darkcomet | cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7v20201028
submitted
06-11-2020 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe
Size

3.9MB
MD5

f779b9615b86f9dded7f6de1e5c3178c
SHA1

932bb2bb8ee87f26726f0cfd01113fbe65936271
SHA256

cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d
SHA512

710b974627772a4fbf600fb0417690bbc4b956d4d25debae2748f23be473ce17f5356df9f37d17a3b65bcfd462f3bb8377d21af001f9f5e619ff01a2cfcbf500

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

Soundcrd.exeSoundcrd.exeSoundcrd.exe

pid process

1676 Soundcrd.exe
308 Soundcrd.exe
412 Soundcrd.exe

pid	process
1676	Soundcrd.exe
308	Soundcrd.exe
412	Soundcrd.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

yara_rule
upx
\Users\Admin\AppData\Roaming\Soundcrd.exe	upx
\Users\Admin\AppData\Roaming\Soundcrd.exe	upx
\Users\Admin\AppData\Roaming\Soundcrd.exe	upx
\Users\Admin\AppData\Roaming\Soundcrd.exe	upx
\Users\Admin\AppData\Roaming\Soundcrd.exe	upx
C:\Users\Admin\AppData\Roaming\Soundcrd.exe	upx
C:\Users\Admin\AppData\Roaming\Soundcrd.exe	upx
behavioral1/memory/308-15-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Soundcrd.exe	upx
behavioral1/memory/308-18-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/412-19-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/308-21-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/412-23-0x0000000000400000-0x0000000000409000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Soundcrd.exe	upx
behavioral1/memory/412-24-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Soundcrd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Soundcrd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Soundcrd.exe

Loads dropped DLL 5 IoCs

Processes:

cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe

pid	process
1924	cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe
1924	cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe
1924	cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe
1924	cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe
1924	cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoftt = "C:\\Users\\Admin\\AppData\\Roaming\\Soundcrd.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Soundcrd.exe

description	pid	process	target process
PID 1676 set thread context of 308	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 set thread context of 412	1676	Soundcrd.exe	Soundcrd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Soundcrd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Soundcrd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Soundcrd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Soundcrd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Soundcrd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

Soundcrd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier Soundcrd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Soundcrd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

Soundcrd.exeSoundcrd.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	308	Soundcrd.exe
Token: SeSecurityPrivilege	308	Soundcrd.exe
Token: SeTakeOwnershipPrivilege	308	Soundcrd.exe
Token: SeLoadDriverPrivilege	308	Soundcrd.exe
Token: SeSystemProfilePrivilege	308	Soundcrd.exe
Token: SeSystemtimePrivilege	308	Soundcrd.exe
Token: SeProfSingleProcessPrivilege	308	Soundcrd.exe
Token: SeIncBasePriorityPrivilege	308	Soundcrd.exe
Token: SeCreatePagefilePrivilege	308	Soundcrd.exe
Token: SeBackupPrivilege	308	Soundcrd.exe
Token: SeRestorePrivilege	308	Soundcrd.exe
Token: SeShutdownPrivilege	308	Soundcrd.exe
Token: SeDebugPrivilege	308	Soundcrd.exe
Token: SeSystemEnvironmentPrivilege	308	Soundcrd.exe
Token: SeChangeNotifyPrivilege	308	Soundcrd.exe
Token: SeRemoteShutdownPrivilege	308	Soundcrd.exe
Token: SeUndockPrivilege	308	Soundcrd.exe
Token: SeManageVolumePrivilege	308	Soundcrd.exe
Token: SeImpersonatePrivilege	308	Soundcrd.exe
Token: SeCreateGlobalPrivilege	308	Soundcrd.exe
Token: 33	308	Soundcrd.exe
Token: 34	308	Soundcrd.exe
Token: 35	308	Soundcrd.exe
Token: SeDebugPrivilege	412	Soundcrd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exeSoundcrd.exeSoundcrd.exe

pid process

1924 cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe
1676 Soundcrd.exe
412 Soundcrd.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.execmd.exeSoundcrd.exe

description	pid	process	target process
PID 1924 wrote to memory of 1588	1924	cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe	cmd.exe
PID 1924 wrote to memory of 1588	1924	cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe	cmd.exe
PID 1924 wrote to memory of 1588	1924	cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe	cmd.exe
PID 1924 wrote to memory of 1588	1924	cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe	cmd.exe
PID 1588 wrote to memory of 1740	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 1740	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 1740	1588	cmd.exe	reg.exe
PID 1588 wrote to memory of 1740	1588	cmd.exe	reg.exe
PID 1924 wrote to memory of 1676	1924	cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe	Soundcrd.exe
PID 1924 wrote to memory of 1676	1924	cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe	Soundcrd.exe
PID 1924 wrote to memory of 1676	1924	cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe	Soundcrd.exe
PID 1924 wrote to memory of 1676	1924	cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe	Soundcrd.exe
PID 1676 wrote to memory of 308	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 308	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 308	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 308	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 308	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 308	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 308	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 308	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 308	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 412	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 412	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 412	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 412	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 412	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 412	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 412	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 412	1676	Soundcrd.exe	Soundcrd.exe
PID 1676 wrote to memory of 412	1676	Soundcrd.exe	Soundcrd.exe

C:\Users\Admin\AppData\Local\Temp\cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe
"C:\Users\Admin\AppData\Local\Temp\cc82575926b314176e0b3ef9926d7a332f1c4de6adac1d9d26677206f457557d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OBUeR.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
3⤵
- Adds Run key to start application
PID:1740

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
"C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OBUeR.bat
MD5
173bcce4810d4901872d0ef4f0bfea4e

SHA1
561b03fdfe68b6419fddf57f32e1aab9a6126a2f

SHA256
10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d

SHA512
2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e

Download Submit
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
MD5
deed7415c8e748f5c86c1f3eb6bcc642

SHA1
f057bbc36d6edf9064e2e040826fee4b0b81d74c

SHA256
2bff6693c6f373f9ae94714de03ea3617de7f264f33327dfa2702686b732e509

SHA512
44e2242dfcfdf05142130c95ca45b00db362b8f8bef73271cdbb2c60115966db094f68cb31401ea38d9c1bba836ad6c975ad3964c72f64688a22aea123bceb39

Download Submit
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
MD5
deed7415c8e748f5c86c1f3eb6bcc642

SHA1
f057bbc36d6edf9064e2e040826fee4b0b81d74c

SHA256
2bff6693c6f373f9ae94714de03ea3617de7f264f33327dfa2702686b732e509

SHA512
44e2242dfcfdf05142130c95ca45b00db362b8f8bef73271cdbb2c60115966db094f68cb31401ea38d9c1bba836ad6c975ad3964c72f64688a22aea123bceb39

Download Submit
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
MD5
deed7415c8e748f5c86c1f3eb6bcc642

SHA1
f057bbc36d6edf9064e2e040826fee4b0b81d74c

SHA256
2bff6693c6f373f9ae94714de03ea3617de7f264f33327dfa2702686b732e509

SHA512
44e2242dfcfdf05142130c95ca45b00db362b8f8bef73271cdbb2c60115966db094f68cb31401ea38d9c1bba836ad6c975ad3964c72f64688a22aea123bceb39

Download Submit
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
MD5
deed7415c8e748f5c86c1f3eb6bcc642

SHA1
f057bbc36d6edf9064e2e040826fee4b0b81d74c

SHA256
2bff6693c6f373f9ae94714de03ea3617de7f264f33327dfa2702686b732e509

SHA512
44e2242dfcfdf05142130c95ca45b00db362b8f8bef73271cdbb2c60115966db094f68cb31401ea38d9c1bba836ad6c975ad3964c72f64688a22aea123bceb39

Download Submit
\Users\Admin\AppData\Roaming\Soundcrd.exe
MD5
deed7415c8e748f5c86c1f3eb6bcc642

SHA1
f057bbc36d6edf9064e2e040826fee4b0b81d74c

SHA256
2bff6693c6f373f9ae94714de03ea3617de7f264f33327dfa2702686b732e509

SHA512
44e2242dfcfdf05142130c95ca45b00db362b8f8bef73271cdbb2c60115966db094f68cb31401ea38d9c1bba836ad6c975ad3964c72f64688a22aea123bceb39

Download Submit
\Users\Admin\AppData\Roaming\Soundcrd.exe
MD5
deed7415c8e748f5c86c1f3eb6bcc642

SHA1
f057bbc36d6edf9064e2e040826fee4b0b81d74c

SHA256
2bff6693c6f373f9ae94714de03ea3617de7f264f33327dfa2702686b732e509

SHA512
44e2242dfcfdf05142130c95ca45b00db362b8f8bef73271cdbb2c60115966db094f68cb31401ea38d9c1bba836ad6c975ad3964c72f64688a22aea123bceb39

Download Submit
\Users\Admin\AppData\Roaming\Soundcrd.exe
MD5
deed7415c8e748f5c86c1f3eb6bcc642

SHA1
f057bbc36d6edf9064e2e040826fee4b0b81d74c

SHA256
2bff6693c6f373f9ae94714de03ea3617de7f264f33327dfa2702686b732e509

SHA512
44e2242dfcfdf05142130c95ca45b00db362b8f8bef73271cdbb2c60115966db094f68cb31401ea38d9c1bba836ad6c975ad3964c72f64688a22aea123bceb39

Download Submit
\Users\Admin\AppData\Roaming\Soundcrd.exe
MD5
deed7415c8e748f5c86c1f3eb6bcc642

SHA1
f057bbc36d6edf9064e2e040826fee4b0b81d74c

SHA256
2bff6693c6f373f9ae94714de03ea3617de7f264f33327dfa2702686b732e509

SHA512
44e2242dfcfdf05142130c95ca45b00db362b8f8bef73271cdbb2c60115966db094f68cb31401ea38d9c1bba836ad6c975ad3964c72f64688a22aea123bceb39

Download Submit
\Users\Admin\AppData\Roaming\Soundcrd.exe
MD5
deed7415c8e748f5c86c1f3eb6bcc642

SHA1
f057bbc36d6edf9064e2e040826fee4b0b81d74c

SHA256
2bff6693c6f373f9ae94714de03ea3617de7f264f33327dfa2702686b732e509

SHA512
44e2242dfcfdf05142130c95ca45b00db362b8f8bef73271cdbb2c60115966db094f68cb31401ea38d9c1bba836ad6c975ad3964c72f64688a22aea123bceb39

Download Submit
memory/308-18-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/308-15-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/308-16-0x00000000004B3310-mapping.dmp

Download
memory/308-21-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/412-19-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/412-20-0x0000000000407450-mapping.dmp

Download
memory/412-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/412-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1588-2-0x0000000000000000-mapping.dmp

Download
memory/1676-10-0x0000000000000000-mapping.dmp

Download
memory/1740-4-0x0000000000000000-mapping.dmp

Download