Overview

overview

10

Static

static

52603d0f72...e1.exe

windows7_x64

1

52603d0f72...e1.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 00:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    52603d0f72211c3e083c533fe6ff7dac5a3b220cf65825d379bfba8edced77e1.exe

  • Size

    1.9MB

  • MD5

    bd13d800662e95b5ecb2f7c36768b887

  • SHA1

    4c40b991aeefc705624a51a7b4e7436338796aa8

  • SHA256

    52603d0f72211c3e083c533fe6ff7dac5a3b220cf65825d379bfba8edced77e1

  • SHA512

    38d18e6df4cb5af384948204df6b9f780237c44474b959e9d43d78782a0f785d6b26dbf9ca755920376ad5ba02d10f7816cd89981f1b00edde838a188f763069

Score
10/10
darkcometpersistencerattrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52603d0f72211c3e083c533fe6ff7dac5a3b220cf65825d379bfba8edced77e1.exe
    "C:\Users\Admin\AppData\Local\Temp\52603d0f72211c3e083c533fe6ff7dac5a3b220cf65825d379bfba8edced77e1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Users\Admin\AppData\Local\Temp\52603d0f72211c3e083c533fe6ff7dac5a3b220cf65825d379bfba8edced77e1.exe
      "C:\Users\Admin\AppData\Local\Temp\52603d0f72211c3e083c533fe6ff7dac5a3b220cf65825d379bfba8edced77e1.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSSFH.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3360
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\test\test.exe" /f
          4⤵
          • Adds Run key to start application
          PID:1348
      • C:\Users\Admin\AppData\Roaming\test\test.exe
        "C:\Users\Admin\AppData\Roaming\test\test.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Users\Admin\AppData\Roaming\test\test.exe
          "C:\Users\Admin\AppData\Roaming\test\test.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:8
        • C:\Users\Admin\AppData\Roaming\test\test.exe
          "C:\Users\Admin\AppData\Roaming\test\test.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3464

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DSSFH.bat
    MD5

    527683c48cc4c7190219814c77b72fe0

    SHA1

    d995878a8f4b9824a0508039eeada5376be9a52d

    SHA256

    bbebf3e66136e700d8e3e2e0c8f461cdd9d7e68fe5a18a235afe86344932fb4b

    SHA512

    408a53b240c23fa34153ccc2b2315f28a9741121ecc9b76d50267ee62d78230e65574327369f83c779c781802c0c28f6c578703c01a67de46c3d44f71b814fa6

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test\test.exe
    MD5

    862c2e3058ea31de435d1a0b9e9e1fc3

    SHA1

    12d8eb624fee90cf00783c8e574abe88fe6c5208

    SHA256

    1ae89a680e667a4a73d022f0fcb05268f6fc39da217faf7be7bdf775cb9c336e

    SHA512

    cc72cdf3aafc38e89f3bc6c44b91e579078707874e8e0bf01f8de66f0fd5a2c92eba6a29cf53ea5da78f083b66e9569d73a73639ffaa18abce5eae2c6e4ed32f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test\test.exe
    MD5

    862c2e3058ea31de435d1a0b9e9e1fc3

    SHA1

    12d8eb624fee90cf00783c8e574abe88fe6c5208

    SHA256

    1ae89a680e667a4a73d022f0fcb05268f6fc39da217faf7be7bdf775cb9c336e

    SHA512

    cc72cdf3aafc38e89f3bc6c44b91e579078707874e8e0bf01f8de66f0fd5a2c92eba6a29cf53ea5da78f083b66e9569d73a73639ffaa18abce5eae2c6e4ed32f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test\test.exe
    MD5

    862c2e3058ea31de435d1a0b9e9e1fc3

    SHA1

    12d8eb624fee90cf00783c8e574abe88fe6c5208

    SHA256

    1ae89a680e667a4a73d022f0fcb05268f6fc39da217faf7be7bdf775cb9c336e

    SHA512

    cc72cdf3aafc38e89f3bc6c44b91e579078707874e8e0bf01f8de66f0fd5a2c92eba6a29cf53ea5da78f083b66e9569d73a73639ffaa18abce5eae2c6e4ed32f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test\test.exe
    MD5

    862c2e3058ea31de435d1a0b9e9e1fc3

    SHA1

    12d8eb624fee90cf00783c8e574abe88fe6c5208

    SHA256

    1ae89a680e667a4a73d022f0fcb05268f6fc39da217faf7be7bdf775cb9c336e

    SHA512

    cc72cdf3aafc38e89f3bc6c44b91e579078707874e8e0bf01f8de66f0fd5a2c92eba6a29cf53ea5da78f083b66e9569d73a73639ffaa18abce5eae2c6e4ed32f

    Download Submit
  • memory/8-138-0x00000000004085D0-mapping.dmp
    Download
  • memory/1348-130-0x0000000000000000-mapping.dmp
    Download
  • memory/2100-117-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2100-118-0x00000000004085D0-mapping.dmp
    Download
  • memory/2100-127-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2752-145-0x00000000005E0000-0x000000000072A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2752-149-0x00000000005E0000-0x000000000072A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2752-131-0x0000000000000000-mapping.dmp
    Download
  • memory/2752-148-0x00000000005E0000-0x000000000072A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2752-147-0x00000000005E0000-0x000000000072A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2752-146-0x00000000005E0000-0x000000000072A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3360-128-0x0000000000000000-mapping.dmp
    Download
  • memory/3464-141-0x00000000004B5640-mapping.dmp
    Download
  • memory/3464-140-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/3464-153-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/3464-154-0x0000000000A80000-0x0000000000A81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-121-0x00000000005E0000-0x00000000005E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-122-0x00000000007D0000-0x00000000007D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-114-0x0000000000400000-0x000000000054B000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3992-125-0x00000000021A0000-0x00000000021A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-123-0x00000000007E0000-0x00000000007E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-126-0x00000000021C0000-0x00000000021C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-124-0x0000000002190000-0x0000000002191000-memory.dmp
    Filesize

    4KB

    Download