Analysis

  • max time kernel
    153s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/10/2022, 14:11

General

  • Target

    a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe

  • Size

    427KB

  • MD5

    a10a571e2ede354e506dbc197124cf00

  • SHA1

    f906f361516ccac006b8e54ccb4bbb8fbba38a26

  • SHA256

    a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece

  • SHA512

    5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342

  • SSDEEP

    12288:6rE8cPDVurpbwA4VcjBNo4r1ex6tAmhZwwKo:bhurpbwALx1EaAmDwno

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
    "C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
      C:\Users\Admin\AppData\Local\Temp\a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Checks computer location settings
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe
        "C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4044
        • C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe
          C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:4808

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe

          Filesize

          427KB

          MD5

          a10a571e2ede354e506dbc197124cf00

          SHA1

          f906f361516ccac006b8e54ccb4bbb8fbba38a26

          SHA256

          a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece

          SHA512

          5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342

        • C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe

          Filesize

          427KB

          MD5

          a10a571e2ede354e506dbc197124cf00

          SHA1

          f906f361516ccac006b8e54ccb4bbb8fbba38a26

          SHA256

          a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece

          SHA512

          5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342

        • C:\Users\Admin\AppData\Local\Temp\jre\smartlogon.exe

          Filesize

          427KB

          MD5

          a10a571e2ede354e506dbc197124cf00

          SHA1

          f906f361516ccac006b8e54ccb4bbb8fbba38a26

          SHA256

          a4ed046324f40aacd4f57b7dd09df4312a12860a4749be9722dff12af6c7aece

          SHA512

          5a5ba67b7d1fb032a8dad105dfdf3dce55943003bb71bbafe480b2282d4b327f5f176063b3802e79d7732b5f85c0fd74cd835b1603589c78e0b0d40fd08f7342

        • memory/4044-153-0x0000000000400000-0x000000000052B000-memory.dmp

          Filesize

          1.2MB

        • memory/4044-148-0x0000000000400000-0x000000000052B000-memory.dmp

          Filesize

          1.2MB

        • memory/4808-154-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/4808-158-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/4808-156-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/4808-157-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/4808-155-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/4868-137-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/4868-136-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/4868-141-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/4868-147-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/4868-139-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/4868-140-0x0000000000400000-0x00000000004C5000-memory.dmp

          Filesize

          788KB

        • memory/4916-134-0x0000000000400000-0x000000000052B000-memory.dmp

          Filesize

          1.2MB

        • memory/4916-138-0x0000000000400000-0x000000000052B000-memory.dmp

          Filesize

          1.2MB