Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/02/2024, 06:34

General

  • Target

    a31eb81d21c6dcc0a03de89b6b43fc68.exe

  • Size

    339KB

  • MD5

    a31eb81d21c6dcc0a03de89b6b43fc68

  • SHA1

    60f928956ac652b151be85de46369f22bde0f506

  • SHA256

    01a5dd39fb485319940f0ebdfd0209a560641a6da385a074bbc0337a6bc3d3a8

  • SHA512

    b0e5d13b4acb3bf0e9d2c07e07cdcafc70e0596b735c89c08b140570be8e978371bfd9d8ff160748bf5a2b61dbb6349efc348a290b2eead7f89e4345b3ecf1c1

  • SSDEEP

    6144:PCSlrcTxfNKm9mCfjEOZhpfLTuKAOm6esFE70HkWnpQZh9h:PZcV79mGjZhBjm/Ck0QZh9

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies firewall policy service 2 TTPs 6 IoCs
  • Modifies security service 2 TTPs 2 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a31eb81d21c6dcc0a03de89b6b43fc68.exe
    "C:\Users\Admin\AppData\Local\Temp\a31eb81d21c6dcc0a03de89b6b43fc68.exe"
    1⤵
    • Modifies firewall policy service
    • Modifies security service
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Checks BIOS information in registry
    • Windows security modification
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1040
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Modifies firewall policy service
      • Modifies security service
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Checks BIOS information in registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:232

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/232-2-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/232-4-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/232-7-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/232-8-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/232-9-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

    Filesize

    4KB

  • memory/232-10-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/232-11-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/232-12-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/1040-0-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB

  • memory/1040-1-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

    Filesize

    4KB

  • memory/1040-5-0x0000000013140000-0x000000001322E000-memory.dmp

    Filesize

    952KB