Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
12-12-2024 17:15
General
-
Target
digit_by_helkin86-d377w81/DiGiT/DiGiT/Instructions.exe
-
Size
880KB
-
MD5
ba480da41b6ec6f00fc0d7caf9f11cb3
-
SHA1
f924f6baa35057ea88154faed0213c154eadcfa0
-
SHA256
47256456d9897ef71eb4a944fbde08aa388aabb85645b5b79ba6dc0c9a106124
-
SHA512
adfa3b2c264d1bcfa82e2d94187a073905cfe55aa08690a1d9e79d9a6a8bc7fe523e49d8bcbd43beec5ab62e26c558e57e7ff72e46d1aa5973fd77d5a39a0b9f
-
SSDEEP
24576:9+6LCb7OdjFbdRGe9PiuImyEaNCXhgtNz5WhCdSjD4kbQsbq7480/uSUsQ6F:9pnCe9qIeNCqfb4j1bT
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Darkcomet family
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\digit_by_helkin86-d377w81\DiGiT\DiGiT\Instructions.exe"C:\Users\Admin\AppData\Local\Temp\digit_by_helkin86-d377w81\DiGiT\DiGiT\Instructions.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\crypted.exe"C:\Users\Admin\AppData\Local\Temp\crypted.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\crypted.exe"C:\Users\Admin\AppData\Local\Temp\crypted.exe"3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Instructions.txt2⤵
- Opens file in notepad (likely ransom note)
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360B
MD5036d4adeb724a007fb00011734b5a3e2
SHA11d0f70d7b442bee1741702394dcc917cb13c9064
SHA256e1a0dcf6046381884d91d8e70b48b76548520f2f3fb87391d14b6af0d9609036
SHA5125d02f692e8ff7927498ef750091da86ae2b85b4f73f7ee29721207b1fb4055c0b47f38333dc0e2eaf7b0bca6a50f0291d68826637d4b7d467965c19866979d2f
-
Filesize
645KB
MD5d2612794fd2d21874ffb92b2bfef2407
SHA1a74255beeb2a61ef598dd10fd50f8e1ba25a574b
SHA2566eb607fa53c977d8fbd3ad8578f574dad83bebd5daf865a04df0a8afb9daee33
SHA512e0c594217064ac12cc6e780aa4e0b171103d974fbb59113ad9f7763601e24c7f8a91a607dc43179b5e28bab27bf47ee7c16598b1f9569620fc6ef0f83f7accfd
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB