Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    15-05-2021 08:16

General

  • Target

    43bbe26ae8e84675abd49903be937783f94822a4e53608c57ed4201dd06a1c28.exe

  • Size

    1.3MB

  • MD5

    64b79967a225599df24a4bc187dfa825

  • SHA1

    aa8520f7e61df4cdf3d26ae4339b72fa67b4742b

  • SHA256

    43bbe26ae8e84675abd49903be937783f94822a4e53608c57ed4201dd06a1c28

  • SHA512

    d4ab3a6c1784c8fe2d1b048b400aaac580e2bce21d751a17e20bbcac602fbfa07d00d01e5d9d8c2caee781e47acbe4e64eea0391519bc03d4d369a5f5b2adb54

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs
  • Executes dropped EXE 6 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43bbe26ae8e84675abd49903be937783f94822a4e53608c57ed4201dd06a1c28.exe
    "C:\Users\Admin\AppData\Local\Temp\43bbe26ae8e84675abd49903be937783f94822a4e53608c57ed4201dd06a1c28.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3960
      • C:\Users\Admin\AppData\Roaming\7za.exe
        "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
        3⤵
        • Executes dropped EXE
        PID:3932
    • C:\Users\Admin\AppData\Roaming\Server.exe
      C:\Users\Admin\AppData\Roaming\Server.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Users\Admin\AppData\Local\Temp\1.exe
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        3⤵
        • Executes dropped EXE
        PID:1960
      • C:\Users\Admin\AppData\Local\Temp\2.exe
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:748
          • C:\Users\Admin\AppData\Roaming\7za.exe
            "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
            5⤵
            • Executes dropped EXE
            PID:1420
        • C:\Users\Admin\AppData\Roaming\Server.exe
          C:\Users\Admin\AppData\Roaming\Server.exe
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Windows security modification
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3048
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Server.exe" +s +h
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3792
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Roaming\Server.exe" +s +h
              6⤵
              • Views/modifies file attributes
              PID:3204
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3980
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Roaming" +s +h
              6⤵
              • Views/modifies file attributes
              PID:4000

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    MD5

    7fe12174838117f5d005e89212ea4c2b

    SHA1

    8a1595ae7d46568feebfb7cd527cab9aa2f15054

    SHA256

    c469b11a725f9f7e888f488a88ab1d1d2dd622de8212cdfc58e77224d52f5d13

    SHA512

    c36ade83736c666fcb57520d0587ac1c56c073a9a61db056110c4c4555228f5e2179db67159b3847184d1117e8e3ccc14baf79d2e09bd8314ea2ea8b02594a2c

  • C:\Users\Admin\AppData\Local\Temp\2.exe
    MD5

    6473095bd2dd08c83d0c00c2797c18e9

    SHA1

    6134dfef47b7e77220c1d2bd93f741089bd36543

    SHA256

    e3b0136f3e4ae1379516df2cd142f573e1a96635fd378f0569ca0aa92064ad6f

    SHA512

    5debe141f5f95fdccf0bdf450d707d662988851c2295edc7b092e3100f2fa72dd518a2c8f97a9fe998283b46c6913331d3c743e9e0ea23a63942a4ac208bad06

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    MD5

    354b9d3773f9f2d7c259f9db24748e56

    SHA1

    1a09005a6fee7c59094b90b35f753664d001cfe0

    SHA256

    3926887bb943104bffdc018d9324dff4a1be9730050f7552fe44ef8838c0a31f

    SHA512

    7cb52ab25ce527b71dba729660abcbfccebf7d634a960c440f5ae4748d27fc820a500ab24ec3c4ac1dfa77921cc22126eeacc085d5797bbcdefbb03623cb7515

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    MD5

    3f972991396ba33161eeedc5bf3ceb30

    SHA1

    f2a0ddb29dfbaefc337e730894e6d94ee3eb8ba7

    SHA256

    efc6956cb8bdc30b27a126a340e8c2571200d0756bd5e1fad909d4e6d9193c9a

    SHA512

    c5623c5d572af7fff5c3b9c9cda7c6cf23ebca99ab3ac5e6585797b2708c7e16b00422d3c17d057cef7265a28c6fc86b748aa3a4ba0f8719a5140755cb5aed46

  • C:\Users\Admin\AppData\Roaming\7za.exe
    MD5

    42badc1d2f03a8b1e4875740d3d49336

    SHA1

    cee178da1fb05f99af7a3547093122893bd1eb46

    SHA256

    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

    SHA512

    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

  • C:\Users\Admin\AppData\Roaming\7za.exe
    MD5

    42badc1d2f03a8b1e4875740d3d49336

    SHA1

    cee178da1fb05f99af7a3547093122893bd1eb46

    SHA256

    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

    SHA512

    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

  • C:\Users\Admin\AppData\Roaming\Server.7z
    MD5

    90860dfd93be99d4ec902a80902ab0a7

    SHA1

    8dd0a644201da189f4de7c91e82c8645f48704cb

    SHA256

    f99cbf507206427127e2bc34d1c5f2809abc253cd3af12e73a89fc927ab45ae9

    SHA512

    fed208841e1db6a9e74264d4ad2de02eaf29de492f73921183c43dff64338d10acdea62ec6275dee83a154f78b9e7915715bd6effcaf6ed144c5c17e2538619a

  • C:\Users\Admin\AppData\Roaming\Server.7z
    MD5

    8671c40dd1af5ea83847cd470c950c71

    SHA1

    5bc2e0a63bc29168cdd06692c50c1f79410322be

    SHA256

    9af8ea85d0b0a38251dac9d06eb3392376ad6aaa75448f34c1f0b90133496a47

    SHA512

    76afe6d4805bddf5de0998e99ef3fdab9203fc3b7ac7efcb087fa070682c4168324ff969ab9d48a3c7cd5eeb4da757f5f6059651d248e267435fcaac219c33d0

  • C:\Users\Admin\AppData\Roaming\Server.exe
    MD5

    354b9d3773f9f2d7c259f9db24748e56

    SHA1

    1a09005a6fee7c59094b90b35f753664d001cfe0

    SHA256

    3926887bb943104bffdc018d9324dff4a1be9730050f7552fe44ef8838c0a31f

    SHA512

    7cb52ab25ce527b71dba729660abcbfccebf7d634a960c440f5ae4748d27fc820a500ab24ec3c4ac1dfa77921cc22126eeacc085d5797bbcdefbb03623cb7515

  • C:\Users\Admin\AppData\Roaming\Server.exe
    MD5

    3f972991396ba33161eeedc5bf3ceb30

    SHA1

    f2a0ddb29dfbaefc337e730894e6d94ee3eb8ba7

    SHA256

    efc6956cb8bdc30b27a126a340e8c2571200d0756bd5e1fad909d4e6d9193c9a

    SHA512

    c5623c5d572af7fff5c3b9c9cda7c6cf23ebca99ab3ac5e6585797b2708c7e16b00422d3c17d057cef7265a28c6fc86b748aa3a4ba0f8719a5140755cb5aed46
