Analysis

  • max time kernel
    176s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/10/2022, 15:24

General

  • Target

    ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe

  • Size

    722KB

  • MD5

    90ac06a2414f7e75aed6dcb016eb41b0

  • SHA1

    8b2a95f7626309bdf010e90b7319f46ea6f96a4f

  • SHA256

    ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782

  • SHA512

    0b221f4abf897863eed2cd0c7e74f7c89dcc03efd268e1b4a5dcda5c702baece726b037e0063c97693233b62c799cfa656d094994fbf27686de1a88358ecbed4

  • SSDEEP

    12288:wXqEOatU3laKYngXav2lhGicknX2ZChoJNrlcknBckn:wpt4laKvXavUcicShWpc2c

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
    "C:\Users\Admin\AppData\Local\Temp\ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\SysWOW64\cmd.exe
      "cmd"
      2⤵
      • NTFS ADS
      PID:4984
    • C:\Users\Admin\AppData\Local\Temp\ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
      ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782.exe
      2⤵
      • Checks BIOS information in registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Windows\SysWOW64\notepad.exe
        C:\Windows\SysWOW64\notepad.exe
        3⤵
          PID:2032
      • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4604
        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5000
          • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe
            wmpmetwk.exe
            4⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:3964

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe

            Filesize

            9KB

            MD5

            ee0f561c8a6410b492f0cc3a79547c1e

            SHA1

            14995bc4eb36ba5169053fb1dba755cbba2bc386

            SHA256

            9f99ed2c4a40cf80d40682cbc75553396be44fad5ad9c9c4013170d24cb279ba

            SHA512

            ab8a2cf54d63c1553c532b299ab9dbae630660115e8dd51c28e1a50544bd42904e224fcee18026fe467f87c2ef8f58ecd50f31cf3cab3e0b9050a61552d9c335

          • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\audiodgi.exe

            Filesize

            9KB

            MD5

            ee0f561c8a6410b492f0cc3a79547c1e

            SHA1

            14995bc4eb36ba5169053fb1dba755cbba2bc386

            SHA256

            9f99ed2c4a40cf80d40682cbc75553396be44fad5ad9c9c4013170d24cb279ba

            SHA512

            ab8a2cf54d63c1553c532b299ab9dbae630660115e8dd51c28e1a50544bd42904e224fcee18026fe467f87c2ef8f58ecd50f31cf3cab3e0b9050a61552d9c335

          • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe

            Filesize

            722KB

            MD5

            90ac06a2414f7e75aed6dcb016eb41b0

            SHA1

            8b2a95f7626309bdf010e90b7319f46ea6f96a4f

            SHA256

            ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782

            SHA512

            0b221f4abf897863eed2cd0c7e74f7c89dcc03efd268e1b4a5dcda5c702baece726b037e0063c97693233b62c799cfa656d094994fbf27686de1a88358ecbed4

          • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe

            Filesize

            722KB

            MD5

            90ac06a2414f7e75aed6dcb016eb41b0

            SHA1

            8b2a95f7626309bdf010e90b7319f46ea6f96a4f

            SHA256

            ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782

            SHA512

            0b221f4abf897863eed2cd0c7e74f7c89dcc03efd268e1b4a5dcda5c702baece726b037e0063c97693233b62c799cfa656d094994fbf27686de1a88358ecbed4

          • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Credentials\wmpmetwk.exe

            Filesize

            722KB

            MD5

            90ac06a2414f7e75aed6dcb016eb41b0

            SHA1

            8b2a95f7626309bdf010e90b7319f46ea6f96a4f

            SHA256

            ed4473bf72c40216fed4b6ea51e772b4c9847b24a44423adabff5c5dea3fe782

            SHA512

            0b221f4abf897863eed2cd0c7e74f7c89dcc03efd268e1b4a5dcda5c702baece726b037e0063c97693233b62c799cfa656d094994fbf27686de1a88358ecbed4

          • memory/900-156-0x0000000075310000-0x00000000758C1000-memory.dmp

            Filesize

            5.7MB

          • memory/900-132-0x0000000075310000-0x00000000758C1000-memory.dmp

            Filesize

            5.7MB

          • memory/4216-135-0x0000000013140000-0x000000001320B000-memory.dmp

            Filesize

            812KB

          • memory/4216-139-0x0000000013140000-0x000000001320B000-memory.dmp

            Filesize

            812KB

          • memory/4216-138-0x0000000013140000-0x000000001320B000-memory.dmp

            Filesize

            812KB

          • memory/4216-137-0x0000000013140000-0x000000001320B000-memory.dmp

            Filesize

            812KB

          • memory/4216-136-0x0000000013140000-0x000000001320B000-memory.dmp

            Filesize

            812KB

          • memory/4604-154-0x0000000075310000-0x00000000758C1000-memory.dmp

            Filesize

            5.7MB

          • memory/4604-157-0x0000000075310000-0x00000000758C1000-memory.dmp

            Filesize

            5.7MB

          • memory/5000-155-0x0000000075310000-0x00000000758C1000-memory.dmp

            Filesize

            5.7MB

          • memory/5000-158-0x0000000075310000-0x00000000758C1000-memory.dmp

            Filesize

            5.7MB