Overview

overview

10

Static

static

10

433eff0c91...bb.exe

windows7-x64

10

433eff0c91...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2022 22:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe

  • Size

    635KB

  • MD5

    f9bb77131d91d3f78bbe5a3451774c5d

  • SHA1

    8fc14ed6bdcee4ccc1371cd4a47a74caea3419f5

  • SHA256

    433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb

  • SHA512

    05d157ed6295e96b42eaff1d74cd2c59d04f8f7b5b4a6aed272e8572212f45325ae42d0b0445ce7cdb0f43f68c34437952e32b463b04a21831a90cda0e0e21aa

  • SSDEEP

    12288:bpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/bB:twAcu99lPzvxP+Bsz2XjWTRMQckkIXnl

Score
10/10
darkcometpersistencerattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Drops file in Drivers directory 3 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
    "C:\Users\Admin\AppData\Local\Temp\433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Drivers directory
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Checks BIOS information in registry
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1120-55-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1120-58-0x000000000048E85C-mapping.dmp
    Download
  • memory/1120-57-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1120-59-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1120-61-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1120-62-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1120-63-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1464-54-0x00000000758B1000-0x00000000758B3000-memory.dmp
    Filesize

    8KB

    Download