Overview

overview

10

Static

static

7

702cf7fee8...2N.exe

windows7-x64

10

702cf7fee8...2N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2024, 06:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    702cf7fee8a42c80e295d6629f564bae2075f152415fe1c2756c35fa8d71b322N.exe

  • Size

    1.4MB

  • MD5

    2757f76e73f89a394adf37eb339e6c70

  • SHA1

    4cc4c9df20096da522837e090df80e64acd9d09c

  • SHA256

    702cf7fee8a42c80e295d6629f564bae2075f152415fe1c2756c35fa8d71b322

  • SHA512

    abc0689984c20c7a8d6922ec9403288630dbb0032b6d0e6613579c48d12038e4ac41df6430db4e5608a1bbb44a1cc24f8b8b982a4fa45c29de373fd1c52c8064

  • SSDEEP

    24576:TuqOgwfRJz5LEHyxoR9yLE8QOXXncn5GJMD0QZh9uRcHo8ChYY5nQe:TuqOgYRJzdEH3Senn5WXRcHoD3

Score
10/10
darkcometdiscoveryevasionpersistenceratthemidatrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 4 IoCs
  • Themida packer 38 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\702cf7fee8a42c80e295d6629f564bae2075f152415fe1c2756c35fa8d71b322N.exe
    "C:\Users\Admin\AppData\Local\Temp\702cf7fee8a42c80e295d6629f564bae2075f152415fe1c2756c35fa8d71b322N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2220
    • C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE
      "C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE"
      2⤵
      • Executes dropped EXE
      PID:1800
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE
        "C:\Users\Admin\AppData\Local\Temp\NOTEPAD.EXE"
        3⤵
        • Executes dropped EXE
        PID:1736
    • C:\Windows\Windupdt\svchost.exe
      "C:\Windows\Windupdt\svchost.exe"
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:2292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Windupdt\svchost.exe
    Filesize

    1.4MB

    MD5

    2757f76e73f89a394adf37eb339e6c70

    SHA1

    4cc4c9df20096da522837e090df80e64acd9d09c

    SHA256

    702cf7fee8a42c80e295d6629f564bae2075f152415fe1c2756c35fa8d71b322

    SHA512

    abc0689984c20c7a8d6922ec9403288630dbb0032b6d0e6613579c48d12038e4ac41df6430db4e5608a1bbb44a1cc24f8b8b982a4fa45c29de373fd1c52c8064

    Download Submit

  • \Users\Admin\AppData\Local\Temp\NOTEPAD.EXE
    Filesize

    189KB

    MD5

    f2c7bb8acc97f92e987a2d4087d021b1

    SHA1

    7eb0139d2175739b3ccb0d1110067820be6abd29

    SHA256

    142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

    SHA512

    2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

    Download Submit

  • memory/2220-4-0x00000000000C0000-0x00000000000C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2220-30-0x00000000002B0000-0x00000000002B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2292-91-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2292-88-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-60-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-55-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-44-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-43-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-42-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2584-47-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-51-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-56-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-66-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-69-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-68-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-64-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-63-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-62-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-61-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-95-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-59-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-58-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-45-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-54-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-53-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-52-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-65-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-57-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-50-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-49-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-48-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-46-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-67-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-70-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-71-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-38-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2584-72-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2628-89-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2628-1-0x0000000013141000-0x00000000131F2000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2628-2-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2628-90-0x0000000013141000-0x00000000131F2000-memory.dmp

    Filesize

    708KB

    Download

  • memory/2628-0-0x0000000013140000-0x000000001333F000-memory.dmp

    Filesize

    2.0MB

    Download