Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    25/02/2024, 06:34

General

  • Target

    a31eb81d21c6dcc0a03de89b6b43fc68.exe

  • Size

    339KB

  • MD5

    a31eb81d21c6dcc0a03de89b6b43fc68

  • SHA1

    60f928956ac652b151be85de46369f22bde0f506

  • SHA256

    01a5dd39fb485319940f0ebdfd0209a560641a6da385a074bbc0337a6bc3d3a8

  • SHA512

    b0e5d13b4acb3bf0e9d2c07e07cdcafc70e0596b735c89c08b140570be8e978371bfd9d8ff160748bf5a2b61dbb6349efc348a290b2eead7f89e4345b3ecf1c1

  • SSDEEP

    6144:PCSlrcTxfNKm9mCfjEOZhpfLTuKAOm6esFE70HkWnpQZh9h:PZcV79mGjZhBjm/Ck0QZh9

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies firewall policy service 2 TTPs 6 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a31eb81d21c6dcc0a03de89b6b43fc68.exe
    "C:\Users\Admin\AppData\Local\Temp\a31eb81d21c6dcc0a03de89b6b43fc68.exe"
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Checks BIOS information in registry
    • Windows security modification
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2208
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Checks BIOS information in registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1848-9-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/1848-15-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/1848-2-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/1848-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1848-6-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/1848-16-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/1848-11-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/1848-10-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/1848-14-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/1848-12-0x0000000000120000-0x0000000000121000-memory.dmp

    Filesize

    4KB

  • memory/1848-13-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/2208-1-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

  • memory/2208-0-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/2208-8-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB