Overview

overview

10

Static

static

10

eb1eb6f521...a1.exe

windows7-x64

10

eb1eb6f521...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/11/2022, 18:12

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    eb1eb6f521645caa3fb4e55d6c5b737fe99d0c911a6064ec270c39e447d5b2a1.exe

  • Size

    756KB

  • MD5

    0dcb158a26e583d1a6f2b05b290c1982

  • SHA1

    4ec8441e97dc6a378ccb92b8b27b40b28993d5e5

  • SHA256

    eb1eb6f521645caa3fb4e55d6c5b737fe99d0c911a6064ec270c39e447d5b2a1

  • SHA512

    b88862037ebce2d96957180cedce63050d78d608cf90ff0ff4f5bad8db9434ba6fcae616ca9e20c2c134bd98fdf0621b9dab5660d3405ac31417d2a792b46718

  • SSDEEP

    12288:c9AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnKbFIIhIIc:KAQ6Zx9cxTmOrucTIEFSpOGp

Score
10/10
darkcometevasionrattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb1eb6f521645caa3fb4e55d6c5b737fe99d0c911a6064ec270c39e447d5b2a1.exe
    "C:\Users\Admin\AppData\Local\Temp\eb1eb6f521645caa3fb4e55d6c5b737fe99d0c911a6064ec270c39e447d5b2a1.exe"
    1⤵
    • Windows security bypass
    • Checks BIOS information in registry
    • Windows security modification
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Windows security bypass
      • Checks BIOS information in registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1428

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1428-133-0x0000000013140000-0x000000001320F000-memory.dmp

          Filesize

          828KB

          Download

        • memory/1428-134-0x0000000013140000-0x000000001320F000-memory.dmp

          Filesize

          828KB

          Download

        • memory/1428-135-0x0000000013140000-0x000000001320F000-memory.dmp

          Filesize

          828KB

          Download

        • memory/1428-136-0x0000000013140000-0x000000001320F000-memory.dmp

          Filesize

          828KB

          Download

        • memory/1428-137-0x0000000013140000-0x000000001320F000-memory.dmp

          Filesize

          828KB

          Download