Analysis

  • max time kernel
    159s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 04:51

General

  • Target

    a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe

  • Size

    811KB

  • MD5

    17c23bc043edc7413d8f8e09fd7d322b

  • SHA1

    eacb3548cb1f816334afb8889a68f007ca824f64

  • SHA256

    a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8

  • SHA512

    7fe6fa6cf2f6892d9b6c8b674dcba8e6dceb1c235ffc5929b909cc2a7c2cbeb8529044b3f66d7a7d07aa1654d1efc6748eec6decac12971ed8dd75ed2e79a16f

  • SSDEEP

    24576:MwU/UwhWvVXZpSRSJo2xYU4+gd3EqmM4R:MZU8WPgSe+gd3u

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe
    "C:\Users\Admin\AppData\Local\Temp\a8431bf347263a38c282c01f7e91c3ab2787dc9454fed8b6b8acbeed965a2ca8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Users\Admin\AppData\Roaming\7za.exe
        "C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
        3⤵
        • Executes dropped EXE
        PID:1416
    • C:\Users\Admin\AppData\Roaming\Server.exe
      C:\Users\Admin\AppData\Roaming\Server.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Server.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3768
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Roaming\Server.exe" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1692
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1392
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Roaming" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4276
      • C:\Windows\Settings\Default\Defender.exe
        "C:\Windows\Settings\Default\Defender.exe"
        3⤵
        • Modifies security service
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • Adds Run key to start application
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2768
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Roaming\Server.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3284
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          4⤵
          • Runs ping.exe
          PID:3988

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\server.exe

          Filesize

          324KB

          MD5

          95bd901b4f98d5a8808ea83ccc241f96

          SHA1

          34e717f505454e275724f1fe4eddf56603f6f5df

          SHA256

          3c7648d4ea2e14ce7a58cded0add16c588a1e1e158fb230430c1c9d273d1fea6

          SHA512

          6092d94dbb2053e0db74190302cc7317b4f6682a7ffc4b79c8a8af90526dbf7411b874cf582fab6d35d927d189bcf7d67e9ea1c2b2c36deb6febb0c0210ac849

        • C:\Users\Admin\AppData\Roaming\7za.exe

          Filesize

          574KB

          MD5

          42badc1d2f03a8b1e4875740d3d49336

          SHA1

          cee178da1fb05f99af7a3547093122893bd1eb46

          SHA256

          c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

          SHA512

          6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

        • C:\Users\Admin\AppData\Roaming\7za.exe

          Filesize

          574KB

          MD5

          42badc1d2f03a8b1e4875740d3d49336

          SHA1

          cee178da1fb05f99af7a3547093122893bd1eb46

          SHA256

          c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

          SHA512

          6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

        • C:\Users\Admin\AppData\Roaming\Server.7z

          Filesize

          240KB

          MD5

          61d5a8b12b8fe537fa48fe2952b685d5

          SHA1

          a19742e04e216291b0023719be3fb7b66eed6ad6

          SHA256

          60db39b6a9d10b00ab9e9b5557089db0b2ae9ec511d709285492a8d829c67de3

          SHA512

          5141193b428b05ff09f5d20303029400c3689899c5a5cd8479757f4ee013af553ed134ac14c655c0491ed24d71531b61bca749dc9ed64cc3a19e6937cbec415c

        • C:\Users\Admin\AppData\Roaming\Server.exe

          Filesize

          324KB

          MD5

          95bd901b4f98d5a8808ea83ccc241f96

          SHA1

          34e717f505454e275724f1fe4eddf56603f6f5df

          SHA256

          3c7648d4ea2e14ce7a58cded0add16c588a1e1e158fb230430c1c9d273d1fea6

          SHA512

          6092d94dbb2053e0db74190302cc7317b4f6682a7ffc4b79c8a8af90526dbf7411b874cf582fab6d35d927d189bcf7d67e9ea1c2b2c36deb6febb0c0210ac849

        • C:\Windows\Settings\Default\Defender.exe

          Filesize

          324KB

          MD5

          95bd901b4f98d5a8808ea83ccc241f96

          SHA1

          34e717f505454e275724f1fe4eddf56603f6f5df

          SHA256

          3c7648d4ea2e14ce7a58cded0add16c588a1e1e158fb230430c1c9d273d1fea6

          SHA512

          6092d94dbb2053e0db74190302cc7317b4f6682a7ffc4b79c8a8af90526dbf7411b874cf582fab6d35d927d189bcf7d67e9ea1c2b2c36deb6febb0c0210ac849

        • C:\Windows\Settings\Default\Defender.exe

          Filesize

          324KB

          MD5

          95bd901b4f98d5a8808ea83ccc241f96

          SHA1

          34e717f505454e275724f1fe4eddf56603f6f5df

          SHA256

          3c7648d4ea2e14ce7a58cded0add16c588a1e1e158fb230430c1c9d273d1fea6

          SHA512

          6092d94dbb2053e0db74190302cc7317b4f6682a7ffc4b79c8a8af90526dbf7411b874cf582fab6d35d927d189bcf7d67e9ea1c2b2c36deb6febb0c0210ac849

        • memory/2256-132-0x0000000000400000-0x0000000000494000-memory.dmp

          Filesize

          592KB

        • memory/2256-144-0x0000000000400000-0x0000000000494000-memory.dmp

          Filesize

          592KB

        • memory/2256-133-0x0000000000400000-0x0000000000494000-memory.dmp

          Filesize

          592KB

        • memory/2768-157-0x0000000000400000-0x00000000004E7000-memory.dmp

          Filesize

          924KB

        • memory/2768-154-0x0000000000400000-0x00000000004E7000-memory.dmp

          Filesize

          924KB

        • memory/2768-155-0x0000000000610000-0x0000000000613000-memory.dmp

          Filesize

          12KB

        • memory/2908-143-0x00000000005D0000-0x00000000005D3000-memory.dmp

          Filesize

          12KB

        • memory/2908-142-0x0000000000400000-0x00000000004E7000-memory.dmp

          Filesize

          924KB

        • memory/2908-156-0x0000000000400000-0x00000000004E7000-memory.dmp

          Filesize

          924KB