Overview

overview

10

Static

static

10

58bc9b0c5e...f2.exe

windows7-x64

10

58bc9b0c5e...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2022 06:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe

  • Size

    756KB

  • MD5

    29576b605f9b997bbb7bb7290dc63a8b

  • SHA1

    a4ece5227c704039ac4556d8b2d5832404239f93

  • SHA256

    58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2

  • SHA512

    c6d246ca7126a4cd6e828ba6b283c446530d513f8be5ef546fba4e13061e39dad2dfc40c408129999af23960f3a6de3250caac56920f8499d2fcd711e7272b96

Score
10/10
darkcometevasionrattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
    "C:\Users\Admin\AppData\Local\Temp\58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe"
    1⤵
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Windows security modification
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1896
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:968
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:1840
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      2⤵
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:2028

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Hidden Files and Directories

    2
    T1158

    Privilege Escalation

    Defense Evasion

    Disabling Security Tools

    2
    T1089

    Modify Registry

    2
    T1112

    Hidden Files and Directories

    2
    T1158

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/968-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1352-55-0x0000000000000000-mapping.dmp
      Download
    • memory/1572-56-0x0000000000000000-mapping.dmp
      Download
    • memory/1840-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1896-54-0x0000000076081000-0x0000000076083000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2028-59-0x0000000000000000-mapping.dmp
      Download