Analysis

  • max time kernel
    190s
  • max time network
    204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2022, 18:21

General

  • Target

    e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe

  • Size

    1.2MB

  • MD5

    8c50ed6f779f15cee678f46f767f00b7

  • SHA1

    61ff380eb2544eaea307df43f7f4cdc3fcb93a63

  • SHA256

    e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799

  • SHA512

    16a0548092ebf96a29ca508ed037f32bfe7af0a23457607d5bf697d549d3f2203ab5890cd990ebb950d7b0bc254782665d8e5bb63bce0c7a5fca9fd774b00c7c

  • SSDEEP

    24576:V+lr0S6fNVMPMgvu17YcTHVMqFCoUGksCoUGk:QRqFCobbCob

Score
10/10

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe
    "C:\Users\Admin\AppData\Local\Temp\e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Users\Admin\AppData\Local\Temp\plugtemp\svhostnr.exe
      C:\Users\Admin\AppData\Local\Temp\\plugtemp\svhostnr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3440
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e4adb5aefd0587c877ce970609950566b0b47278fc7302a60bf0eeba50c23799.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3388
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • Runs ping.exe
        PID:1640

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\plugtemp\svhostnr.exe

    Filesize

    1.1MB

    MD5

    d881de17aa8f2e2c08cbb7b265f928f9

    SHA1

    08936aebc87decf0af6e8eada191062b5e65ac2a

    SHA256

    b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

    SHA512

    5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

  • C:\Users\Admin\AppData\Local\Temp\plugtemp\svhostnr.exe

    Filesize

    1.1MB

    MD5

    d881de17aa8f2e2c08cbb7b265f928f9

    SHA1

    08936aebc87decf0af6e8eada191062b5e65ac2a

    SHA256

    b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

    SHA512

    5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

  • memory/3440-135-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/3440-138-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/3440-139-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/3440-141-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/3440-142-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/3440-143-0x0000000000400000-0x00000000004AF000-memory.dmp

    Filesize

    700KB

  • memory/3500-132-0x0000000075410000-0x00000000759C1000-memory.dmp

    Filesize

    5.7MB

  • memory/3500-133-0x0000000075410000-0x00000000759C1000-memory.dmp

    Filesize

    5.7MB

  • memory/3500-146-0x0000000075410000-0x00000000759C1000-memory.dmp

    Filesize

    5.7MB