Analysis Overview
SHA256
b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc
Threat Level: Known bad
The file b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc was found to be: Known bad.
Malicious Activity Summary
Darkcomet
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-10-19 13:59
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-19 13:59
Reported
2022-10-19 14:58
Platform
win10v2004-20220812-en
Max time kernel
151s
Max time network
144s
Command Line
Signatures
Darkcomet
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1368 set thread context of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| PID 1368 set thread context of 5092 | N/A | C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe | C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe
"C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe"
C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe
C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe
C:\Windows\SysWOW64\net.exe
net stop MpsSvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| FR | 40.79.150.121:443 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| NL | 178.79.208.1:80 | tcp | |
| NL | 178.79.208.1:80 | tcp | |
| NL | 178.79.208.1:80 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:1604 | tcp |
Files
memory/2496-132-0x0000000000000000-mapping.dmp
memory/1368-133-0x0000000002340000-0x0000000002344000-memory.dmp
memory/5092-134-0x0000000000000000-mapping.dmp
memory/5092-135-0x0000000000400000-0x00000000004CA000-memory.dmp
memory/5092-136-0x0000000000400000-0x00000000004CA000-memory.dmp
memory/5092-137-0x0000000000400000-0x00000000004CA000-memory.dmp
memory/4644-138-0x0000000000000000-mapping.dmp
memory/5092-139-0x0000000000400000-0x00000000004CA000-memory.dmp
memory/5032-140-0x0000000000000000-mapping.dmp
memory/5092-141-0x0000000000400000-0x00000000004CA000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-19 13:59
Reported
2022-10-19 14:58
Platform
win7-20220901-en
Max time kernel
43s
Max time network
48s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe
"C:\Users\Admin\AppData\Local\Temp\b31ed8fbfb5cb3d7cbbd6ed6833612d58dc2f8134dba21abfbf52cebabc6b6cc.exe"
Network
Files
memory/1712-54-0x00000000765B1000-0x00000000765B3000-memory.dmp
memory/1712-55-0x0000000000340000-0x0000000000344000-memory.dmp