Analysis

  • max time kernel
    120s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-09-2024 18:40

General

  • Target

    afb84ada3e5e78139a799454463b1bf0N.exe

  • Size

    576KB

  • MD5

    afb84ada3e5e78139a799454463b1bf0

  • SHA1

    d8524ab8ad30345be910b1721b804bc921fa50c0

  • SHA256

    90b3e246071d30813341b96321f5f49cdff2cd9584908af69580548c663ebc9e

  • SHA512

    986b0c31e4dfd9eba23ee56352c4002a49f0123a3989ff2ca1368fa557761773319130a6c6e0957082d8b042fca6797fbafe4e121161834dfe6be0199c8a47e1

  • SSDEEP

    12288:+NWPkHlUkErBuxQ4uzi6d6dL/yiXLzeMdK6io8levy0FhVlpzkzDDoSv:+NWPkHlUfBgpuPdWzyuDTifgyWlC

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\afb84ada3e5e78139a799454463b1bf0N.exe
    "C:\Users\Admin\AppData\Local\Temp\afb84ada3e5e78139a799454463b1bf0N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\NlLwk.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\mcsft.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2744
    • C:\Users\Admin\AppData\Roaming\mcsft.exe
      "C:\Users\Admin\AppData\Roaming\mcsft.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Users\Admin\AppData\Roaming\mcsft.exe
        C:\Users\Admin\AppData\Roaming\mcsft.exe
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NlLwk.bat

    Filesize

    135B

    MD5

    a5feca573884d76f559b996d45e8ad9a

    SHA1

    0e81a993f3af4e31d60653dc2513186f0495f1c8

    SHA256

    c98e20d46d6465febb5d29cfab51241521ea5d6cd621f5e18b9b7d6fbfac3f0f

    SHA512

    a9239648b5f15eac4d4151b6e1bdc81065eeaeb101404c2a0126f03bc87f1e6a57206bfa07a44379e9d3bba889e4497a9991ff41fb109099b01512df3dc3cbda

  • C:\Users\Admin\AppData\Roaming\mcsft.exe

    Filesize

    576KB

    MD5

    f42dcc50b350508719529bf9fafac3f9

    SHA1

    a9646d6aa0a3a9d412308871438df73ead866525

    SHA256

    af8a0568d8c1321742983d130982aa09626cc12250aaa741dda015bb12b27c32

    SHA512

    c94763f070c079a6c6742b789ab0786d3bf33c69056f1b99bf4339908eeb22c4cb7ad990bc3c80468e63820765441d7b5f24f4f4f637b20fb6a49b99e8a1bb2e

  • memory/2228-42-0x0000000003AF0000-0x0000000003EB8000-memory.dmp

    Filesize

    3.8MB

  • memory/2228-2-0x0000000000400000-0x00000000007C8000-memory.dmp

    Filesize

    3.8MB

  • memory/2228-48-0x0000000000400000-0x00000000007C8000-memory.dmp

    Filesize

    3.8MB

  • memory/2228-45-0x0000000003AF0000-0x0000000003EB8000-memory.dmp

    Filesize

    3.8MB

  • memory/2228-44-0x0000000003AF0000-0x0000000003EB8000-memory.dmp

    Filesize

    3.8MB

  • memory/2228-43-0x0000000003AF0000-0x0000000003EB8000-memory.dmp

    Filesize

    3.8MB

  • memory/2628-61-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-73-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-78-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-59-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-60-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-62-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-77-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-63-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-65-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-66-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-64-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-67-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-69-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-70-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-71-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-72-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-58-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-74-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-75-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2628-76-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2816-49-0x0000000000400000-0x00000000007C8000-memory.dmp

    Filesize

    3.8MB

  • memory/2816-56-0x0000000000400000-0x00000000007C8000-memory.dmp

    Filesize

    3.8MB