Analysis

  • max time kernel
    150s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 06:06

General

  • Target

    6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe

  • Size

    382KB

  • MD5

    1ebf9166d9b0e6bc0415f665f7fcd626

  • SHA1

    dd172a3834de7cf3af5d19500559996d3b0ace49

  • SHA256

    6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311

  • SHA512

    86daa80e18ff3d7a3785f6f89f97c2c664ca32ac4f4a373a3bd311f7cb4b1f0c7ce4312590756cea3db998881a6a78b3147f1ecb78a5cb02bb9836a67380f433

  • SSDEEP

    6144:8lb6SDOiIN4o2cOMayarS0IjX7n6wXmzbBFXm6d/p:80Siiu2cOMayaZerXXmhFXmyh

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
    "C:\Users\Admin\AppData\Local\Temp\6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\AppData\Local\Temp\6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe" +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:1724
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      2⤵
        PID:1728
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        2⤵
          PID:2004

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Hidden Files and Directories

      2
      T1158

      Defense Evasion

      Hidden Files and Directories

      2
      T1158

      Discovery

      System Information Discovery

      1
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
        Filesize

        119B

        MD5

        be05b49f5290e39bea8f5845c8954d2d

        SHA1

        9e10a04d4520b40ecbd4a6baced3637588835215

        SHA256

        bddde9bec40e0032ebf4a886a3edf64e35209a88b0f1ab30f080e373aef6630e

        SHA512

        e4fcb83393feeb90ea24c30902874002d9de286b3ad1bb8537dbab20a88d1e800cb81a671890b32a834c49e1bf31fb0cc49654ffca7be9061070a8f63e704b71

      • memory/1028-54-0x0000000075021000-0x0000000075023000-memory.dmp
        Filesize

        8KB

      • memory/1028-55-0x0000000000400000-0x00000000004F9000-memory.dmp
        Filesize

        996KB

      • memory/1028-59-0x0000000000400000-0x00000000004F9000-memory.dmp
        Filesize

        996KB

      • memory/1076-56-0x0000000000000000-mapping.dmp
      • memory/1724-58-0x0000000000000000-mapping.dmp