29dde8d96e77e9bd1985ba01fd728df983767a71cdb7ac2586d0bd74878015d3f170346603020859c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test\test.exe
    MD5

    ad36a87890b51757f54284fd29c0dced

    SHA1

    3ba7b965c494052c2f6b170f9c65586f4bf4ce44

    SHA256

    779917879ac7660488033bdcd42de5f0cb5c45646beca62942e6707d599f61ba

    SHA512

    344c151ae60792ec3c0a5bc6474844e128c7591db7f230e29dde8d96e77e9bd1985ba01fd728df983767a71cdb7ac2586d0bd74878015d3f170346603020859c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test\test.exe
    MD5

    ad36a87890b51757f54284fd29c0dced

    SHA1

    3ba7b965c494052c2f6b170f9c65586f4bf4ce44

    SHA256

    779917879ac7660488033bdcd42de5f0cb5c45646beca62942e6707d599f61ba

    SHA512

    344c151ae60792ec3c0a5bc6474844e128c7591db7f230e29dde8d96e77e9bd1985ba01fd728df983767a71cdb7ac2586d0bd74878015d3f170346603020859c

    Download Submit
  • memory/212-127-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/212-120-0x00000000004085D0-mapping.dmp
    Download
  • memory/212-119-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/700-141-0x00000000004B5640-mapping.dmp
    Download
  • memory/700-140-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/700-153-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/700-154-0x0000000000560000-0x000000000060E000-memory.dmp
    Filesize

    696KB

    Download
  • memory/1300-138-0x00000000004085D0-mapping.dmp
    Download
  • memory/2128-130-0x0000000000000000-mapping.dmp
    Download
  • memory/2552-128-0x0000000000000000-mapping.dmp
    Download
  • memory/3172-126-0x0000000002940000-0x0000000002941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3172-117-0x0000000000690000-0x00000000007DA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3172-125-0x0000000000850000-0x0000000000851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3172-114-0x0000000000400000-0x000000000054B000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3172-123-0x0000000000810000-0x0000000000811000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3172-124-0x0000000000820000-0x0000000000821000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3172-118-0x00000000007F0000-0x00000000007F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4072-146-0x0000000000610000-0x000000000075A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/4072-147-0x0000000000610000-0x000000000075A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/4072-148-0x0000000000610000-0x000000000075A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/4072-149-0x0000000000610000-0x000000000075A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/4072-150-0x0000000000610000-0x000000000075A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/4072-131-0x0000000000000000-mapping.dmp
    Download
  • memory/4072-145-0x00000000005F0000-0x00000000005F1000-memory.dmp
    Filesize

    4KB

    Download