Analysis

  • max time kernel
    199s
  • max time network
    208s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 17:18

General

  • Target

    ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe

  • Size

    1.1MB

  • MD5

    59df407b5467a284a67e83f4d4d7f26f

  • SHA1

    53fe26ffc354d7db21e7d347f39d65cced74d3df

  • SHA256

    ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832

  • SHA512

    720c57394af736c0f74723e0bbc6efad7e3baec16c09aca0f217e1df2ffdecc55b4deb1b768f0a00295fb9ed321b800448640968880f2d67d6a75db77c102511

  • SSDEEP

    12288:eZC95zlFQ4KHeyDuP+xQV1K0eNnG+8tAVAO2BQgeMCDvRdPQGUDBbRe:eu5xzKLF01teNIAZeQgeM4FQGgQ

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
    "C:\Users\Admin\AppData\Local\Temp\ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3756
    • C:\Users\Admin\AppData\Local\Temp\ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe
      "C:\Users\Admin\AppData\Local\Temp\ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4144
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • Adds Run key to start application
        PID:2520
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
          PID:3636
        • C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3508
          • C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe"
            4⤵
            • Modifies firewall policy service
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:2416

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe

      Filesize

      1.1MB

      MD5

      59df407b5467a284a67e83f4d4d7f26f

      SHA1

      53fe26ffc354d7db21e7d347f39d65cced74d3df

      SHA256

      ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832

      SHA512

      720c57394af736c0f74723e0bbc6efad7e3baec16c09aca0f217e1df2ffdecc55b4deb1b768f0a00295fb9ed321b800448640968880f2d67d6a75db77c102511

    • C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe

      Filesize

      1.1MB

      MD5

      59df407b5467a284a67e83f4d4d7f26f

      SHA1

      53fe26ffc354d7db21e7d347f39d65cced74d3df

      SHA256

      ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832

      SHA512

      720c57394af736c0f74723e0bbc6efad7e3baec16c09aca0f217e1df2ffdecc55b4deb1b768f0a00295fb9ed321b800448640968880f2d67d6a75db77c102511

    • C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe

      Filesize

      1.1MB

      MD5

      59df407b5467a284a67e83f4d4d7f26f

      SHA1

      53fe26ffc354d7db21e7d347f39d65cced74d3df

      SHA256

      ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832

      SHA512

      720c57394af736c0f74723e0bbc6efad7e3baec16c09aca0f217e1df2ffdecc55b4deb1b768f0a00295fb9ed321b800448640968880f2d67d6a75db77c102511

    • C:\Users\Admin\AppData\Roaming\Microsoft\WinUpdater.exe

      Filesize

      1.1MB

      MD5

      59df407b5467a284a67e83f4d4d7f26f

      SHA1

      53fe26ffc354d7db21e7d347f39d65cced74d3df

      SHA256

      ba2c5c13128c441ab9bda29e9836e3ebae03ed62f90bba9fb1ad85e8a358c832

      SHA512

      720c57394af736c0f74723e0bbc6efad7e3baec16c09aca0f217e1df2ffdecc55b4deb1b768f0a00295fb9ed321b800448640968880f2d67d6a75db77c102511

    • memory/2416-156-0x0000000013140000-0x00000000131FE000-memory.dmp

      Filesize

      760KB

    • memory/2416-155-0x0000000013140000-0x00000000131FE000-memory.dmp

      Filesize

      760KB

    • memory/2416-154-0x0000000013140000-0x00000000131FE000-memory.dmp

      Filesize

      760KB

    • memory/2416-150-0x0000000000000000-mapping.dmp

    • memory/2520-137-0x0000000000000000-mapping.dmp

    • memory/3508-147-0x0000000000000000-mapping.dmp

    • memory/3636-141-0x0000000000000000-mapping.dmp

    • memory/3636-144-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

    • memory/3636-143-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

    • memory/3636-145-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

    • memory/3636-146-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

    • memory/3636-142-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

    • memory/4144-132-0x0000000000000000-mapping.dmp

    • memory/4144-149-0x0000000013140000-0x00000000131FE000-memory.dmp

      Filesize

      760KB

    • memory/4144-140-0x0000000013140000-0x00000000131FE000-memory.dmp

      Filesize

      760KB

    • memory/4144-136-0x0000000013140000-0x00000000131FE000-memory.dmp

      Filesize

      760KB

    • memory/4144-135-0x0000000013140000-0x00000000131FE000-memory.dmp

      Filesize

      760KB

    • memory/4144-134-0x0000000013140000-0x00000000131FE000-memory.dmp

      Filesize

      760KB

    • memory/4144-133-0x0000000013140000-0x00000000131FE000-memory.dmp

      Filesize

      760KB