Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2022 20:50

General

  • Target

    89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe

  • Size

    416KB

  • MD5

    9539e0727dd07c8c9ac33b199c23771e

  • SHA1

    b3d6376f44c8463ea7e24b84587c0d88de73f70a

  • SHA256

    89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c

  • SHA512

    c902098a4b7dd5b584351edabf685aef0df81d5b27a02d20ea6d20f6e87712903349f3803b5682b948ffc9fbad13f3ee2eb59f5125efc4f01ee1742babf36c89

  • SSDEEP

    12288:ENktTWDAyUNh/lMQo1cr/Ihi2TOsfKJcZLTsEJqPKe:dAO/ML10IhiCOsKJcZLgnPKe

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Windows security bypass 2 TTPs 2 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Windows security modification 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
    "C:\Users\Admin\AppData\Local\Temp\89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Users\Admin\AppData\Local\Temp\89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
      "C:\Users\Admin\AppData\Local\Temp\89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe"
      2⤵
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Checks BIOS information in registry
      • Windows security modification
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:904
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          4⤵
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Checks BIOS information in registry
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:636

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Disabling Security Tools

2
T1089

Modify Registry

2
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/636-78-0x00000000131F9040-mapping.dmp
  • memory/636-86-0x0000000013140000-0x00000000131FB000-memory.dmp
    Filesize

    748KB

  • memory/636-85-0x0000000013140000-0x00000000131FB000-memory.dmp
    Filesize

    748KB

  • memory/636-84-0x0000000013140000-0x00000000131FB000-memory.dmp
    Filesize

    748KB

  • memory/636-83-0x0000000013140000-0x00000000131FB000-memory.dmp
    Filesize

    748KB

  • memory/904-74-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

  • memory/904-73-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

  • memory/904-82-0x0000000000401000-0x0000000000508000-memory.dmp
    Filesize

    1.0MB

  • memory/904-80-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

  • memory/904-65-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

  • memory/904-68-0x000000000050C008-mapping.dmp
  • memory/904-70-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

  • memory/904-72-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

  • memory/960-60-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

  • memory/2008-71-0x0000000013140000-0x00000000131FB000-memory.dmp
    Filesize

    748KB

  • memory/2008-62-0x0000000013140000-0x00000000131FB000-memory.dmp
    Filesize

    748KB

  • memory/2008-56-0x0000000013140000-0x00000000131FB000-memory.dmp
    Filesize

    748KB

  • memory/2008-64-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

  • memory/2008-61-0x0000000013140000-0x00000000131FB000-memory.dmp
    Filesize

    748KB

  • memory/2008-63-0x0000000013140000-0x00000000131FB000-memory.dmp
    Filesize

    748KB

  • memory/2008-59-0x00000000757A1000-0x00000000757A3000-memory.dmp
    Filesize

    8KB

  • memory/2008-58-0x0000000013140000-0x00000000131FB000-memory.dmp
    Filesize

    748KB

  • memory/2008-57-0x00000000131F9040-mapping.dmp