Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231222-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20/01/2024, 14:11

General

  • Target: 6aa399068d8103d8e7e44c76a04a927f.exe
  • Size: 852KB
  • MD5: 6aa399068d8103d8e7e44c76a04a927f
  • SHA1: 286e985bbbb1aa4568bcc4f36d2c55c80cdc7e34
  • SHA256: 3d849011f1bda6edb5e9eebfb1c639fb0d5d4dc20cfc7605401e661a0ef1ebd2
  • SHA512: 3606ee585d4efee337b69b259c2179e021eb79fc1f76139502c1b4d4ff3a68f6f507af583c1686701f1835747b48a042fb19ddfdda0a916e2f76e1887e4f30e3
  • SSDEEP: 12288:6Ull2QkqHQOzbACXu2eq0yKcRENhm3k60doCcuesI+J2a0gwiKgfpZpjn8kNBDXo:66vNXuain63k60uro2FgwONDBBrCbM2

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe
    "C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops file in Drivers directory
      • Checks BIOS information in registry
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4520
      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe
        "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe"
        3⤵
        • Executes dropped EXE
        PID:1552

Network

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe
    Filesize: 17KB
    MD5: 66e265ca827a401294e0064082a71e29
    SHA1: d2dee7d9b7415b89f866d557aee69c7e74cc15a7
    SHA256: 8de30cb4c4be2b0f508ad074be04fdca829e7530f062319cc35da16dcb581f54
    SHA512: 3107dd5f5604f5fcbab46e6cc72e77a4d0565ecca06ba234022022c037604c40c918d233442b028716694cafa3a755c4f0bc2960ecc49810e9eb9bcdeb1aa891

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe
    Filesize: 477KB
    MD5: 8e39fd2e9d75384394c5d6a8b36fe59a
    SHA1: ca665be11d79e27916e1672a3ecab3ae868da50a
    SHA256: abed5d6051f25910572df226c0c9aa26a26993507edc554f0c93b51af0e8310a
    SHA512: a90e19d14fd945f67645aed436bfe46fad9e37dbc6d9d13b2d55041209cbdf378ead883cec767570704a452165a60093007e506822f6c8c0bd1e4ed5c02b8f88

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe
    Filesize: 524KB
    MD5: 3a3ba4b6373bde1843d01d10e1b6ee64
    SHA1: d9aa125d1b58ccb3d0fec336629e860f8e028a8a
    SHA256: 968809fd7feeecdfcf8bf29a88ccc55c3f95d15aca6b7a2afbdbeaf757152600
    SHA512: 1d5fc30e00f36a308467ed74f4e3d6e8463278b82c93076e2ad8131d66adac50ea57da2f93b53abcf5f5b81fa5ef427e9137589d870bab15282f6c796f11477e

  • memory/2776-1-0x00000000014D0000-0x00000000014E0000-memory.dmp
    Filesize: 64KB

  • memory/2776-0-0x00000000748C0000-0x0000000074E71000-memory.dmp
    Filesize: 5.7MB

  • memory/2776-2-0x00000000748C0000-0x0000000074E71000-memory.dmp
    Filesize: 5.7MB

  • memory/2776-10-0x00000000748C0000-0x0000000074E71000-memory.dmp
    Filesize: 5.7MB

  • memory/4520-4-0x0000000000400000-0x00000000004D9000-memory.dmp
    Filesize: 868KB

  • memory/4520-12-0x0000000000400000-0x00000000004D9000-memory.dmp
    Filesize: 868KB

  • memory/4520-13-0x00000000021F0000-0x00000000021F1000-memory.dmp
    Filesize: 4KB

  • memory/4520-11-0x0000000000400000-0x00000000004D9000-memory.dmp
    Filesize: 868KB

  • memory/4520-74-0x0000000000400000-0x00000000004D9000-memory.dmp
    Filesize: 868KB

  • memory/4520-5-0x0000000000400000-0x00000000004D9000-memory.dmp
    Filesize: 868KB

  • memory/4520-3-0x0000000000400000-0x00000000004D9000-memory.dmp
    Filesize: 868KB