Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
02-12-2022 22:17
General
-
Target
433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe
-
Size
635KB
-
MD5
f9bb77131d91d3f78bbe5a3451774c5d
-
SHA1
8fc14ed6bdcee4ccc1371cd4a47a74caea3419f5
-
SHA256
433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb
-
SHA512
05d157ed6295e96b42eaff1d74cd2c59d04f8f7b5b4a6aed272e8572212f45325ae42d0b0445ce7cdb0f43f68c34437952e32b463b04a21831a90cda0e0e21aa
-
SSDEEP
12288:bpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/bB:twAcu99lPzvxP+Bsz2XjWTRMQckkIXnl
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Drops file in Drivers directory 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe"C:\Users\Admin\AppData\Local\Temp\433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"2⤵
-
C:\Windows\SysWOW64\Drivers\sys.exe"C:\Windows\system32\Drivers\sys.exe"2⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\Drivers\sys.exeFilesize
635KB
MD5f9bb77131d91d3f78bbe5a3451774c5d
SHA18fc14ed6bdcee4ccc1371cd4a47a74caea3419f5
SHA256433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb
SHA51205d157ed6295e96b42eaff1d74cd2c59d04f8f7b5b4a6aed272e8572212f45325ae42d0b0445ce7cdb0f43f68c34437952e32b463b04a21831a90cda0e0e21aa
-
C:\Windows\SysWOW64\drivers\sys.exeFilesize
635KB
MD5f9bb77131d91d3f78bbe5a3451774c5d
SHA18fc14ed6bdcee4ccc1371cd4a47a74caea3419f5
SHA256433eff0c911631a3435f3eda62ae2ca1af9dba19ec2c82491718d32e75e012bb
SHA51205d157ed6295e96b42eaff1d74cd2c59d04f8f7b5b4a6aed272e8572212f45325ae42d0b0445ce7cdb0f43f68c34437952e32b463b04a21831a90cda0e0e21aa
-
memory/3304-136-0x0000000000000000-mapping.dmp
-
memory/3304-137-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/3304-138-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/3304-139-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/3304-140-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/3304-141-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/3552-133-0x0000000000000000-mapping.dmp
-
memory/4720-132-0x0000000000000000-mapping.dmp