Analysis

  • max time kernel: 149s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09-12-2024 15:15

General

  • Target: GOlfito.exe
  • Size: 1.2MB
  • MD5: 3bf77085d3cc3631dd2a29770f4d844e
  • SHA1: 6049321e1ccb8d594ed3a9db7740b2aef1b0bed3
  • SHA256: ce26affefbe19a456afd7df6ebae922bc6d295195746130d32d7705a2954bb1b
  • SHA512: ccd7b8d07e41901b440e71bbf94c7ea2ebff3e0ab8b6b2406abede0b10acb57247fe5bd5af3b6bc1b8780a5f406434256bdef1766eade339a66b135e62159518
  • SSDEEP: 24576:gHXBnBDLfLLK6Imt5SVxQRq1uGNmZ4sZPoy/yTL5Wdju7VuafQl5s4Uapw:gHRnxLfL2bmtQVxQM1uSaOBZ25s4UaG

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Modifies security service (2 TTPs, 1 IoC)
  • Windows security bypass (2 TTPs, 1 IoC)
  • Disables Task Manager via registry modification
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (3 IoCs)
  • Windows security modification (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry (2 TTPs, 8 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 2 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (50 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (34 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\GOlfito.exe
    "C:\Users\Admin\AppData\Local\Temp\GOlfito.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Local\Temp\GOlfito.exe
      "C:\Users\Admin\AppData\Local\Temp\GOlfito.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3756
      • C:\Users\Admin\AppData\Local\Temp\MINIGOLF.EXE
        "C:\Users\Admin\AppData\Local\Temp\MINIGOLF.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1176
      • C:\Windows\Windupdt\winupdate.exe
        "C:\Windows\Windupdt\winupdate.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\Windows\Windupdt\winupdate.exe
          "C:\Windows\Windupdt\winupdate.exe"
          4⤵
          • Modifies security service
          • Windows security bypass
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4852
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x424 0x470
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1828

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MINIGOLF.EXE
    Filesize: 609KB
    MD5: 1c689f0a57ae6034b57ae03f90d14554
    SHA1: acb756e5d26121f862794c069a4703ee636f8c8a
    SHA256: b5ff6fc4cb240f5071e160b28745747a015e81c0e34994ff84bf4a7593f5c7e7
    SHA512: d5b94d5f46c584568c5f400bd65c31df02885c5c7f2b51307e17d05b02ebb8b779fc25db76f47426e8268e3c681356dbc00c8391c6aa125a48b4590ebd7726b9

  • C:\Windows\Windupdt\winupdate.exe
    Filesize: 1.2MB
    MD5: 3bf77085d3cc3631dd2a29770f4d844e
    SHA1: 6049321e1ccb8d594ed3a9db7740b2aef1b0bed3
    SHA256: ce26affefbe19a456afd7df6ebae922bc6d295195746130d32d7705a2954bb1b
    SHA512: ccd7b8d07e41901b440e71bbf94c7ea2ebff3e0ab8b6b2406abede0b10acb57247fe5bd5af3b6bc1b8780a5f406434256bdef1766eade339a66b135e62159518

  • memory/3756-2-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/3756-4-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/3756-3-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/3756-6-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/3756-7-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/3756-5-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/3756-79-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-90-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-96-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-93-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-92-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-91-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-87-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-89-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-94-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-95-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-88-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-97-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-98-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-99-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-100-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-101-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-102-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-103-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-104-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-105-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)
  • memory/4852-106-0x0000000000400000-0x0000000000561000-memory.dmp (Filesize: 1.4MB)