Analysis
-
max time kernel
134s -
max time network
175s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
02-10-2022 12:53
General
-
Target
8ec50a96c6112fc5972b8879d94655091321004fb192060c637a35f026101efa.exe
-
Size
999KB
-
MD5
5648f68e4a0011dafe8d998faa6ceae9
-
SHA1
a8faf3b312ce52629042f1270f2fa8c2344b04b1
-
SHA256
8ec50a96c6112fc5972b8879d94655091321004fb192060c637a35f026101efa
-
SHA512
e6b47b83e2352bca850f807a23b8fdeae49702f5d6c76a8fcb22165ca1334cf25bd2f8200e1eaa1b8c0193b8f852a74632205c93381f90ed7962df288985fda7
-
SSDEEP
24576:fCUEkTgHq2qJ1W489MripDn7qvdJsj3z9AGOXoYZ7Yeefds:fCVkTB2wW489Mrkn7qvoeGO4Yaeea
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 2 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 3 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ec50a96c6112fc5972b8879d94655091321004fb192060c637a35f026101efa.exe"C:\Users\Admin\AppData\Local\Temp\8ec50a96c6112fc5972b8879d94655091321004fb192060c637a35f026101efa.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8ec50a96c6112fc5972b8879d94655091321004fb192060c637a35f026101efa.exe"C:\Users\Admin\AppData\Local\Temp\8ec50a96c6112fc5972b8879d94655091321004fb192060c637a35f026101efa.exe"2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\STEALER.EXE"C:\Users\Admin\AppData\Local\Temp\STEALER.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\STEALER.EXE"C:\Users\Admin\AppData\Local\Temp\STEALER.EXE"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=explorer.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.04⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:684 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\STEALER.EXEFilesize
90KB
MD5b2bbb3edba708953fde6536961ecadb6
SHA1a97ded595e565350f9cf7e08a200416a31bca47a
SHA256914165ef4146ac775809b7a2d0c6fb89e15854357841dadf4dd38836360e8b50
SHA5122bcc984e51cd360fd6a88bc5b35abeb32443bebcd6d20763e4d895d86697d17c1cfaa07f4169840472401677074272c26c4e37a6bbe4153c29956c7005b321c9
-
C:\Users\Admin\AppData\Local\Temp\STEALER.EXEFilesize
90KB
MD5b2bbb3edba708953fde6536961ecadb6
SHA1a97ded595e565350f9cf7e08a200416a31bca47a
SHA256914165ef4146ac775809b7a2d0c6fb89e15854357841dadf4dd38836360e8b50
SHA5122bcc984e51cd360fd6a88bc5b35abeb32443bebcd6d20763e4d895d86697d17c1cfaa07f4169840472401677074272c26c4e37a6bbe4153c29956c7005b321c9
-
C:\Users\Admin\AppData\Local\Temp\STEALER.EXEFilesize
90KB
MD5b2bbb3edba708953fde6536961ecadb6
SHA1a97ded595e565350f9cf7e08a200416a31bca47a
SHA256914165ef4146ac775809b7a2d0c6fb89e15854357841dadf4dd38836360e8b50
SHA5122bcc984e51cd360fd6a88bc5b35abeb32443bebcd6d20763e4d895d86697d17c1cfaa07f4169840472401677074272c26c4e37a6bbe4153c29956c7005b321c9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VNSCUVRB.txtFilesize
608B
MD5c2a068245c490f8ca75b2406f659511f
SHA169fb9371202f7950032dbaa9da87ce75e98dec68
SHA256a593a962697d5b8b03e4b7def0943abb7493b338213952ea06d830490aa4a9f1
SHA512b987a765a4e44389209af0890779fe7c7789af12b6f925e75136657c6cbcc109b3945de819ff826492df115558fd7e18fe2b69e286e3e8789312ab623d20e076
-
\Users\Admin\AppData\Local\Temp\STEALER.EXEFilesize
90KB
MD5b2bbb3edba708953fde6536961ecadb6
SHA1a97ded595e565350f9cf7e08a200416a31bca47a
SHA256914165ef4146ac775809b7a2d0c6fb89e15854357841dadf4dd38836360e8b50
SHA5122bcc984e51cd360fd6a88bc5b35abeb32443bebcd6d20763e4d895d86697d17c1cfaa07f4169840472401677074272c26c4e37a6bbe4153c29956c7005b321c9
-
\Users\Admin\AppData\Local\Temp\STEALER.EXEFilesize
90KB
MD5b2bbb3edba708953fde6536961ecadb6
SHA1a97ded595e565350f9cf7e08a200416a31bca47a
SHA256914165ef4146ac775809b7a2d0c6fb89e15854357841dadf4dd38836360e8b50
SHA5122bcc984e51cd360fd6a88bc5b35abeb32443bebcd6d20763e4d895d86697d17c1cfaa07f4169840472401677074272c26c4e37a6bbe4153c29956c7005b321c9
-
\Users\Admin\AppData\Local\Temp\STEALER.EXEFilesize
90KB
MD5b2bbb3edba708953fde6536961ecadb6
SHA1a97ded595e565350f9cf7e08a200416a31bca47a
SHA256914165ef4146ac775809b7a2d0c6fb89e15854357841dadf4dd38836360e8b50
SHA5122bcc984e51cd360fd6a88bc5b35abeb32443bebcd6d20763e4d895d86697d17c1cfaa07f4169840472401677074272c26c4e37a6bbe4153c29956c7005b321c9
-
memory/1104-106-0x0000000000400000-0x00000000004F2000-memory.dmpFilesize
968KB
-
memory/1104-104-0x0000000000400000-0x00000000004F2000-memory.dmpFilesize
968KB
-
memory/1104-100-0x0000000000400000-0x00000000004F2000-memory.dmpFilesize
968KB
-
memory/1104-101-0x00000000004E6626-mapping.dmp
-
memory/1104-98-0x0000000000400000-0x00000000004F2000-memory.dmpFilesize
968KB
-
memory/1152-91-0x0000000073AE0000-0x000000007408B000-memory.dmpFilesize
5.7MB
-
memory/1152-78-0x0000000000000000-mapping.dmp
-
memory/1340-61-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1340-56-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1340-70-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1340-75-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1340-71-0x000000000048E85C-mapping.dmp
-
memory/1340-68-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1340-66-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1340-57-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1340-103-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1340-59-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1340-63-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1340-72-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1340-95-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1340-65-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/1960-96-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1960-86-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1960-84-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1960-83-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1960-87-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1960-107-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/1960-88-0x00000000004011D0-mapping.dmp
-
memory/2040-54-0x00000000762F1000-0x00000000762F3000-memory.dmpFilesize
8KB
-
memory/2040-55-0x0000000074DE0000-0x000000007538B000-memory.dmpFilesize
5.7MB
-
memory/2040-74-0x0000000074DE0000-0x000000007538B000-memory.dmpFilesize
5.7MB