Analysis
-
max time kernel
154s -
max time network
172s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
-
submitted
31-07-2022 03:09
General
-
Target
60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe
-
Size
936KB
-
MD5
0ffaf327f35853510f27ba129227fafd
-
SHA1
68bd72e8e3d5873d0db9311b382b3dfe3d6fae3d
-
SHA256
60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c
-
SHA512
aeffb0e88acd1cbf8cd84c92ef2d75d3b893fd02cd88edc304543088c499ebb36345121f78f56e406f3f11a99c4fd90cea0c070c4ef32807ca9f62846e3aa822
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Themida packer 12 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe"C:\Users\Admin\AppData\Local\Temp\60d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c.exe"1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exeC:\Windows\SysWOW64\notepad.exe3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Winlogon Helper DLL
1Modify Existing Service
2Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
5Disabling Security Tools
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windupdt\winupdate.exeFilesize
936KB
MD50ffaf327f35853510f27ba129227fafd
SHA168bd72e8e3d5873d0db9311b382b3dfe3d6fae3d
SHA25660d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c
SHA512aeffb0e88acd1cbf8cd84c92ef2d75d3b893fd02cd88edc304543088c499ebb36345121f78f56e406f3f11a99c4fd90cea0c070c4ef32807ca9f62846e3aa822
-
C:\Windupdt\winupdate.exeFilesize
936KB
MD50ffaf327f35853510f27ba129227fafd
SHA168bd72e8e3d5873d0db9311b382b3dfe3d6fae3d
SHA25660d1c5bc537150e4378ebd085eb162ae890f857f9b7a5229d31bd7bd1239bc1c
SHA512aeffb0e88acd1cbf8cd84c92ef2d75d3b893fd02cd88edc304543088c499ebb36345121f78f56e406f3f11a99c4fd90cea0c070c4ef32807ca9f62846e3aa822
-
memory/1076-54-0x0000000013140000-0x000000001334C000-memory.dmpFilesize
2.0MB
-
memory/1076-55-0x00000000750B1000-0x00000000750B3000-memory.dmpFilesize
8KB
-
memory/1076-56-0x0000000013140000-0x000000001334C000-memory.dmpFilesize
2.0MB
-
memory/1076-57-0x0000000013140000-0x000000001334C000-memory.dmpFilesize
2.0MB
-
memory/1076-68-0x0000000013140000-0x000000001334C000-memory.dmpFilesize
2.0MB
-
memory/1076-61-0x0000000013140000-0x000000001334C000-memory.dmpFilesize
2.0MB
-
memory/1472-63-0x0000000013140000-0x000000001334C000-memory.dmpFilesize
2.0MB
-
memory/1472-65-0x0000000013140000-0x000000001334C000-memory.dmpFilesize
2.0MB
-
memory/1472-66-0x0000000013200014-mapping.dmp
-
memory/1472-69-0x0000000013140000-0x000000001334C000-memory.dmpFilesize
2.0MB
-
memory/1472-70-0x0000000013140000-0x000000001334C000-memory.dmpFilesize
2.0MB
-
memory/1472-72-0x0000000013140000-0x000000001334C000-memory.dmpFilesize
2.0MB
-
memory/1472-75-0x0000000013141000-0x000000001318D000-memory.dmpFilesize
304KB
-
memory/1472-76-0x0000000013140000-0x000000001334C000-memory.dmpFilesize
2.0MB
-
memory/1536-58-0x0000000000000000-mapping.dmp
-
memory/1912-73-0x0000000000000000-mapping.dmp