Malware Analysis Report

2024-08-06 17:30

Sample ID: 240628-ngsbbswhlg
Target: lab_samples.zip
SHA256: 596263884d5474c2d3bb01238718eb30ce2c8539c99f66fa26b92171c6786c26
Tags: guest16, darkcomet
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 596263884d5474c2d3bb01238718eb30ce2c8539c99f66fa26b92171c6786c26

Threat Level: Known bad

The file lab_samples.zip was found to be: Known bad.

Malicious Activity Summary

guest16 darkcomet

Darkcomet family

Executes dropped EXE

Unsigned PE

Program crash

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 11:22

Signatures

Darkcomet family

darkcomet

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 11:22

Reported

2024-06-28 11:24

Platform

win11-20240508-en

Max time kernel

72s

Max time network

73s

Command Line

"C:\Users\Admin\AppData\Local\Temp\lab_samples\b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe"

Signatures

Modifies registry class

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\MuiCache
Process: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\lab_samples\b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe

"C:\Users\Admin\AppData\Local\Temp\lab_samples\b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7.exe"

C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe

C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe

C:\Windows\SYSTEM32\svchost.exe

svchost.exe -k netsvcs

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2160 -ip 2160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 632

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

Network

Country Destination Domain Proto
GB 2.18.66.57:443 N/A tcp
US 8.8.8.8:53 browser.pipe.aria.microsoft.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 2.18.66.57:443 N/A tcp
GB 2.18.66.57:443 N/A tcp
GB 2.18.66.80:443 N/A tcp
US 8.8.8.8:53 N/A udp

Files

memory/4076-0-0x0000000002200000-0x0000000002201000-memory.dmp

memory/4076-1-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/4076-2-0x0000000002250000-0x000000000228C000-memory.dmp

memory/4076-4-0x0000000000400000-0x00000000004AD000-memory.dmp

C:\Users\Admin\AppData\Roaming\winapp\a2a2aa408cc23a822a0a8810ea804dbaa4bd21b23760a18a4712a4a0ec3c8eb6.exe

MD5 b3dc48d13f7d541fa583bf964c0603bf
SHA1 1dbaa68adc0a592508f7ad715bfcdf79c17990d6
SHA256 b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7
SHA512 193bda0656a9d1be54dc655d9af3224ddccb78fc26aa77618fba1e3c36005a0368a200960cc28facc280df667f51a26bbef62282bbf8837cc036a41bfb8525f4

memory/2160-9-0x00000000020A0000-0x00000000020A1000-memory.dmp

memory/2160-10-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/2160-11-0x0000000002450000-0x000000000248C000-memory.dmp

memory/2160-12-0x0000000010000000-0x0000000010007000-memory.dmp

memory/2160-17-0x0000000000400000-0x00000000004AD000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 e9aa12ff0be6d995ed86f8cf88678158
SHA1 e5ee38fc2ebef0fcbc3059dee29b39f7daf21931
SHA256 f35cd8ef03ac924a59943c5dfffc31ab67a8b5aff272e9f47ff776aabc7ee561
SHA512 95a67acd2a4784b87d73910c1f1f590937c9d9b901e98448556a37eb8137ae5f458f1c673d65a46cf7d6b90bee5fe6b102ce3eeac9e819062cd9c5c2418bcbfc