Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/02/2024, 20:19

General

  • Target

    a2a9aa7d747dc872400ced400f162bfa.exe

  • Size

    1.1MB

  • MD5

    a2a9aa7d747dc872400ced400f162bfa

  • SHA1

    c7c900a9b5341975beef45d15acaf24d93e0e42d

  • SHA256

    f5f0bd9714c7b145305035b817957668e9ac5f1aac855ae82a638011e6860488

  • SHA512

    8ee2ed9b131091fb6ab2103117fbc69f7337dd2d1bf7db2c0dd30d12ac637a4302b1c86350232259a9a81fd3601f222b75731759a69528e0cf3d60383678c053

  • SSDEEP

    24576:fi/ilk3kas5dc3N9rN6s0lcdEE+6hkknUnk3nnUm:6ek3kas5CNhN6RlcdELQ

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2a9aa7d747dc872400ced400f162bfa.exe
    "C:\Users\Admin\AppData\Local\Temp\a2a9aa7d747dc872400ced400f162bfa.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Adds Run key to start application
      PID:2392
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 92
        3⤵
        • Program crash
        PID:2616
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HYDRANGEAS.JPG

    Filesize

    26KB

    MD5

    b8a5444c4c6265114d28c257acf8fedc

    SHA1

    c0c62d4b07a9e6123438a1f3b8f71dfb698fae0c

    SHA256

    2c0d316e5a9cf5ed7b80750330e4086a89c0156871cfdf6b6c672387434ae826

    SHA512

    8b90c41655ce2015c830f4c2ede060d7e8100bec9d88320c726663989f2df3d43ce22dc2958674c530f65c57505992b1be7e356937a17c6f2f32859b12358cde

  • memory/2180-9-0x0000000076F61000-0x0000000076F62000-memory.dmp

    Filesize

    4KB

  • memory/2180-12-0x0000000013140000-0x00000000132BC000-memory.dmp

    Filesize

    1.5MB

  • memory/2180-4-0x0000000076F60000-0x0000000076F61000-memory.dmp

    Filesize

    4KB

  • memory/2180-5-0x0000000076F5F000-0x0000000076F60000-memory.dmp

    Filesize

    4KB

  • memory/2180-7-0x0000000001DE0000-0x0000000001DF0000-memory.dmp

    Filesize

    64KB

  • memory/2180-6-0x0000000001FD0000-0x0000000001FE0000-memory.dmp

    Filesize

    64KB

  • memory/2180-10-0x0000000076F98000-0x0000000076F99000-memory.dmp

    Filesize

    4KB

  • memory/2180-56-0x0000000013140000-0x00000000132BC000-memory.dmp

    Filesize

    1.5MB

  • memory/2180-1-0x0000000013140000-0x00000000132BC000-memory.dmp

    Filesize

    1.5MB

  • memory/2180-8-0x0000000076760000-0x0000000076870000-memory.dmp

    Filesize

    1.1MB

  • memory/2180-11-0x0000000000530000-0x0000000000540000-memory.dmp

    Filesize

    64KB

  • memory/2180-13-0x0000000000570000-0x0000000000571000-memory.dmp

    Filesize

    4KB

  • memory/2180-2-0x00000000001B0000-0x00000000001B4000-memory.dmp

    Filesize

    16KB

  • memory/2180-3-0x0000000000290000-0x00000000002C9000-memory.dmp

    Filesize

    228KB

  • memory/2180-45-0x00000000027D0000-0x00000000027D2000-memory.dmp

    Filesize

    8KB

  • memory/2180-57-0x0000000076760000-0x0000000076870000-memory.dmp

    Filesize

    1.1MB

  • memory/2180-60-0x0000000000290000-0x00000000002C9000-memory.dmp

    Filesize

    228KB

  • memory/2180-58-0x0000000013140000-0x00000000132BC000-memory.dmp

    Filesize

    1.5MB

  • memory/2392-41-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

    Filesize

    4KB

  • memory/2392-15-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/2572-52-0x0000000013140000-0x00000000132BC000-memory.dmp

    Filesize

    1.5MB

  • memory/2572-54-0x0000000013140000-0x00000000132BC000-memory.dmp

    Filesize

    1.5MB

  • memory/2572-55-0x0000000013140000-0x00000000132BC000-memory.dmp

    Filesize

    1.5MB

  • memory/2572-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2572-48-0x0000000013140000-0x00000000132BC000-memory.dmp

    Filesize

    1.5MB

  • memory/2572-61-0x0000000013140000-0x00000000132BC000-memory.dmp

    Filesize

    1.5MB

  • memory/2900-47-0x00000000007B0000-0x00000000007B1000-memory.dmp

    Filesize

    4KB

  • memory/2900-46-0x00000000001E0000-0x00000000001E2000-memory.dmp

    Filesize

    8KB

  • memory/2900-63-0x00000000007B0000-0x00000000007B1000-memory.dmp

    Filesize

    4KB