Malware Analysis Report

2024-08-06 19:34

Sample ID 220612-wh1m4aabgq
Target c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335
SHA256 c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335
Tags
msupdateg20 darkcomet
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335

Threat Level: Known bad

The file c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335 was found to be: Known bad.

Malicious Activity Summary

msupdateg20 darkcomet

Darkcomet family

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V6

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040

Analysis: static1

Detonation Overview

Reported

2022-06-12 17:56

Signatures

Darkcomet family

darkcomet

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-12 17:56

Reported

2022-06-12 22:27

Platform

win7-20220414-en

Max time kernel

138s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe"

Signatures

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe

"C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 updservice.dnsdynamic.com udp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp

Files

memory/852-54-0x0000000076781000-0x0000000076783000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-12 17:56

Reported

2022-06-12 22:28

Platform

win10v2004-20220414-en

Max time kernel

92s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe"

Signatures

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe

"C:\Users\Admin\AppData\Local\Temp\c5f1daaa4d35896b13cdd1e3024ba61ec6fb0ff557dc8594233a46827054c335.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 updservice.dnsdynamic.com udp
US 104.16.132.229:80 updservice.dnsdynamic.com tcp
NL 20.190.160.67:443 tcp
US 52.182.143.208:443 tcp
NL 20.190.160.136:443 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 87.248.202.1:80 tcp
NL 20.190.160.71:443 tcp

Files

N/A