Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2022 16:17

General

  • Target

    0fc3af1121b633c79be228f58cc004062a3188ef2e8e6db1851d7494f7d7de04.exe

  • Size

    477KB

  • MD5

    34e4111287c0af6b8c72167016a1f9f0

  • SHA1

    61b9719f5efd4fc88daee199b0adf8fd454058a3

  • SHA256

    0fc3af1121b633c79be228f58cc004062a3188ef2e8e6db1851d7494f7d7de04

  • SHA512

    56fc07a2db806b4907ed8bc2ad645c44b98722f0ce5c0eb14672acf8840475bb82253b6fbc9cae3c88f51e6e95469356d5423a3ab6a1ad729e9477ba974dc747

  • SSDEEP

    12288:XwkHcpSHY7VSrfT2/czO3Hx+p7aPZcByrH1Ia2aRTiua:Xh8uYxSrDzwRmAZcB+H1Y

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 8 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour, but in a DarkComet sample it is equally consistent with the RAT's built-in file manager and drive listing, so treat it as a weak indicator on its own.

  • Checks processor information in registry 2 TTPs 16 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fc3af1121b633c79be228f58cc004062a3188ef2e8e6db1851d7494f7d7de04.exe
    "C:\Users\Admin\AppData\Local\Temp\0fc3af1121b633c79be228f58cc004062a3188ef2e8e6db1851d7494f7d7de04.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      PID:4120
    • C:\Users\Admin\AppData\Local\Temp\TUNATIC.EXE
      "C:\Users\Admin\AppData\Local\Temp\TUNATIC.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • Adds Run key to start application
        • Drops file in System32 directory
        PID:628
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Windows security bypass
        • Checks BIOS information in registry
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2808
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Windows security bypass
      • Checks BIOS information in registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\SysWOW64\notepad.exe
        C:\Windows\SysWOW64\notepad.exe
        3⤵
          PID:2764
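
The process tree above describes one chain: a Temp-resident executable writes a copy of itself as C:\Windows\SysWOW64\winlogon.exe, registers Winlogon and Run-key persistence, then spawns notepad.exe and explorer.exe and uses SetThreadContext and WriteProcessMemory on them (the process-hollowing pattern). The following is an added detection example, not output of the sandbox or code from the sample: it runs a few heuristics over constructed Sysmon-style events. PIDs, image paths and the dropped winlogon.exe path are taken from the report; the Winlogon Userinit value, the Run-key value name, the parent PID of the sample and the benign installer event are assumptions made for the example.

```python
"""
Constructed detection example (not sandbox output). Event dicts are a
simplified Sysmon shape; registry value names/data and the installer noise
are assumptions, PIDs and paths come from the report's process tree.
"""
import ntpath
from collections import defaultdict

SYSTEM32 = "c:\\windows\\system32"
WINLOGON_KEY = "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon"
# Stock values on a default Windows 10 install (assumption, see lead-in).
WINLOGON_DEFAULTS = {
    "userinit": "c:\\windows\\system32\\userinit.exe,",
    "shell": "explorer.exe",
}
HOLLOW_TARGETS = {"notepad.exe", "explorer.exe"}   # the two hosts used in the report
USER_TEMP = "\\appdata\\local\\temp\\"

SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fc3af1121b633c79be228f58cc004062a3188ef2e8e6db1851d7494f7d7de04.exe"
SAMPLE_EVENTS = [  # constructed to mirror the report; ppid 1234 is invented
    {"type": "process_create", "pid": 2876, "ppid": 1234, "image": SAMPLE},
    {"type": "file_create", "pid": 2876, "path": "C:\\Windows\\SysWOW64\\winlogon.exe"},
    {"type": "reg_set", "pid": 2876, "key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
     "value": "Userinit", "data": "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\SysWOW64\\winlogon.exe"},
    {"type": "reg_set", "pid": 2876, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "WinLogon", "data": "C:\\Windows\\SysWOW64\\winlogon.exe"},
    {"type": "process_create", "pid": 4120, "ppid": 2876, "image": "C:\\Windows\\SysWOW64\\notepad.exe"},
    {"type": "write_process_memory", "pid": 2876, "target_pid": 4120},
    {"type": "set_thread_context", "pid": 2876, "target_pid": 4120},
    {"type": "process_create", "pid": 2100, "ppid": 2876, "image": "C:\\Windows\\SysWOW64\\explorer.exe"},
    {"type": "write_process_memory", "pid": 2876, "target_pid": 2100},
    {"type": "set_thread_context", "pid": 2876, "target_pid": 2100},
    # Benign noise: an installer adding a Run key for a Program Files binary.
    {"type": "process_create", "pid": 5000, "ppid": 1234, "image": "C:\\Program Files\\Vendor\\setup.exe"},
    {"type": "reg_set", "pid": 5000, "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "VendorAgent", "data": "C:\\Program Files\\Vendor\\agent.exe"},
]


def _norm(path):
    return path.lower().rstrip("\\")


def check_winlogon_binary(ev):
    """The genuine winlogon.exe lives only in System32; any other copy is masquerading."""
    if ev["type"] != "file_create":
        return None
    folder, name = ntpath.split(ev["path"])
    if name.lower() == "winlogon.exe" and _norm(folder) != SYSTEM32:
        return f"winlogon.exe written outside System32: {ev['path']}"
    return None


def check_winlogon_key(ev):
    """Winlogon\\Userinit or \\Shell no longer holding its stock value."""
    if ev["type"] != "reg_set" or _norm(ev["key"]) != WINLOGON_KEY:
        return None
    stock = WINLOGON_DEFAULTS.get(ev["value"].lower())
    if stock is not None and ev["data"].lower() != stock:
        return f"Winlogon\\{ev['value']} set to {ev['data']!r}"
    return None


def check_run_key(ev):
    """Run-key entries pointing at user Temp or at a winlogon.exe outside System32."""
    if ev["type"] != "reg_set" or not _norm(ev["key"]).endswith("\\currentversion\\run"):
        return None
    data = ev["data"].lower()
    if USER_TEMP in data or data.endswith("\\syswow64\\winlogon.exe"):
        return f"Run key {ev['value']!r} -> {ev['data']}"
    return None


PER_EVENT_RULES = [check_winlogon_binary, check_winlogon_key, check_run_key]


def find_hollowing(events):
    """Temp-resident parent spawns notepad/explorer, then uses both
    WriteProcessMemory and SetThreadContext on that child."""
    image = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "process_create"}
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process_create"}
    primitives = defaultdict(set)
    for ev in events:
        if ev["type"] in ("write_process_memory", "set_thread_context"):
            primitives[(ev["pid"], ev["target_pid"])].add(ev["type"])
    findings = []
    for (src, dst), used in primitives.items():
        if len(used) < 2 or parent.get(dst) != src:
            continue
        if (ntpath.basename(image.get(dst, "")).lower() in HOLLOW_TARGETS
                and USER_TEMP in image.get(src, "").lower()):
            findings.append(("process_hollowing", dst,
                             f"{ntpath.basename(image[src])} (pid {src}) hollowed {image[dst]}"))
    return findings


def run_rules(events):
    """Return (rule, pid, detail) tuples for everything the heuristics flag."""
    findings = []
    for ev in events:
        for rule in PER_EVENT_RULES:
            detail = rule(ev)
            if detail:
                findings.append((rule.__name__, ev["pid"], detail))
    findings.extend(find_hollowing(events))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid}: {detail}")
```

The hollowing rule deliberately requires both primitives against a child the suspicious parent itself created; either call alone is common in legitimate debuggers and installers, and the report's "Suspicious use of SetThreadContext" and "WriteProcessMemory" hits are only meaningful in that combination.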

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\TUNATIC.EXE

      Filesize

      659KB

      MD5

      6dfc5ab3bb5702b5c59500d3750d81c1

      SHA1

      aac989b2f6b2be811e818d0e8a3201a0e25e55c5

      SHA256

      8c5ba747805bf8cc41958b7e0d69b11355980de344743701803eabec7349317c

      SHA512

      97749ddc6b231ddefad7fb329ef4af3e2f2b02af73a5aee1a3d555af834343c6462c53295b3fdc3122e82d1cd40c2d0cef09f61ea89ebd39fc61bd0822e30d71

    • C:\Windows\SysWOW64\winlogon.exe

      Filesize

      477KB

      MD5

      34e4111287c0af6b8c72167016a1f9f0

      SHA1

      61b9719f5efd4fc88daee199b0adf8fd454058a3

      SHA256

      0fc3af1121b633c79be228f58cc004062a3188ef2e8e6db1851d7494f7d7de04

      SHA512

      56fc07a2db806b4907ed8bc2ad645c44b98722f0ce5c0eb14672acf8840475bb82253b6fbc9cae3c88f51e6e95469356d5423a3ab6a1ad729e9477ba974dc747

    • memory/628-137-0x0000000000000000-mapping.dmp

    • memory/1456-134-0x0000000000000000-mapping.dmp

    • memory/2100-143-0x0000000013140000-0x00000000132D2000-memory.dmp

      Filesize

      1.6MB

    • memory/2100-144-0x0000000013140000-0x00000000132D2000-memory.dmp

      Filesize

      1.6MB

    • memory/2100-151-0x0000000013140000-0x00000000132D2000-memory.dmp

      Filesize

      1.6MB

    • memory/2100-140-0x0000000000000000-mapping.dmp

    • memory/2100-141-0x0000000013140000-0x00000000132D2000-memory.dmp

      Filesize

      1.6MB

    • memory/2764-147-0x0000000000000000-mapping.dmp

    • memory/2808-145-0x0000000000000000-mapping.dmp

    • memory/2808-146-0x0000000013140000-0x00000000131F6000-memory.dmp

      Filesize

      728KB

    • memory/2808-148-0x0000000013140000-0x00000000131F6000-memory.dmp

      Filesize

      728KB

    • memory/2808-149-0x0000000013140000-0x00000000131F6000-memory.dmp

      Filesize

      728KB

    • memory/2808-150-0x0000000013140000-0x00000000131F6000-memory.dmp

      Filesize

      728KB

    • memory/2876-132-0x0000000013140000-0x00000000132D2000-memory.dmp

      Filesize

      1.6MB

    • memory/2876-139-0x0000000013140000-0x00000000132D2000-memory.dmp

      Filesize

      1.6MB

    • memory/2876-152-0x0000000013140000-0x00000000132D2000-memory.dmp

      Filesize

      1.6MB

    • memory/4120-133-0x0000000000000000-mapping.dmp
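
The memory artifact names above encode the PID, a sequence number and the dumped address range. Read together with the process tree, they show the same 0x13140000-0x132D2000 region (1.6MB) in both the original sample (PID 2876) and the explorer.exe it spawned (PID 2100), a smaller region at the same base in the second explorer.exe (PID 2808), and only mapping dumps for the notepad.exe instances and TUNATIC.EXE. The following is an added helper, not part of the sandbox report, that parses those names and does that correlation; the dump names, PIDs and images are copied from this page, and the reading of the shared region as the injected payload is an inference of this example, not a statement by the sandbox.

```python
"""Constructed helper: parse memory/<pid>-<seq>-<start>[-<end>]-<kind>.dmp names
from the report above and correlate dumped regions across the process tree."""
import re
import ntpath
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp"
)

PROCESS_IMAGES = {  # from the report's process tree
    2876: "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fc3af1121b633c79be228f58cc004062a3188ef2e8e6db1851d7494f7d7de04.exe",
    4120: "C:\\Windows\\SysWOW64\\notepad.exe",
    1456: "C:\\Users\\Admin\\AppData\\Local\\Temp\\TUNATIC.EXE",
    628: "C:\\Windows\\SysWOW64\\notepad.exe",
    2808: "C:\\Windows\\SysWOW64\\explorer.exe",
    2100: "C:\\Windows\\SysWOW64\\explorer.exe",
    2764: "C:\\Windows\\SysWOW64\\notepad.exe",
}

DUMP_NAMES = [  # copied from the report's artifact list
    "memory/628-137-0x0000000000000000-mapping.dmp",
    "memory/1456-134-0x0000000000000000-mapping.dmp",
    "memory/2100-143-0x0000000013140000-0x00000000132D2000-memory.dmp",
    "memory/2100-144-0x0000000013140000-0x00000000132D2000-memory.dmp",
    "memory/2100-151-0x0000000013140000-0x00000000132D2000-memory.dmp",
    "memory/2100-140-0x0000000000000000-mapping.dmp",
    "memory/2100-141-0x0000000013140000-0x00000000132D2000-memory.dmp",
    "memory/2764-147-0x0000000000000000-mapping.dmp",
    "memory/2808-145-0x0000000000000000-mapping.dmp",
    "memory/2808-146-0x0000000013140000-0x00000000131F6000-memory.dmp",
    "memory/2808-148-0x0000000013140000-0x00000000131F6000-memory.dmp",
    "memory/2808-149-0x0000000013140000-0x00000000131F6000-memory.dmp",
    "memory/2808-150-0x0000000013140000-0x00000000131F6000-memory.dmp",
    "memory/2876-132-0x0000000013140000-0x00000000132D2000-memory.dmp",
    "memory/2876-139-0x0000000013140000-0x00000000132D2000-memory.dmp",
    "memory/2876-152-0x0000000013140000-0x00000000132D2000-memory.dmp",
    "memory/4120-133-0x0000000000000000-mapping.dmp",
]


def parse_dump(name):
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = m.group("end")
    return {"pid": int(m.group("pid")), "seq": int(m.group("seq")),
            "start": int(m.group("start"), 16),
            "end": int(end, 16) if end else None, "kind": m.group("kind")}


def human_size(nbytes):
    """Same rounding the report uses for its Filesize fields (KB below 1 MiB)."""
    if nbytes < 1024 * 1024:
        return f"{nbytes / 1024:.0f}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def regions_by_pid(names):
    """pid -> set of (start, end) for memory.dmp entries; repeat dumps collapse."""
    out = defaultdict(set)
    for d in map(parse_dump, names):
        if d["kind"] == "memory":
            out[d["pid"]].add((d["start"], d["end"]))
    return out


def shared_regions(names, images):
    """Regions dumped from more than one process, with those processes' images."""
    holders = defaultdict(set)
    for pid, regions in regions_by_pid(names).items():
        for region in regions:
            holders[region].add(pid)
    result = []
    for (start, end), pids in sorted(holders.items()):
        if len(pids) > 1:
            pids = sorted(pids)
            result.append({"start": start, "end": end, "size": end - start, "pids": pids,
                           "images": [ntpath.basename(images[p]) for p in pids]})
    return result


def regions_at_base(names, base):
    """pid -> region size for every dumped region starting at `base`."""
    return {pid: end - start for pid, regs in regions_by_pid(names).items()
            for start, end in regs if start == base}


def mapping_only_pids(names):
    """Processes the sandbox touched (mapping.dmp) but dumped no region from."""
    seen = {d["pid"] for d in map(parse_dump, names)}
    return sorted(seen - set(regions_by_pid(names)))


if __name__ == "__main__":
    for r in shared_regions(DUMP_NAMES, PROCESS_IMAGES):
        print(f"0x{r['start']:X}-0x{r['end']:X} ({human_size(r['size'])}) in {r['pids']} {r['images']}")
    print("same base 0x13140000:", {p: human_size(s) for p, s in regions_at_base(DUMP_NAMES, 0x13140000).items()})
    print("mapping only:", mapping_only_pids(DUMP_NAMES))
```

The sizes the helper computes (0x192000 = 1.6MB, 0xB6000 = 728KB) reproduce the report's Filesize fields, which is a cheap consistency check before pulling the dumps for static analysis. That the 1.6MB region sits at the same address in the parent and in its explorer.exe child is what you would expect if the parent wrote its own unpacked image into the hollowed process; the sandbox does not state this, so confirm it by diffing the two dumps.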