Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    05-01-2024 17:36

General

  • Target

    44083ccdc05f57a3b919d0e38f374f2f.exe

  • Size

    659KB

  • MD5

    44083ccdc05f57a3b919d0e38f374f2f

  • SHA1

    2ed4195ff0713494a575661faf7098c77cbdf8f1

  • SHA256

    85a021577c2ae040ae90d5bf7fa0fa9e0b97060fb2a8d2dada64d32c6ff75d6d

  • SHA512

    90d05d2887067d71bd2688331f372c8506feecd3054707eeaf8254a1413c28ae50f70888be45b3ee79b3230843784b13e51631fd2d4e5d87e510679aed5f3987

  • SSDEEP

    12288:59AFlAd0Z+89cxTGzO4AucTD8QP2lmFSrVs9LqnK9:/AQ6Zx9cxTmOrucTIEFSpOGg

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44083ccdc05f57a3b919d0e38f374f2f.exe
    "C:\Users\Admin\AppData\Local\Temp\44083ccdc05f57a3b919d0e38f374f2f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Modifies security service
      • Checks BIOS information in registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\notepad.exe
        C:\Windows\SysWOW64\notepad.exe
        3⤵
          PID:2856
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        2⤵
        • Adds Run key to start application
        PID:1132

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1132-2-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

    • memory/1132-31-0x0000000000790000-0x0000000000791000-memory.dmp

      Filesize

      4KB

    • memory/1820-38-0x0000000013140000-0x00000000131F6000-memory.dmp

      Filesize

      728KB

    • memory/1820-0-0x00000000002C0000-0x00000000002C1000-memory.dmp

      Filesize

      4KB

    • memory/2716-42-0x0000000013140000-0x00000000131F6000-memory.dmp

      Filesize

      728KB

    • memory/2716-39-0x0000000013140000-0x00000000131F6000-memory.dmp

      Filesize

      728KB

    • memory/2716-37-0x0000000013140000-0x00000000131F6000-memory.dmp

      Filesize

      728KB

    • memory/2716-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2716-33-0x0000000013140000-0x00000000131F6000-memory.dmp

      Filesize

      728KB

    • memory/2716-40-0x0000000013140000-0x00000000131F6000-memory.dmp

      Filesize

      728KB

    • memory/2716-44-0x00000000001E0000-0x00000000001E1000-memory.dmp

      Filesize

      4KB

    • memory/2716-72-0x0000000013140000-0x00000000131F6000-memory.dmp

      Filesize

      728KB

    • memory/2856-68-0x0000000000500000-0x0000000000501000-memory.dmp

      Filesize

      4KB