Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    20/01/2024, 21:25

General

  • Target

    6b83823e49a39f298c15c3ff547fa406.exe

  • Size

    746KB

  • MD5

    6b83823e49a39f298c15c3ff547fa406

  • SHA1

    87a6d44cfe44f3d452465ca8512b1a06041d92dd

  • SHA256

    3f19fa1892210bd294995f2a1a35487161f1dc17ec665565cc30353a7c4f3966

  • SHA512

    7aac8200aab701757e8bb05e2d2b49933f263e406f8782a8e9a94ba81a5763c088bee70a69db7720c6e1474ea1e1f6c470d00dd3e8f28449c921e0757dc34c99

  • SSDEEP

    12288:B6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfh3svv:kAmBpVKHu0Mu9Xo20VGLVP5cvv

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b83823e49a39f298c15c3ff547fa406.exe
    "C:\Users\Admin\AppData\Local\Temp\6b83823e49a39f298c15c3ff547fa406.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windupdt\winupdate.exe
      "C:\Windupdt\winupdate.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2076
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\6b83823e49a39f298c15c3ff547fa406.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2708
  • C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    1⤵
    • Runs ping.exe
    PID:2928

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Windupdt\winupdate.exe

          Filesize

          746KB

          MD5

          6b83823e49a39f298c15c3ff547fa406

          SHA1

          87a6d44cfe44f3d452465ca8512b1a06041d92dd

          SHA256

          3f19fa1892210bd294995f2a1a35487161f1dc17ec665565cc30353a7c4f3966

          SHA512

          7aac8200aab701757e8bb05e2d2b49933f263e406f8782a8e9a94ba81a5763c088bee70a69db7720c6e1474ea1e1f6c470d00dd3e8f28449c921e0757dc34c99

        • memory/2076-13-0x0000000000400000-0x00000000004CC000-memory.dmp

          Filesize

          816KB

        • memory/2076-15-0x0000000000400000-0x00000000004CC000-memory.dmp

          Filesize

          816KB

        • memory/2440-0-0x0000000000260000-0x0000000000261000-memory.dmp

          Filesize

          4KB

        • memory/2440-12-0x0000000000400000-0x00000000004CC000-memory.dmp

          Filesize

          816KB