Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/01/2024, 10:13

General

  • Target

    6a27d634d60cf8f2b9271c185cf76da2.exe

  • Size

    1.3MB

  • MD5

    6a27d634d60cf8f2b9271c185cf76da2

  • SHA1

    ac96a1b10ce298ee5b2a95fdf3a2eeaf200ed3b0

  • SHA256

    1d2e094fb574bb2d941f69394e1324fce3247cdfa8c5e09fee9c18a906b1e88d

  • SHA512

    9e348a29794381ac72ca20eb72f32c1f02d49011296c472e273287187364a77453573753422eed0b3f1c073b6981376474353d25b9977511622a4de1c021cdaa

  • SSDEEP

    24576:MdwQH6icoECFpWylHAy8IYQoRJCSrG1mxMJaFjEx4AFcxsv:YluoE0pWylgy8DQozCcycMJJxtFciv

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a27d634d60cf8f2b9271c185cf76da2.exe
    "C:\Users\Admin\AppData\Local\Temp\6a27d634d60cf8f2b9271c185cf76da2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Users\Admin\AppData\Local\Temp\6a27d634d60cf8f2b9271c185cf76da2.exe
      C:\Users\Admin\AppData\Local\Temp\6a27d634d60cf8f2b9271c185cf76da2.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
          PID:880
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 424
            4⤵
            • Program crash
            PID:4880
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 428
            4⤵
            • Program crash
            PID:4504
        • C:\Windows\SysWOW64\notepad.exe
          notepad
          3⤵
          • Adds Run key to start application
          PID:4548
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 880 -ip 880
      1⤵
        PID:3104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 880 -ip 880
        1⤵
          PID:3044

        Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Windupdt\winupdate.exe

                Filesize

                551KB

                MD5

                6645f3c89747d9bc1431e3f1e63d180e

                SHA1

                5961aae00e2704c2990f9f82949800fc8d942b46

                SHA256

                b141f1846303e0e06b25b39a11e964ea4dfcd4ef2a213fce562ac85e7465faf3

                SHA512

                6b0650c162cfe853782d0f6ea486a76adbb5cf612bfc2cbcdf920bd85a3e5f67ac988afa7acf848a2cc0f4489618f59fc965b0687e1e742cc0f6b859ec2debc1

              • C:\Windupdt\winupdate.exe

                Filesize

                570KB

                MD5

                4e6007d7c78943ebac012ffea154fc6f

                SHA1

                819497a5d71304194804b7e83d88b84815ca796e

                SHA256

                478cf4e506d591245aa432fe7bd743753b78f9f62efa7c53a3fcb6a4d8719b85

                SHA512

                7d6b2acebc2455f755ca7a5adf00ab716e15039a97c1009360f0a205d3907991a7e1e12d49eb8b90797b9e60d5106b68dfd0312f129c1c01952269ee17aee453

              • memory/880-19-0x0000000000400000-0x00000000007BF000-memory.dmp

                Filesize

                3.7MB

              • memory/880-17-0x0000000000400000-0x00000000007BF000-memory.dmp

                Filesize

                3.7MB

              • memory/3572-0-0x0000000000400000-0x00000000007BF000-memory.dmp

                Filesize

                3.7MB

              • memory/3572-7-0x0000000000400000-0x00000000007BF000-memory.dmp

                Filesize

                3.7MB

              • memory/4548-11-0x0000000000750000-0x0000000000751000-memory.dmp

                Filesize

                4KB

              • memory/5036-6-0x0000000013140000-0x00000000131F6000-memory.dmp

                Filesize

                728KB

              • memory/5036-9-0x00000000024C0000-0x00000000024C1000-memory.dmp

                Filesize

                4KB

              • memory/5036-20-0x0000000013140000-0x00000000131F6000-memory.dmp

                Filesize

                728KB

              • memory/5036-5-0x0000000013140000-0x00000000131F6000-memory.dmp

                Filesize

                728KB

              • memory/5036-4-0x0000000013140000-0x00000000131F6000-memory.dmp

                Filesize

                728KB

              • memory/5036-8-0x0000000013140000-0x00000000131F6000-memory.dmp

                Filesize

                728KB