Analysis

  • max time kernel
    150s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    19/10/2022, 14:11

General

  • Target

    a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe

  • Size

    427KB

  • MD5

    a10a571e2ede354e506dbc197124cf00

  • SHA1

    f906f361516ccac006b8e54ccb4bbb8fbba38a26

  • SHA256

    a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece

  • SHA512

    5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342

  • SSDEEP

    12288:6rE8cPDVurpbwA4VcjBNo4r1ex6tAmhZwwKo:bhurpbwALx1EaAmDwno

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
    "C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
      C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe
        "C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe
          C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:336

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe

          Filesize

          427KB

          MD5

          a10a571e2ede354e506dbc197124cf00

          SHA1

          f906f361516ccac006b8e54ccb4bbb8fbba38a26

          SHA256

          a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece

          SHA512

          5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342

        • C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe

          Filesize

          427KB

          MD5

          a10a571e2ede354e506dbc197124cf00

          SHA1

          f906f361516ccac006b8e54ccb4bbb8fbba38a26

          SHA256

          a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece

          SHA512

          5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342

        • C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe

          Filesize

          427KB

          MD5

          a10a571e2ede354e506dbc197124cf00

          SHA1

          f906f361516ccac006b8e54ccb4bbb8fbba38a26

          SHA256

          a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece

          SHA512

          5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342

        • \Users\Admin\AppData\Local\Temp\jre\smartlogon.exe

          Filesize

          427KB

          MD5

          a10a571e2ede354e506dbc197124cf00

          SHA1

          f906f361516ccac006b8e54ccb4bbb8fbba38a26

          SHA256

          a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece

          SHA512

          5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342

        • \Users\Admin\AppData\Local\Temp\jre\smartlogon.exe

          Filesize

          427KB

          MD5

          a10a571e2ede354e506dbc197124cf00

          SHA1

          f906f361516ccac006b8e54ccb4bbb8fbba38a26

          SHA256

          a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece

          SHA512

          5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342

        • \Users\Admin\AppData\Local\Temp\jre\smartlogon.exe

          Filesize

          427KB

          MD5

          a10a571e2ede354e506dbc197124cf00

          SHA1

          f906f361516ccac006b8e54ccb4bbb8fbba38a26

          SHA256

          a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece

          SHA512

          5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342

        • memory/336-80-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/336-82-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/336-81-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/336-83-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/1232-60-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/1232-68-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/1232-61-0x0000000074E41000-0x0000000074E43000-memory.dmp

          Filesize

          8KB

        • memory/1232-58-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/1232-56-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/1232-63-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/1232-62-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/1368-59-0x0000000000400000-0x000000000052B000-memory.dmp

          Filesize

          1.2MB

        • memory/1504-71-0x0000000000400000-0x000000000052B000-memory.dmp

          Filesize

          1.2MB

        • memory/1504-78-0x0000000000400000-0x000000000052B000-memory.dmp

          Filesize

          1.2MB