Analysis

  • max time kernel
    168s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19/10/2022, 15:24

General

  • Target

    ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe

  • Size

    722KB

  • MD5

    90ac06a2414f7e75aed6dcb016eb41b0

  • SHA1

    8b2a95f7626309bdf010e90b7319f46ea6f96a4f

  • SHA256

    ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782

  • SHA512

    0b221f4abf897863eed2cd0c7e74f7c89dcc03efd268e1b4a5dcda5c702baece726b037e0063c97693233b62c799cfa656d094994fbf27686de1a88358ecbed4

  • SSDEEP

    12288:wXqEOatU3laKYngXav2lhGicknX2ZChoJNrlcknBckn:wpt4laKvXavUcicShWpc2c

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
    "C:\Users\Admin\AppData\Local\Temp\ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\cmd.exe
      "cmd"
      2⤵
        PID:2004
      • C:\Users\Admin\AppData\Local\Temp\ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
        ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
        2⤵
        • Checks BIOS information in registry
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Windows\SysWOW64\notepad.exe
          C:\Windows\SysWOW64\notepad.exe
          3⤵
            PID:364
        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1676
          • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:880
            • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe
              wmpmetwk.exe
              4⤵
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Checks processor information in registry
              • Enumerates system info in registry
              • Suspicious use of AdjustPrivilegeToken
              PID:804

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe

              Filesize

              9KB

              MD5

              ee0f561c8a6410b492f0cc3a79547c1e

              SHA1

              14995bc4eb36ba5169053fb1dba755cbba2bc386

              SHA256

              9f99ed2c4a40cf80d40682cbc75553396be44fad5ad9c9c4013170d24cb279ba

              SHA512

              ab8a2cf54d63c1553c532b299ab9dbae630660115e8dd51c28e1a50544bd42904e224fcee18026fe467f87c2ef8f58ecd50f31cf3cab3e0b9050a61552d9c335

            • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe

              Filesize

              9KB

              MD5

              ee0f561c8a6410b492f0cc3a79547c1e

              SHA1

              14995bc4eb36ba5169053fb1dba755cbba2bc386

              SHA256

              9f99ed2c4a40cf80d40682cbc75553396be44fad5ad9c9c4013170d24cb279ba

              SHA512

              ab8a2cf54d63c1553c532b299ab9dbae630660115e8dd51c28e1a50544bd42904e224fcee18026fe467f87c2ef8f58ecd50f31cf3cab3e0b9050a61552d9c335

            • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe

              Filesize

              722KB

              MD5

              90ac06a2414f7e75aed6dcb016eb41b0

              SHA1

              8b2a95f7626309bdf010e90b7319f46ea6f96a4f

              SHA256

              ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782

              SHA512

              0b221f4abf897863eed2cd0c7e74f7c89dcc03efd268e1b4a5dcda5c702baece726b037e0063c97693233b62c799cfa656d094994fbf27686de1a88358ecbed4

            • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe

              Filesize

              722KB

              MD5

              90ac06a2414f7e75aed6dcb016eb41b0

              SHA1

              8b2a95f7626309bdf010e90b7319f46ea6f96a4f

              SHA256

              ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782

              SHA512

              0b221f4abf897863eed2cd0c7e74f7c89dcc03efd268e1b4a5dcda5c702baece726b037e0063c97693233b62c799cfa656d094994fbf27686de1a88358ecbed4

            • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe

              Filesize

              722KB

              MD5

              90ac06a2414f7e75aed6dcb016eb41b0

              SHA1

              8b2a95f7626309bdf010e90b7319f46ea6f96a4f

              SHA256

              ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782

              SHA512

              0b221f4abf897863eed2cd0c7e74f7c89dcc03efd268e1b4a5dcda5c702baece726b037e0063c97693233b62c799cfa656d094994fbf27686de1a88358ecbed4

            • \Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe

              Filesize

              9KB

              MD5

              ee0f561c8a6410b492f0cc3a79547c1e

              SHA1

              14995bc4eb36ba5169053fb1dba755cbba2bc386

              SHA256

              9f99ed2c4a40cf80d40682cbc75553396be44fad5ad9c9c4013170d24cb279ba

              SHA512

              ab8a2cf54d63c1553c532b299ab9dbae630660115e8dd51c28e1a50544bd42904e224fcee18026fe467f87c2ef8f58ecd50f31cf3cab3e0b9050a61552d9c335

            • \Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe

              Filesize

              722KB

              MD5

              90ac06a2414f7e75aed6dcb016eb41b0

              SHA1

              8b2a95f7626309bdf010e90b7319f46ea6f96a4f

              SHA256

              ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782

              SHA512

              0b221f4abf897863eed2cd0c7e74f7c89dcc03efd268e1b4a5dcda5c702baece726b037e0063c97693233b62c799cfa656d094994fbf27686de1a88358ecbed4

            • \Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe

              Filesize

              722KB

              MD5

              90ac06a2414f7e75aed6dcb016eb41b0

              SHA1

              8b2a95f7626309bdf010e90b7319f46ea6f96a4f

              SHA256

              ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782

              SHA512

              0b221f4abf897863eed2cd0c7e74f7c89dcc03efd268e1b4a5dcda5c702baece726b037e0063c97693233b62c799cfa656d094994fbf27686de1a88358ecbed4

            • memory/804-99-0x00000000131C6000-0x0000000013202000-memory.dmp

              Filesize

              240KB

            • memory/880-87-0x0000000074360000-0x000000007490B000-memory.dmp

              Filesize

              5.7MB

            • memory/880-103-0x0000000074360000-0x000000007490B000-memory.dmp

              Filesize

              5.7MB

            • memory/880-90-0x0000000074360000-0x000000007490B000-memory.dmp

              Filesize

              5.7MB

            • memory/1364-82-0x00000000131C6000-0x0000000013202000-memory.dmp

              Filesize

              240KB

            • memory/1364-68-0x0000000013140000-0x000000001320B000-memory.dmp

              Filesize

              812KB

            • memory/1364-62-0x0000000013140000-0x000000001320B000-memory.dmp

              Filesize

              812KB

            • memory/1364-66-0x0000000013140000-0x000000001320B000-memory.dmp

              Filesize

              812KB

            • memory/1364-60-0x0000000013140000-0x000000001320B000-memory.dmp

              Filesize

              812KB

            • memory/1364-58-0x0000000013140000-0x000000001320B000-memory.dmp

              Filesize

              812KB

            • memory/1364-101-0x00000000131C6000-0x0000000013202000-memory.dmp

              Filesize

              240KB

            • memory/1364-67-0x0000000013140000-0x000000001320B000-memory.dmp

              Filesize

              812KB

            • memory/1364-64-0x0000000013140000-0x000000001320B000-memory.dmp

              Filesize

              812KB

            • memory/1364-57-0x0000000013140000-0x000000001320B000-memory.dmp

              Filesize

              812KB

            • memory/1676-84-0x0000000074360000-0x000000007490B000-memory.dmp

              Filesize

              5.7MB

            • memory/1676-102-0x0000000074360000-0x000000007490B000-memory.dmp

              Filesize

              5.7MB

            • memory/2024-54-0x0000000076031000-0x0000000076033000-memory.dmp

              Filesize

              8KB

            • memory/2024-100-0x0000000074360000-0x000000007490B000-memory.dmp

              Filesize

              5.7MB

            • memory/2024-55-0x0000000074360000-0x000000007490B000-memory.dmp

              Filesize

              5.7MB