Overview

overview

10

Static

static

3

79f037b4ad...2d.exe

windows7-x64

3

79f037b4ad...2d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/01/2024, 09:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    79f037b4ad9b668ed7825b681f26a32d.exe

  • Size

    808KB

  • MD5

    79f037b4ad9b668ed7825b681f26a32d

  • SHA1

    89335227923a78eb089fdd1a7935220930b80587

  • SHA256

    261f6096b399657d161ad0b03a7bb2468ef0973c95ef773d08f3b143de79723f

  • SHA512

    792a7e82170e291e89210208f9b08de599013569a853c71685973b3fe36a65b8dd23c0e5f8689d7fddc80192a6490a2359a58aa371b9c8513e4844074d7f440c

  • SSDEEP

    24576:5pbvPk+0gYUM1zRuC/WL56enKiuF4U3Jv/0:5GngYV1AC/AQGKisZv/0

Score
10/10
darkcometpersistencerattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\79f037b4ad9b668ed7825b681f26a32d.exe
    "C:\Users\Admin\AppData\Local\Temp\79f037b4ad9b668ed7825b681f26a32d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Local\Temp\79f037b4ad9b668ed7825b681f26a32d.exe
      C:\Users\Admin\AppData\Local\Temp\79f037b4ad9b668ed7825b681f26a32d.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Checks computer location settings
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Users\Admin\AppData\Roaming\GoogleUpdater\GoogleUpdater.exe
        "C:\Users\Admin\AppData\Roaming\GoogleUpdater\GoogleUpdater.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Users\Admin\AppData\Roaming\GoogleUpdater\GoogleUpdater.exe
          C:\Users\Admin\AppData\Roaming\GoogleUpdater\GoogleUpdater.exe
          4⤵
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1240
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4424
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 2
          4⤵
          • Runs ping.exe
          PID:4892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat
    Filesize

    105B

    MD5

    3639b7a23a11c05f0e2a103b63fd2953

    SHA1

    f1d84bfddeea02ec1abef99ae65b354712783bc3

    SHA256

    0fc839bfc2d7a480ea1b4e5f4a8ad38af0a60eced479ef8a04e63b57af22cdc6

    SHA512

    a58d0fb379e2104058446c0c96dd761cd0dbab64fcee6c00d7cb29a4959f4eed753f72901ceb2481b24ed2a6670569b6e2a07a14f48c29fca72fa08988444d59

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GoogleUpdater\GoogleUpdater.exe
    Filesize

    808KB

    MD5

    79f037b4ad9b668ed7825b681f26a32d

    SHA1

    89335227923a78eb089fdd1a7935220930b80587

    SHA256

    261f6096b399657d161ad0b03a7bb2468ef0973c95ef773d08f3b143de79723f

    SHA512

    792a7e82170e291e89210208f9b08de599013569a853c71685973b3fe36a65b8dd23c0e5f8689d7fddc80192a6490a2359a58aa371b9c8513e4844074d7f440c

    Download Submit

  • memory/1240-65-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-56-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-73-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-72-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-71-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-54-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-70-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-69-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-68-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-55-0x00000000023C0000-0x00000000023C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1240-57-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-66-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-59-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-58-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-67-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-52-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-61-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-60-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-53-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-62-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-63-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1240-64-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/1988-2-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/3952-0-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/3952-3-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/3952-1-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/3952-44-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/3952-6-0x0000000002400000-0x0000000002401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3952-5-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/3952-4-0x0000000000400000-0x00000000004C8000-memory.dmp

    Filesize

    800KB

    Download

  • memory/4832-50-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download