Analysis

  • max time kernel
    152s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 18:33

General

  • Target

    a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

  • Size

    252KB

  • MD5

    532a6afb45c841f08a0ff9f104559334

  • SHA1

    2fe9463e271b50907d72174992f4adf5c5c5eace

  • SHA256

    a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62

  • SHA512

    313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
    "C:\Users\Admin\AppData\Local\Temp\a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4120
    • C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe
      "C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe"
      2⤵
      • Modifies firewall policy service
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4900
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

3
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe
    Filesize

    252KB

    MD5

    532a6afb45c841f08a0ff9f104559334

    SHA1

    2fe9463e271b50907d72174992f4adf5c5c5eace

    SHA256

    a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62

    SHA512

    313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4

  • C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe
    Filesize

    252KB

    MD5

    532a6afb45c841f08a0ff9f104559334

    SHA1

    2fe9463e271b50907d72174992f4adf5c5c5eace

    SHA256

    a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62

    SHA512

    313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4

  • memory/4900-130-0x0000000000000000-mapping.dmp