Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/02/2024, 20:19

General

  • Target

    a2a9aa7d747dc872400ced400f162bfa.exe

  • Size

    1.1MB

  • MD5

    a2a9aa7d747dc872400ced400f162bfa

  • SHA1

    c7c900a9b5341975beef45d15acaf24d93e0e42d

  • SHA256

    f5f0bd9714c7b145305035b817957668e9ac5f1aac855ae82a638011e6860488

  • SHA512

    8ee2ed9b131091fb6ab2103117fbc69f7337dd2d1bf7db2c0dd30d12ac637a4302b1c86350232259a9a81fd3601f222b75731759a69528e0cf3d60383678c053

  • SSDEEP

    24576:fi/ilk3kas5dc3N9rN6s0lcdEE+6hkknUnk3nnUm:6ek3kas5CNhN6RlcdELQ

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2a9aa7d747dc872400ced400f162bfa.exe
    "C:\Users\Admin\AppData\Local\Temp\a2a9aa7d747dc872400ced400f162bfa.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Adds Run key to start application
      PID:2244
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
        PID:4528
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 252
          3⤵
          • Program crash
          PID:1980
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4528 -ip 4528
      1⤵
        PID:1768

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windupdt\winupdate.exe

        Filesize

        1.1MB

        MD5

        a2a9aa7d747dc872400ced400f162bfa

        SHA1

        c7c900a9b5341975beef45d15acaf24d93e0e42d

        SHA256

        f5f0bd9714c7b145305035b817957668e9ac5f1aac855ae82a638011e6860488

        SHA512

        8ee2ed9b131091fb6ab2103117fbc69f7337dd2d1bf7db2c0dd30d12ac637a4302b1c86350232259a9a81fd3601f222b75731759a69528e0cf3d60383678c053

      • memory/1660-10-0x00000000021E0000-0x00000000021F0000-memory.dmp

        Filesize

        64KB

      • memory/1660-12-0x00000000023C0000-0x00000000023C1000-memory.dmp

        Filesize

        4KB

      • memory/1660-4-0x00000000023D0000-0x00000000023E0000-memory.dmp

        Filesize

        64KB

      • memory/1660-0-0x0000000013140000-0x00000000132BC000-memory.dmp

        Filesize

        1.5MB

      • memory/1660-5-0x0000000002570000-0x0000000002580000-memory.dmp

        Filesize

        64KB

      • memory/1660-6-0x0000000077062000-0x0000000077063000-memory.dmp

        Filesize

        4KB

      • memory/1660-8-0x0000000077063000-0x0000000077064000-memory.dmp

        Filesize

        4KB

      • memory/1660-7-0x0000000075C00000-0x0000000075CF0000-memory.dmp

        Filesize

        960KB

      • memory/1660-9-0x0000000077053000-0x0000000077054000-memory.dmp

        Filesize

        4KB

      • memory/1660-1-0x0000000013140000-0x00000000132BC000-memory.dmp

        Filesize

        1.5MB

      • memory/1660-3-0x0000000002180000-0x00000000021B9000-memory.dmp

        Filesize

        228KB

      • memory/1660-25-0x0000000075C00000-0x0000000075CF0000-memory.dmp

        Filesize

        960KB

      • memory/1660-11-0x0000000013140000-0x00000000132BC000-memory.dmp

        Filesize

        1.5MB

      • memory/1660-2-0x00000000005C0000-0x00000000005C4000-memory.dmp

        Filesize

        16KB

      • memory/1660-22-0x0000000002180000-0x00000000021B9000-memory.dmp

        Filesize

        228KB

      • memory/1660-20-0x0000000013140000-0x00000000132BC000-memory.dmp

        Filesize

        1.5MB

      • memory/2244-13-0x0000000000940000-0x0000000000941000-memory.dmp

        Filesize

        4KB

      • memory/4528-18-0x0000000013140000-0x00000000132BC000-memory.dmp

        Filesize

        1.5MB

      • memory/4528-21-0x0000000013140000-0x00000000132BC000-memory.dmp

        Filesize

        1.5MB

      • memory/4528-27-0x0000000013140000-0x00000000132BC000-memory.dmp

        Filesize

        1.5MB

      • memory/4528-24-0x0000000013140000-0x00000000132BC000-memory.dmp

        Filesize

        1.5MB