Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 02:20

General

  • Target

    0dbbf8345aaf2a9d57bd4ced5b456cb34f789ae813206a8eb18abeb5dadd6eab.exe

  • Size

    691KB

  • MD5

    4dfe8edec4def757572fe47433f62f17

  • SHA1

    90c20928fb44120b61c74566ffa8da677a76467a

  • SHA256

    0dbbf8345aaf2a9d57bd4ced5b456cb34f789ae813206a8eb18abeb5dadd6eab

  • SHA512

    9078bb932543b7f639ce22f3681e0a7554bde23934a9a9053cc0446e59363c76aa68a0d9ae8aa0da2e3c35f9eeb596874d169520199ccd752f5defa210b7a19b

  • SSDEEP

    12288:19AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnK2B:zAQ6Zx9cxTmOrucTIEFSpOG

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0dbbf8345aaf2a9d57bd4ced5b456cb34f789ae813206a8eb18abeb5dadd6eab.exe
    "C:\Users\Admin\AppData\Local\Temp\0dbbf8345aaf2a9d57bd4ced5b456cb34f789ae813206a8eb18abeb5dadd6eab.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      PID:5020
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • Windows security bypass
      • Checks BIOS information in registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3624
      • C:\Windows\SysWOW64\notepad.exe
        C:\Windows\SysWOW64\notepad.exe
        3⤵
          PID:2292

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/3624-134-0x0000000013140000-0x00000000131FF000-memory.dmp

            Filesize

            764KB

          • memory/3624-135-0x0000000013140000-0x00000000131FF000-memory.dmp

            Filesize

            764KB

          • memory/3624-136-0x0000000013140000-0x00000000131FF000-memory.dmp

            Filesize

            764KB

          • memory/3624-138-0x0000000013140000-0x00000000131FF000-memory.dmp

            Filesize

            764KB

          • memory/3624-139-0x0000000013140000-0x00000000131FF000-memory.dmp

            Filesize

            764KB