darkcomet | 6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559

General

Target

6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe
Size

1.5MB
MD5

5e0c56aa4d8ab74ab7c1401c05720f15
SHA1

b4f0cfd99d686ce6f724e4328d21edec5f56dd1b
SHA256

6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559
SHA512

f73bbc8d8cdfd5f8a18f624ea5aee83ce05d6566ad018fd5dd7541202f0d033feb7bf60afcd1f80ea601f2efd0477b1f05feeaa09883f6ce1b3210d5d323e44e

Score

10^/10

darkcomet runescape persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Runescape

C2

mrsnickers03.no-ip.biz:340

Mutex

DC_MUTEX-6ZFK11A

Attributes

gencode
uNwew4gojxtu
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

ichader.exeichader.exeichader.exe

pid process

4080 ichader.exe
3692 ichader.exe
3972 ichader.exe

pid	process
4080	ichader.exe
3692	ichader.exe
3972	ichader.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/324-4-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/324-6-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/324-7-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3972-30-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3972-36-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3972-37-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\IDM\\ichader.exe"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exeichader.exe

description	pid	process	target process
PID 1100 set thread context of 3752	1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	svchost.exe
PID 1100 set thread context of 324	1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe
PID 4080 set thread context of 3848	4080	ichader.exe	svchost.exe
PID 4080 set thread context of 3692	4080	ichader.exe	ichader.exe
PID 4080 set thread context of 3972	4080	ichader.exe	ichader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

960 3752 WerFault.exe svchost.exe

pid	pid_target	process	target process
960	3752	WerFault.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe
3848	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ichader.exeichader.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3972	ichader.exe
Token: SeSecurityPrivilege	3972	ichader.exe
Token: SeTakeOwnershipPrivilege	3972	ichader.exe
Token: SeLoadDriverPrivilege	3972	ichader.exe
Token: SeSystemProfilePrivilege	3972	ichader.exe
Token: SeSystemtimePrivilege	3972	ichader.exe
Token: SeProfSingleProcessPrivilege	3972	ichader.exe
Token: SeIncBasePriorityPrivilege	3972	ichader.exe
Token: SeCreatePagefilePrivilege	3972	ichader.exe
Token: SeBackupPrivilege	3972	ichader.exe
Token: SeRestorePrivilege	3972	ichader.exe
Token: SeShutdownPrivilege	3972	ichader.exe
Token: SeDebugPrivilege	3972	ichader.exe
Token: SeSystemEnvironmentPrivilege	3972	ichader.exe
Token: SeChangeNotifyPrivilege	3972	ichader.exe
Token: SeRemoteShutdownPrivilege	3972	ichader.exe
Token: SeUndockPrivilege	3972	ichader.exe
Token: SeManageVolumePrivilege	3972	ichader.exe
Token: SeImpersonatePrivilege	3972	ichader.exe
Token: SeCreateGlobalPrivilege	3972	ichader.exe
Token: 33	3972	ichader.exe
Token: 34	3972	ichader.exe
Token: 35	3972	ichader.exe
Token: 36	3972	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe
Token: SeDebugPrivilege	3692	ichader.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exeichader.exesvchost.exeichader.exeichader.exe

pid	process
1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe
324	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe
4080	ichader.exe
3848	svchost.exe
3692	ichader.exe
3972	ichader.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.execmd.exeichader.exe

description	pid	process	target process
PID 1100 wrote to memory of 3752	1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	svchost.exe
PID 1100 wrote to memory of 3752	1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	svchost.exe
PID 1100 wrote to memory of 3752	1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	svchost.exe
PID 1100 wrote to memory of 3752	1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	svchost.exe
PID 1100 wrote to memory of 324	1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe
PID 1100 wrote to memory of 324	1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe
PID 1100 wrote to memory of 324	1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe
PID 1100 wrote to memory of 324	1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe
PID 1100 wrote to memory of 324	1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe
PID 1100 wrote to memory of 324	1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe
PID 1100 wrote to memory of 324	1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe
PID 1100 wrote to memory of 324	1100	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe
PID 324 wrote to memory of 1920	324	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	cmd.exe
PID 324 wrote to memory of 1920	324	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	cmd.exe
PID 324 wrote to memory of 1920	324	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	cmd.exe
PID 1920 wrote to memory of 976	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 976	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 976	1920	cmd.exe	reg.exe
PID 324 wrote to memory of 4080	324	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	ichader.exe
PID 324 wrote to memory of 4080	324	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	ichader.exe
PID 324 wrote to memory of 4080	324	6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe	ichader.exe
PID 4080 wrote to memory of 3848	4080	ichader.exe	svchost.exe
PID 4080 wrote to memory of 3848	4080	ichader.exe	svchost.exe
PID 4080 wrote to memory of 3848	4080	ichader.exe	svchost.exe
PID 4080 wrote to memory of 3848	4080	ichader.exe	svchost.exe
PID 4080 wrote to memory of 3848	4080	ichader.exe	svchost.exe
PID 4080 wrote to memory of 3848	4080	ichader.exe	svchost.exe
PID 4080 wrote to memory of 3848	4080	ichader.exe	svchost.exe
PID 4080 wrote to memory of 3848	4080	ichader.exe	svchost.exe
PID 4080 wrote to memory of 3848	4080	ichader.exe	svchost.exe
PID 4080 wrote to memory of 3692	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3692	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3692	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3692	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3692	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3692	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3692	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3692	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3972	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3972	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3972	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3972	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3972	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3972	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3972	4080	ichader.exe	ichader.exe
PID 4080 wrote to memory of 3972	4080	ichader.exe	ichader.exe

C:\Users\Admin\AppData\Local\Temp\6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe
"C:\Users\Admin\AppData\Local\Temp\6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 92
3⤵
- Program crash
PID:960

C:\Users\Admin\AppData\Local\Temp\6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe
"C:\Users\Admin\AppData\Local\Temp\6710915f32e35614181300eba4f4b49e24bbda5774f31abf84b78552565a8559.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IRYJF.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe" /f
4⤵
- Adds Run key to start application
PID:976

C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
"C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3848

C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
"C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3692

C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
"C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IRYJF.bat
MD5
92353035f01403e26aa2ff51c3963238

SHA1
d13f167c73bfce23a2deab8ce7c4ce9f78759ff4

SHA256
2e72a8542f8f809bfb1e4adfb481c7c5e6dc00dda7970c74692ba8d83ea0a870

SHA512
74560e33477caae3c7bc13914e4ae3c6911bbcfe257b2833155c236a158db0aca17478beb9d97f648ff1ea566005260f511361771c74203195107f4e82cce7df

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
40ac4f7238cf48af41ea8f8f96848df4

SHA1
9251cd0bea50bf1c4d133d535ccf7eda3def7a07

SHA256
8ba6888fed3fbb5f1b919adb139cb2d5faeeeb934663ad9fcb8058e95d25e444

SHA512
056838ae89ef29401a189fe0d697e5604dec1b66686be6344c6ae3503b26d298a76bf558d45415ca0d399e724d249bf99e0a9113c44827a98a3c03c9a81c2a92

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
40ac4f7238cf48af41ea8f8f96848df4

SHA1
9251cd0bea50bf1c4d133d535ccf7eda3def7a07

SHA256
8ba6888fed3fbb5f1b919adb139cb2d5faeeeb934663ad9fcb8058e95d25e444

SHA512
056838ae89ef29401a189fe0d697e5604dec1b66686be6344c6ae3503b26d298a76bf558d45415ca0d399e724d249bf99e0a9113c44827a98a3c03c9a81c2a92

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
40ac4f7238cf48af41ea8f8f96848df4

SHA1
9251cd0bea50bf1c4d133d535ccf7eda3def7a07

SHA256
8ba6888fed3fbb5f1b919adb139cb2d5faeeeb934663ad9fcb8058e95d25e444

SHA512
056838ae89ef29401a189fe0d697e5604dec1b66686be6344c6ae3503b26d298a76bf558d45415ca0d399e724d249bf99e0a9113c44827a98a3c03c9a81c2a92

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
40ac4f7238cf48af41ea8f8f96848df4

SHA1
9251cd0bea50bf1c4d133d535ccf7eda3def7a07

SHA256
8ba6888fed3fbb5f1b919adb139cb2d5faeeeb934663ad9fcb8058e95d25e444

SHA512
056838ae89ef29401a189fe0d697e5604dec1b66686be6344c6ae3503b26d298a76bf558d45415ca0d399e724d249bf99e0a9113c44827a98a3c03c9a81c2a92

Download Submit
memory/324-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/324-5-0x00000000004085D0-mapping.dmp

Download
memory/324-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/324-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/960-8-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/976-13-0x0000000000000000-mapping.dmp

Download
memory/1920-11-0x0000000000000000-mapping.dmp

Download
memory/3692-29-0x00000000735D0000-0x0000000073663000-memory.dmp

Filesize
588KB

Download
memory/3692-27-0x00000000004085D0-mapping.dmp

Download
memory/3752-3-0x000000000040B000-mapping.dmp

Download
memory/3848-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3848-21-0x000000000040B000-mapping.dmp

Download
memory/3848-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3848-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3972-31-0x00000000004B5210-mapping.dmp

Download
memory/3972-34-0x00000000735D0000-0x0000000073663000-memory.dmp

Filesize
588KB

Download
memory/3972-30-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3972-36-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3972-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4080-17-0x00000000735D0000-0x0000000073663000-memory.dmp

Filesize
588KB

Download
memory/4080-14-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads