Overview

overview

10

Static

static

10

b5154bba_h...My.exe

windows7_x64

10

b5154bba_h...My.exe

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    08-09-2021 05:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b5154bba_hs6p8854My.exe

  • Size

    658KB

  • MD5

    b5154bba3a9d3648b40164f2ec89e059

  • SHA1

    e37b5718f3da44132e2170dc85e026b9a998f5d9

  • SHA256

    d8b6d9bf469cf33b4effbfc8bcac272a66a01213184580a668a2517df93834a2

  • SHA512

    c21c3e0ed025e97b6dbc0bc9b3f9b8e87306df8177e1638892ecbcb2bf199e828bc186e0fb872dd82c7cd4d3bedb5ff2910584057d34709535a498ca612f5553

Score
10/10
darkcometevasionrattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Disables RegEdit via registry modification
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5154bba_hs6p8854My.exe
    "C:\Users\Admin\AppData\Local\Temp\b5154bba_hs6p8854My.exe"
    1⤵
    • Modifies firewall policy service
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\b5154bba_hs6p8854My.exe" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\b5154bba_hs6p8854My.exe" +s +h
        3⤵
        • Views/modifies file attributes
        PID:1520
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Views/modifies file attributes
        PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Hidden Files and Directories

2
T1158

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Hidden Files and Directories

2
T1158

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1120-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1520-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1632-52-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1632-57-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1712-54-0x0000000000000000-mapping.dmp
    Download
  • memory/1736-53-0x0000000000000000-mapping.dmp
    Download