Analysis
-
max time kernel
151s -
max time network
9s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
16-05-2021 02:58
General
-
Target
8a494b49ce0694448248a9a0ac26ee5d1fd285cde560ce5153742c0788f3e33c.exe
-
Size
1.9MB
-
MD5
b6ce6f433f8fb8aa757c7d1ba1e16e41
-
SHA1
b10137e51748a67198f6fa0aa0f4d159a8ce20bd
-
SHA256
8a494b49ce0694448248a9a0ac26ee5d1fd285cde560ce5153742c0788f3e33c
-
SHA512
dab515d1548d464204b5e98dff9e16cb459f3cc9d5e80edeab5726e7e4345454beff8dd8eb46a51ad7b742d21e9063c446b0aee6b02f9e44f698c4ddef2ad72c
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Executes dropped EXE 3 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a494b49ce0694448248a9a0ac26ee5d1fd285cde560ce5153742c0788f3e33c.exe"C:\Users\Admin\AppData\Local\Temp\8a494b49ce0694448248a9a0ac26ee5d1fd285cde560ce5153742c0788f3e33c.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8a494b49ce0694448248a9a0ac26ee5d1fd285cde560ce5153742c0788f3e33c.exe"C:\Users\Admin\AppData\Local\Temp\8a494b49ce0694448248a9a0ac26ee5d1fd285cde560ce5153742c0788f3e33c.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\XLBOK.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\test\test.exe" /f4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\test\test.exe"C:\Users\Admin\AppData\Roaming\test\test.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\test\test.exe"C:\Users\Admin\AppData\Roaming\test\test.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\test\test.exe"C:\Users\Admin\AppData\Roaming\test\test.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\XLBOK.batMD5
527683c48cc4c7190219814c77b72fe0
SHA1d995878a8f4b9824a0508039eeada5376be9a52d
SHA256bbebf3e66136e700d8e3e2e0c8f461cdd9d7e68fe5a18a235afe86344932fb4b
SHA512408a53b240c23fa34153ccc2b2315f28a9741121ecc9b76d50267ee62d78230e65574327369f83c779c781802c0c28f6c578703c01a67de46c3d44f71b814fa6
-
C:\Users\Admin\AppData\Roaming\test\test.exeMD5
53157215e614e6f5a9db082e1f9652e1
SHA1f80f265554c1dd357c617f102928a456c29d93ae
SHA25655830870c12ba1b03404da46da10d5fde932615e0447054341f280d1e2a11bcf
SHA512734b9e74e9390c2fefe42e94c6ee82fceb78aaaec5b5e8ed42ae06100acaa6e8c75789c36b46f68d0e07c8946b2d72835f4c5cd9eba12e07c8c87a467bdc3f5b
-
C:\Users\Admin\AppData\Roaming\test\test.exeMD5
53157215e614e6f5a9db082e1f9652e1
SHA1f80f265554c1dd357c617f102928a456c29d93ae
SHA25655830870c12ba1b03404da46da10d5fde932615e0447054341f280d1e2a11bcf
SHA512734b9e74e9390c2fefe42e94c6ee82fceb78aaaec5b5e8ed42ae06100acaa6e8c75789c36b46f68d0e07c8946b2d72835f4c5cd9eba12e07c8c87a467bdc3f5b
-
C:\Users\Admin\AppData\Roaming\test\test.exeMD5
53157215e614e6f5a9db082e1f9652e1
SHA1f80f265554c1dd357c617f102928a456c29d93ae
SHA25655830870c12ba1b03404da46da10d5fde932615e0447054341f280d1e2a11bcf
SHA512734b9e74e9390c2fefe42e94c6ee82fceb78aaaec5b5e8ed42ae06100acaa6e8c75789c36b46f68d0e07c8946b2d72835f4c5cd9eba12e07c8c87a467bdc3f5b
-
C:\Users\Admin\AppData\Roaming\test\test.exeMD5
53157215e614e6f5a9db082e1f9652e1
SHA1f80f265554c1dd357c617f102928a456c29d93ae
SHA25655830870c12ba1b03404da46da10d5fde932615e0447054341f280d1e2a11bcf
SHA512734b9e74e9390c2fefe42e94c6ee82fceb78aaaec5b5e8ed42ae06100acaa6e8c75789c36b46f68d0e07c8946b2d72835f4c5cd9eba12e07c8c87a467bdc3f5b
-
\Users\Admin\AppData\Roaming\test\test.exeMD5
53157215e614e6f5a9db082e1f9652e1
SHA1f80f265554c1dd357c617f102928a456c29d93ae
SHA25655830870c12ba1b03404da46da10d5fde932615e0447054341f280d1e2a11bcf
SHA512734b9e74e9390c2fefe42e94c6ee82fceb78aaaec5b5e8ed42ae06100acaa6e8c75789c36b46f68d0e07c8946b2d72835f4c5cd9eba12e07c8c87a467bdc3f5b
-
\Users\Admin\AppData\Roaming\test\test.exeMD5
53157215e614e6f5a9db082e1f9652e1
SHA1f80f265554c1dd357c617f102928a456c29d93ae
SHA25655830870c12ba1b03404da46da10d5fde932615e0447054341f280d1e2a11bcf
SHA512734b9e74e9390c2fefe42e94c6ee82fceb78aaaec5b5e8ed42ae06100acaa6e8c75789c36b46f68d0e07c8946b2d72835f4c5cd9eba12e07c8c87a467bdc3f5b
-
\Users\Admin\AppData\Roaming\test\test.exeMD5
53157215e614e6f5a9db082e1f9652e1
SHA1f80f265554c1dd357c617f102928a456c29d93ae
SHA25655830870c12ba1b03404da46da10d5fde932615e0447054341f280d1e2a11bcf
SHA512734b9e74e9390c2fefe42e94c6ee82fceb78aaaec5b5e8ed42ae06100acaa6e8c75789c36b46f68d0e07c8946b2d72835f4c5cd9eba12e07c8c87a467bdc3f5b
-
\Users\Admin\AppData\Roaming\test\test.exeMD5
53157215e614e6f5a9db082e1f9652e1
SHA1f80f265554c1dd357c617f102928a456c29d93ae
SHA25655830870c12ba1b03404da46da10d5fde932615e0447054341f280d1e2a11bcf
SHA512734b9e74e9390c2fefe42e94c6ee82fceb78aaaec5b5e8ed42ae06100acaa6e8c75789c36b46f68d0e07c8946b2d72835f4c5cd9eba12e07c8c87a467bdc3f5b
-
\Users\Admin\AppData\Roaming\test\test.exeMD5
53157215e614e6f5a9db082e1f9652e1
SHA1f80f265554c1dd357c617f102928a456c29d93ae
SHA25655830870c12ba1b03404da46da10d5fde932615e0447054341f280d1e2a11bcf
SHA512734b9e74e9390c2fefe42e94c6ee82fceb78aaaec5b5e8ed42ae06100acaa6e8c75789c36b46f68d0e07c8946b2d72835f4c5cd9eba12e07c8c87a467bdc3f5b
-
memory/328-91-0x0000000000000000-mapping.dmp
-
memory/572-83-0x0000000000000000-mapping.dmp
-
memory/680-108-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/680-123-0x0000000000340000-0x0000000000341000-memory.dmpFilesize
4KB
-
memory/680-122-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/680-111-0x00000000004B5640-mapping.dmp
-
memory/1084-70-0x0000000000401000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1084-69-0x0000000000401000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1084-60-0x0000000000400000-0x000000000054B000-memory.dmpFilesize
1.3MB
-
memory/1084-79-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/1084-78-0x0000000000260000-0x0000000000261000-memory.dmpFilesize
4KB
-
memory/1084-80-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/1084-77-0x0000000000250000-0x0000000000251000-memory.dmpFilesize
4KB
-
memory/1084-63-0x0000000000401000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1084-76-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1084-75-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1084-68-0x0000000000401000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1084-67-0x0000000000401000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1084-66-0x0000000000401000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1084-64-0x0000000000401000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/1484-106-0x00000000004085D0-mapping.dmp
-
memory/1744-82-0x00000000752F1000-0x00000000752F3000-memory.dmpFilesize
8KB
-
memory/1744-81-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/1744-71-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/1744-72-0x00000000004085D0-mapping.dmp
-
memory/1964-85-0x0000000000000000-mapping.dmp