darkcomet | 1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362

General

Target

1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe
Size

1.5MB
MD5

4bb315fbc47de30e0bb3f0f3551b4970
SHA1

b60c0cc43d6255b70217875acff1ab7f7732a71f
SHA256

1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362
SHA512

cd16b6d52da9863f50432019c2028c5c1ea73cb1f3ec5f6e0a30a54af32aced27ef6c40395edc72ed69cbada85527eb81da09465cf427344566de80f6ac42fa9

Score

10^/10

darkcomet runescape persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Runescape

C2

mrsnickers03.no-ip.biz:340

Mutex

DC_MUTEX-6ZFK11A

Attributes

gencode
uNwew4gojxtu
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

ichader.exeichader.exeichader.exe

pid process

3336 ichader.exe
3892 ichader.exe
2468 ichader.exe

pid	process
3336	ichader.exe
3892	ichader.exe
2468	ichader.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1096-4-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1096-7-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2468-39-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\IDM\\ichader.exe"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exeichader.exe

description	pid	process	target process
PID 948 set thread context of 1932	948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	svchost.exe
PID 948 set thread context of 1096	948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe
PID 3336 set thread context of 808	3336	ichader.exe	svchost.exe
PID 3336 set thread context of 3892	3336	ichader.exe	ichader.exe
PID 3336 set thread context of 2468	3336	ichader.exe	ichader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

192 1932 WerFault.exe svchost.exe

pid	pid_target	process	target process
192	1932	WerFault.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe
808	svchost.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

ichader.exeichader.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2468	ichader.exe
Token: SeSecurityPrivilege	2468	ichader.exe
Token: SeTakeOwnershipPrivilege	2468	ichader.exe
Token: SeLoadDriverPrivilege	2468	ichader.exe
Token: SeSystemProfilePrivilege	2468	ichader.exe
Token: SeSystemtimePrivilege	2468	ichader.exe
Token: SeProfSingleProcessPrivilege	2468	ichader.exe
Token: SeIncBasePriorityPrivilege	2468	ichader.exe
Token: SeCreatePagefilePrivilege	2468	ichader.exe
Token: SeBackupPrivilege	2468	ichader.exe
Token: SeRestorePrivilege	2468	ichader.exe
Token: SeShutdownPrivilege	2468	ichader.exe
Token: SeDebugPrivilege	2468	ichader.exe
Token: SeSystemEnvironmentPrivilege	2468	ichader.exe
Token: SeChangeNotifyPrivilege	2468	ichader.exe
Token: SeRemoteShutdownPrivilege	2468	ichader.exe
Token: SeUndockPrivilege	2468	ichader.exe
Token: SeManageVolumePrivilege	2468	ichader.exe
Token: SeImpersonatePrivilege	2468	ichader.exe
Token: SeCreateGlobalPrivilege	2468	ichader.exe
Token: 33	2468	ichader.exe
Token: 34	2468	ichader.exe
Token: 35	2468	ichader.exe
Token: 36	2468	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe
Token: SeDebugPrivilege	3892	ichader.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exeichader.exesvchost.exeichader.exeichader.exe

pid	process
948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe
1096	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe
3336	ichader.exe
808	svchost.exe
3892	ichader.exe
2468	ichader.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.execmd.exeichader.exe

description	pid	process	target process
PID 948 wrote to memory of 1932	948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	svchost.exe
PID 948 wrote to memory of 1932	948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	svchost.exe
PID 948 wrote to memory of 1932	948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	svchost.exe
PID 948 wrote to memory of 1932	948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	svchost.exe
PID 948 wrote to memory of 1096	948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe
PID 948 wrote to memory of 1096	948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe
PID 948 wrote to memory of 1096	948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe
PID 948 wrote to memory of 1096	948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe
PID 948 wrote to memory of 1096	948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe
PID 948 wrote to memory of 1096	948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe
PID 948 wrote to memory of 1096	948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe
PID 948 wrote to memory of 1096	948	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe
PID 1096 wrote to memory of 772	1096	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	cmd.exe
PID 1096 wrote to memory of 772	1096	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	cmd.exe
PID 1096 wrote to memory of 772	1096	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	cmd.exe
PID 772 wrote to memory of 1520	772	cmd.exe	reg.exe
PID 772 wrote to memory of 1520	772	cmd.exe	reg.exe
PID 772 wrote to memory of 1520	772	cmd.exe	reg.exe
PID 1096 wrote to memory of 3336	1096	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	ichader.exe
PID 1096 wrote to memory of 3336	1096	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	ichader.exe
PID 1096 wrote to memory of 3336	1096	1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe	ichader.exe
PID 3336 wrote to memory of 808	3336	ichader.exe	svchost.exe
PID 3336 wrote to memory of 808	3336	ichader.exe	svchost.exe
PID 3336 wrote to memory of 808	3336	ichader.exe	svchost.exe
PID 3336 wrote to memory of 808	3336	ichader.exe	svchost.exe
PID 3336 wrote to memory of 808	3336	ichader.exe	svchost.exe
PID 3336 wrote to memory of 808	3336	ichader.exe	svchost.exe
PID 3336 wrote to memory of 808	3336	ichader.exe	svchost.exe
PID 3336 wrote to memory of 808	3336	ichader.exe	svchost.exe
PID 3336 wrote to memory of 808	3336	ichader.exe	svchost.exe
PID 3336 wrote to memory of 3892	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 3892	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 3892	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 3892	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 3892	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 3892	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 3892	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 3892	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 2468	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 2468	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 2468	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 2468	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 2468	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 2468	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 2468	3336	ichader.exe	ichader.exe
PID 3336 wrote to memory of 2468	3336	ichader.exe	ichader.exe

C:\Users\Admin\AppData\Local\Temp\1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe
"C:\Users\Admin\AppData\Local\Temp\1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 92
3⤵
- Program crash
PID:192

C:\Users\Admin\AppData\Local\Temp\1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe
"C:\Users\Admin\AppData\Local\Temp\1cc3c44cb2987e697a2c4e3f2b48dfe5555b774dc86efcb06d15f64a9ab14362.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ADTPQ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe" /f
4⤵
- Adds Run key to start application
PID:1520

C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
"C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:808

C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
"C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3892

C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
"C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADTPQ.bat
MD5
92353035f01403e26aa2ff51c3963238

SHA1
d13f167c73bfce23a2deab8ce7c4ce9f78759ff4

SHA256
2e72a8542f8f809bfb1e4adfb481c7c5e6dc00dda7970c74692ba8d83ea0a870

SHA512
74560e33477caae3c7bc13914e4ae3c6911bbcfe257b2833155c236a158db0aca17478beb9d97f648ff1ea566005260f511361771c74203195107f4e82cce7df

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
8ed393167cb4a1d029b1d24acff42a7c

SHA1
6ba670807f08941cc8df0d5e7dac8935a9779fb4

SHA256
645e6780fe75371c753a4c99cc7a92fe9d39130b6ed43f75a95b73ad3660a6c1

SHA512
ba25af7b3f9fe3f1a9f23452b843b9ba23c36346896b7c388292640e50927fed9b841fad49f94a7c151bb2f6aa360e79f8135060af9161fa3a9d70db7b0415f7

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
8ed393167cb4a1d029b1d24acff42a7c

SHA1
6ba670807f08941cc8df0d5e7dac8935a9779fb4

SHA256
645e6780fe75371c753a4c99cc7a92fe9d39130b6ed43f75a95b73ad3660a6c1

SHA512
ba25af7b3f9fe3f1a9f23452b843b9ba23c36346896b7c388292640e50927fed9b841fad49f94a7c151bb2f6aa360e79f8135060af9161fa3a9d70db7b0415f7

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
8ed393167cb4a1d029b1d24acff42a7c

SHA1
6ba670807f08941cc8df0d5e7dac8935a9779fb4

SHA256
645e6780fe75371c753a4c99cc7a92fe9d39130b6ed43f75a95b73ad3660a6c1

SHA512
ba25af7b3f9fe3f1a9f23452b843b9ba23c36346896b7c388292640e50927fed9b841fad49f94a7c151bb2f6aa360e79f8135060af9161fa3a9d70db7b0415f7

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe

Download Submit
memory/192-10-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/772-11-0x0000000000000000-mapping.dmp

Download
memory/808-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/808-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/808-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/808-21-0x000000000040B000-mapping.dmp

Download
memory/1096-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1096-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1096-5-0x00000000004085D0-mapping.dmp

Download
memory/1096-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1520-13-0x0000000000000000-mapping.dmp

Download
memory/1932-3-0x000000000040B000-mapping.dmp

Download
memory/2468-39-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2468-35-0x0000000073570000-0x0000000073603000-memory.dmp

Filesize
588KB

Download
memory/2468-38-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2468-30-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2468-31-0x00000000004B5210-mapping.dmp

Download
memory/3336-17-0x0000000073570000-0x0000000073603000-memory.dmp

Filesize
588KB

Download
memory/3336-14-0x0000000000000000-mapping.dmp

Download
memory/3892-29-0x0000000073570000-0x0000000073603000-memory.dmp

Filesize
588KB

Download
memory/3892-27-0x00000000004085D0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads