Analysis

  • max time kernel
    157s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/10/2022, 13:29

General

  • Target

    39ea357921d1df20a8eb93b8f2d6f818d4ae15b70380c02911ecb32d9124de39.exe

  • Size

    809KB

  • MD5

    91b1b477956f1049e7c759723ae7a460

  • SHA1

    8fbb64e457d8e780f3a721e5f92da3d1a8cb7fdf

  • SHA256

    39ea357921d1df20a8eb93b8f2d6f818d4ae15b70380c02911ecb32d9124de39

  • SHA512

    88dab76ee6989938ae61393131cad3b1031318757f81e1fbd819df267760d7da6470f752c0d895e4b29d858574267a4d7a10fb6d63c01f55181a6cf542f9f074

  • SSDEEP

    24576:GwAcu99lPzvxP+Bsz2XjWTRMQckkIXhw:RAcIzpP+hickkIxw

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies firewall policy service 2 TTPs 6 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Windows security modification 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39ea357921d1df20a8eb93b8f2d6f818d4ae15b70380c02911ecb32d9124de39.exe
    "C:\Users\Admin\AppData\Local\Temp\39ea357921d1df20a8eb93b8f2d6f818d4ae15b70380c02911ecb32d9124de39.exe"
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Windows security bypass
    • Checks BIOS information in registry
    • Windows security modification
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • Windows security bypass
      • Checks BIOS information in registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4936

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1440-132-0x0000000000400000-0x00000000004E3000-memory.dmp

          Filesize

          908KB

        • memory/1440-138-0x0000000000400000-0x00000000004E3000-memory.dmp

          Filesize

          908KB

        • memory/4936-134-0x0000000000400000-0x00000000004E3000-memory.dmp

          Filesize

          908KB

        • memory/4936-135-0x0000000000400000-0x00000000004E3000-memory.dmp

          Filesize

          908KB

        • memory/4936-136-0x0000000000400000-0x00000000004E3000-memory.dmp

          Filesize

          908KB

        • memory/4936-137-0x0000000000400000-0x00000000004E3000-memory.dmp

          Filesize

          908KB

        • memory/4936-139-0x0000000000400000-0x00000000004E3000-memory.dmp

          Filesize

          908KB