Overview

overview

10

Static

static

c8bf059ebf...6e.exe

windows7_x64

10

c8bf059ebf...6e.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    178s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    15-05-2021 04:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c8bf059ebf4161fe3a8edb1430389c89a09425089e5ccf2587d88ebb1ef5cb6e.exe

  • Size

    1.9MB

  • MD5

    bfff1c43fa84308b29894cfc0e4e3c8b

  • SHA1

    cb7997b5749bc85627ccbb1ba8c168b437555e63

  • SHA256

    c8bf059ebf4161fe3a8edb1430389c89a09425089e5ccf2587d88ebb1ef5cb6e

  • SHA512

    0a9d24f1a0918f1d2b90e184302a1637938d378bf8f35519d06aebb62d52de676ab9758c94a5651d74bbf6670ffceed4c22dcea001123e4e5b2ee07aa695a315

Score
10/10
darkcometpersistencerattrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8bf059ebf4161fe3a8edb1430389c89a09425089e5ccf2587d88ebb1ef5cb6e.exe
    "C:\Users\Admin\AppData\Local\Temp\c8bf059ebf4161fe3a8edb1430389c89a09425089e5ccf2587d88ebb1ef5cb6e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Users\Admin\AppData\Local\Temp\c8bf059ebf4161fe3a8edb1430389c89a09425089e5ccf2587d88ebb1ef5cb6e.exe
      "C:\Users\Admin\AppData\Local\Temp\c8bf059ebf4161fe3a8edb1430389c89a09425089e5ccf2587d88ebb1ef5cb6e.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CUMID.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1580
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\test\test.exe" /f
          4⤵
          • Adds Run key to start application
          PID:1100
      • C:\Users\Admin\AppData\Roaming\test\test.exe
        "C:\Users\Admin\AppData\Roaming\test\test.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1828
        • C:\Users\Admin\AppData\Roaming\test\test.exe
          "C:\Users\Admin\AppData\Roaming\test\test.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1016
        • C:\Users\Admin\AppData\Roaming\test\test.exe
          "C:\Users\Admin\AppData\Roaming\test\test.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1612

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CUMID.bat
    MD5

    527683c48cc4c7190219814c77b72fe0

    SHA1

    d995878a8f4b9824a0508039eeada5376be9a52d

    SHA256

    bbebf3e66136e700d8e3e2e0c8f461cdd9d7e68fe5a18a235afe86344932fb4b

    SHA512

    408a53b240c23fa34153ccc2b2315f28a9741121ecc9b76d50267ee62d78230e65574327369f83c779c781802c0c28f6c578703c01a67de46c3d44f71b814fa6

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test\test.exe
    MD5

    238597c06f843952b439355d40946d6c

    SHA1

    4ade6d4246434aedbfd8094b97d53e484cdecfa8

    SHA256

    da2d7212019b8e978852f1ea93502be7a94216f16d5ab8edca10fc92a2ec64b6

    SHA512

    dae97c9125f2edf5af7f05878b4e28a21abf4e595a9e6fb2b6abee3eed97b8b20180efedc1c6c5431a10b3068b415c119460bf27cf381f1c4c651ae016dc9750

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test\test.exe
    MD5

    238597c06f843952b439355d40946d6c

    SHA1

    4ade6d4246434aedbfd8094b97d53e484cdecfa8

    SHA256

    da2d7212019b8e978852f1ea93502be7a94216f16d5ab8edca10fc92a2ec64b6

    SHA512

    dae97c9125f2edf5af7f05878b4e28a21abf4e595a9e6fb2b6abee3eed97b8b20180efedc1c6c5431a10b3068b415c119460bf27cf381f1c4c651ae016dc9750

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test\test.exe
    MD5

    238597c06f843952b439355d40946d6c

    SHA1

    4ade6d4246434aedbfd8094b97d53e484cdecfa8

    SHA256

    da2d7212019b8e978852f1ea93502be7a94216f16d5ab8edca10fc92a2ec64b6

    SHA512

    dae97c9125f2edf5af7f05878b4e28a21abf4e595a9e6fb2b6abee3eed97b8b20180efedc1c6c5431a10b3068b415c119460bf27cf381f1c4c651ae016dc9750

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test\test.exe
    MD5

    238597c06f843952b439355d40946d6c

    SHA1

    4ade6d4246434aedbfd8094b97d53e484cdecfa8

    SHA256

    da2d7212019b8e978852f1ea93502be7a94216f16d5ab8edca10fc92a2ec64b6

    SHA512

    dae97c9125f2edf5af7f05878b4e28a21abf4e595a9e6fb2b6abee3eed97b8b20180efedc1c6c5431a10b3068b415c119460bf27cf381f1c4c651ae016dc9750

    Download Submit
  • \Users\Admin\AppData\Roaming\test\test.exe
    MD5

    238597c06f843952b439355d40946d6c

    SHA1

    4ade6d4246434aedbfd8094b97d53e484cdecfa8

    SHA256

    da2d7212019b8e978852f1ea93502be7a94216f16d5ab8edca10fc92a2ec64b6

    SHA512

    dae97c9125f2edf5af7f05878b4e28a21abf4e595a9e6fb2b6abee3eed97b8b20180efedc1c6c5431a10b3068b415c119460bf27cf381f1c4c651ae016dc9750

    Download Submit
  • \Users\Admin\AppData\Roaming\test\test.exe
    MD5

    238597c06f843952b439355d40946d6c

    SHA1

    4ade6d4246434aedbfd8094b97d53e484cdecfa8

    SHA256

    da2d7212019b8e978852f1ea93502be7a94216f16d5ab8edca10fc92a2ec64b6

    SHA512

    dae97c9125f2edf5af7f05878b4e28a21abf4e595a9e6fb2b6abee3eed97b8b20180efedc1c6c5431a10b3068b415c119460bf27cf381f1c4c651ae016dc9750

    Download Submit
  • \Users\Admin\AppData\Roaming\test\test.exe
    MD5

    238597c06f843952b439355d40946d6c

    SHA1

    4ade6d4246434aedbfd8094b97d53e484cdecfa8

    SHA256

    da2d7212019b8e978852f1ea93502be7a94216f16d5ab8edca10fc92a2ec64b6

    SHA512

    dae97c9125f2edf5af7f05878b4e28a21abf4e595a9e6fb2b6abee3eed97b8b20180efedc1c6c5431a10b3068b415c119460bf27cf381f1c4c651ae016dc9750

    Download Submit
  • \Users\Admin\AppData\Roaming\test\test.exe
    MD5

    238597c06f843952b439355d40946d6c

    SHA1

    4ade6d4246434aedbfd8094b97d53e484cdecfa8

    SHA256

    da2d7212019b8e978852f1ea93502be7a94216f16d5ab8edca10fc92a2ec64b6

    SHA512

    dae97c9125f2edf5af7f05878b4e28a21abf4e595a9e6fb2b6abee3eed97b8b20180efedc1c6c5431a10b3068b415c119460bf27cf381f1c4c651ae016dc9750

    Download Submit
  • \Users\Admin\AppData\Roaming\test\test.exe
    MD5

    238597c06f843952b439355d40946d6c

    SHA1

    4ade6d4246434aedbfd8094b97d53e484cdecfa8

    SHA256

    da2d7212019b8e978852f1ea93502be7a94216f16d5ab8edca10fc92a2ec64b6

    SHA512

    dae97c9125f2edf5af7f05878b4e28a21abf4e595a9e6fb2b6abee3eed97b8b20180efedc1c6c5431a10b3068b415c119460bf27cf381f1c4c651ae016dc9750

    Download Submit
  • memory/748-72-0x0000000000340000-0x0000000000341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/748-63-0x0000000000401000-0x0000000000546000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/748-62-0x0000000000401000-0x0000000000546000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/748-77-0x0000000000370000-0x0000000000371000-memory.dmp
    Filesize

    4KB

    Download
  • memory/748-79-0x0000000000390000-0x0000000000391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/748-78-0x0000000000380000-0x0000000000381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/748-65-0x0000000000401000-0x0000000000546000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/748-66-0x0000000000401000-0x0000000000546000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/748-67-0x0000000000401000-0x0000000000546000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/748-70-0x0000000000310000-0x0000000000311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/748-68-0x0000000000401000-0x0000000000546000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/748-59-0x0000000000400000-0x000000000054B000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/748-71-0x0000000000320000-0x0000000000321000-memory.dmp
    Filesize

    4KB

    Download
  • memory/748-69-0x0000000000401000-0x0000000000546000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1016-105-0x00000000004085D0-mapping.dmp
    Download
  • memory/1100-84-0x0000000000000000-mapping.dmp
    Download
  • memory/1580-82-0x0000000000000000-mapping.dmp
    Download
  • memory/1612-107-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/1612-108-0x00000000004B5640-mapping.dmp
    Download
  • memory/1612-122-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1612-121-0x0000000000400000-0x00000000004B7000-memory.dmp
    Filesize

    732KB

    Download
  • memory/1684-81-0x0000000075451000-0x0000000075453000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1684-80-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1684-73-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1684-74-0x00000000004085D0-mapping.dmp
    Download
  • memory/1828-90-0x0000000000000000-mapping.dmp
    Download