darkcomet | c5e37df6c487b736d8d99416fe6199c425cfd713b633f15e2d7f4c379331d712

Analysis

max time kernel
150s
max time network
145s
platform
windows10_x64
resource
win10v20201028
submitted
17-11-2020 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

006252b08e8a073c31d43cc03e1df107.exe
Size

2.7MB
MD5

7744c06d0fea9cd0180167b9e5de2494
SHA1

7dce7ae675e3239682b3a510566f4eff257622ce
SHA256

c5e37df6c487b736d8d99416fe6199c425cfd713b633f15e2d7f4c379331d712
SHA512

bba7331960bf703d3a7384fd80bfb44549a54d659309d12559cf38601f8f273f7e90706aa55364951d1f2d9fb420efbaff3423f12400d49da62b5da3b7288eb6

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

y4wizt5q.gsa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\Label\\System.exe"	y4wizt5q.gsa.exe

Executes dropped EXE 6 IoCs

Processes:

Install.sfx.exeInstall.exey4wizt5q.gsa.exeeiqowt2n.3pa.exeeiqowt2n.3pa.tmpSystem.exe

pid process

3292 Install.sfx.exe
2800 Install.exe
2844 y4wizt5q.gsa.exe
3728 eiqowt2n.3pa.exe
3340 eiqowt2n.3pa.tmp
1300 System.exe

pid	process
3292	Install.sfx.exe
2800	Install.exe
2844	y4wizt5q.gsa.exe
3728	eiqowt2n.3pa.exe
3340	eiqowt2n.3pa.tmp
1300	System.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\y4wizt5q.gsa.exe	upx
C:\Users\Admin\AppData\Local\Temp\y4wizt5q.gsa.exe	upx
C:\Users\Admin\Documents\Label\System.exe	upx
C:\Users\Admin\Documents\Label\System.exe	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

y4wizt5q.gsa.exeSystem.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\Documents\\Label\\System.exe"	y4wizt5q.gsa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\Documents\\Label\\System.exe"	System.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

y4wizt5q.gsa.exeSystem.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2844	y4wizt5q.gsa.exe
Token: SeSecurityPrivilege	2844	y4wizt5q.gsa.exe
Token: SeTakeOwnershipPrivilege	2844	y4wizt5q.gsa.exe
Token: SeLoadDriverPrivilege	2844	y4wizt5q.gsa.exe
Token: SeSystemProfilePrivilege	2844	y4wizt5q.gsa.exe
Token: SeSystemtimePrivilege	2844	y4wizt5q.gsa.exe
Token: SeProfSingleProcessPrivilege	2844	y4wizt5q.gsa.exe
Token: SeIncBasePriorityPrivilege	2844	y4wizt5q.gsa.exe
Token: SeCreatePagefilePrivilege	2844	y4wizt5q.gsa.exe
Token: SeBackupPrivilege	2844	y4wizt5q.gsa.exe
Token: SeRestorePrivilege	2844	y4wizt5q.gsa.exe
Token: SeShutdownPrivilege	2844	y4wizt5q.gsa.exe
Token: SeDebugPrivilege	2844	y4wizt5q.gsa.exe
Token: SeSystemEnvironmentPrivilege	2844	y4wizt5q.gsa.exe
Token: SeChangeNotifyPrivilege	2844	y4wizt5q.gsa.exe
Token: SeRemoteShutdownPrivilege	2844	y4wizt5q.gsa.exe
Token: SeUndockPrivilege	2844	y4wizt5q.gsa.exe
Token: SeManageVolumePrivilege	2844	y4wizt5q.gsa.exe
Token: SeImpersonatePrivilege	2844	y4wizt5q.gsa.exe
Token: SeCreateGlobalPrivilege	2844	y4wizt5q.gsa.exe
Token: 33	2844	y4wizt5q.gsa.exe
Token: 34	2844	y4wizt5q.gsa.exe
Token: 35	2844	y4wizt5q.gsa.exe
Token: 36	2844	y4wizt5q.gsa.exe
Token: SeIncreaseQuotaPrivilege	1300	System.exe
Token: SeSecurityPrivilege	1300	System.exe
Token: SeTakeOwnershipPrivilege	1300	System.exe
Token: SeLoadDriverPrivilege	1300	System.exe
Token: SeSystemProfilePrivilege	1300	System.exe
Token: SeSystemtimePrivilege	1300	System.exe
Token: SeProfSingleProcessPrivilege	1300	System.exe
Token: SeIncBasePriorityPrivilege	1300	System.exe
Token: SeCreatePagefilePrivilege	1300	System.exe
Token: SeBackupPrivilege	1300	System.exe
Token: SeRestorePrivilege	1300	System.exe
Token: SeShutdownPrivilege	1300	System.exe
Token: SeDebugPrivilege	1300	System.exe
Token: SeSystemEnvironmentPrivilege	1300	System.exe
Token: SeChangeNotifyPrivilege	1300	System.exe
Token: SeRemoteShutdownPrivilege	1300	System.exe
Token: SeUndockPrivilege	1300	System.exe
Token: SeManageVolumePrivilege	1300	System.exe
Token: SeImpersonatePrivilege	1300	System.exe
Token: SeCreateGlobalPrivilege	1300	System.exe
Token: 33	1300	System.exe
Token: 34	1300	System.exe
Token: 35	1300	System.exe
Token: 36	1300	System.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

System.exe

pid process

1300 System.exe

pid	process
1300	System.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

006252b08e8a073c31d43cc03e1df107.execmd.exeInstall.sfx.exeInstall.exeeiqowt2n.3pa.exey4wizt5q.gsa.exeSystem.exe

description	pid	process	target process
PID 2208 wrote to memory of 3448	2208	006252b08e8a073c31d43cc03e1df107.exe	cmd.exe
PID 2208 wrote to memory of 3448	2208	006252b08e8a073c31d43cc03e1df107.exe	cmd.exe
PID 2208 wrote to memory of 3448	2208	006252b08e8a073c31d43cc03e1df107.exe	cmd.exe
PID 3448 wrote to memory of 3292	3448	cmd.exe	Install.sfx.exe
PID 3448 wrote to memory of 3292	3448	cmd.exe	Install.sfx.exe
PID 3448 wrote to memory of 3292	3448	cmd.exe	Install.sfx.exe
PID 3292 wrote to memory of 2800	3292	Install.sfx.exe	Install.exe
PID 3292 wrote to memory of 2800	3292	Install.sfx.exe	Install.exe
PID 3292 wrote to memory of 2800	3292	Install.sfx.exe	Install.exe
PID 2800 wrote to memory of 2844	2800	Install.exe	y4wizt5q.gsa.exe
PID 2800 wrote to memory of 2844	2800	Install.exe	y4wizt5q.gsa.exe
PID 2800 wrote to memory of 2844	2800	Install.exe	y4wizt5q.gsa.exe
PID 2800 wrote to memory of 3728	2800	Install.exe	eiqowt2n.3pa.exe
PID 2800 wrote to memory of 3728	2800	Install.exe	eiqowt2n.3pa.exe
PID 2800 wrote to memory of 3728	2800	Install.exe	eiqowt2n.3pa.exe
PID 3728 wrote to memory of 3340	3728	eiqowt2n.3pa.exe	eiqowt2n.3pa.tmp
PID 3728 wrote to memory of 3340	3728	eiqowt2n.3pa.exe	eiqowt2n.3pa.tmp
PID 3728 wrote to memory of 3340	3728	eiqowt2n.3pa.exe	eiqowt2n.3pa.tmp
PID 2844 wrote to memory of 1300	2844	y4wizt5q.gsa.exe	System.exe
PID 2844 wrote to memory of 1300	2844	y4wizt5q.gsa.exe	System.exe
PID 2844 wrote to memory of 1300	2844	y4wizt5q.gsa.exe	System.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 1300 wrote to memory of 3132	1300	System.exe	notepad.exe
PID 3448 wrote to memory of 3852	3448	cmd.exe	cmd.exe
PID 3448 wrote to memory of 3852	3448	cmd.exe	cmd.exe
PID 3448 wrote to memory of 3852	3448	cmd.exe	cmd.exe
PID 3448 wrote to memory of 2292	3448	cmd.exe	xcopy.exe
PID 3448 wrote to memory of 2292	3448	cmd.exe	xcopy.exe
PID 3448 wrote to memory of 2292	3448	cmd.exe	xcopy.exe

C:\Users\Admin\AppData\Local\Temp\006252b08e8a073c31d43cc03e1df107.exe
"C:\Users\Admin\AppData\Local\Temp\006252b08e8a073c31d43cc03e1df107.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Decrypt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3448

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.sfx.exe
Install.sfx.exe -pdingdingdingdogdomgngfjnsjnfg -d\Users\Admin\AppData\Roaming\
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Temp\y4wizt5q.gsa.exe
"C:\Users\Admin\AppData\Local\Temp\y4wizt5q.gsa.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\Documents\Label\System.exe
"C:\Users\Admin\Documents\Label\System.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\eiqowt2n.3pa.exe
"C:\Users\Admin\AppData\Local\Temp\eiqowt2n.3pa.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728

C:\Users\Admin\AppData\Local\Temp\is-AS1EG.tmp\eiqowt2n.3pa.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AS1EG.tmp\eiqowt2n.3pa.tmp" /SL5="$10204,56832,0,C:\Users\Admin\AppData\Local\Temp\eiqowt2n.3pa.exe"
6⤵
- Executes dropped EXE
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO Y "
3⤵
PID:3852

C:\Windows\SysWOW64\xcopy.exe
xcopy /s "\Users\Admin\AppData\Roaming\Install.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
3⤵
- Enumerates system info in registry
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Decrypt.bat
MD5
9fa23714d07fb86619910d2ec534b0bb

SHA1
b0ea0f623f0e4b0a4672e748618bee254677cc4e

SHA256
d4c16e0a78390f4896e43753daf9a88e55119fb11f46db100e7478b7a71c1973

SHA512
253fe7e331b80d39714ce26709810d0980c30bd6755d970c6ce87e8dbaa362f90876d7f0231b238b5a83edc534d10d769e7e547df6876243afdc815122192fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.sfx.exe
MD5
fbb4dbb9e9a16e815835967796ad1ad1

SHA1
c292bed8147bde727624d3ebb88e802042fab982

SHA256
6846870c61ae1fa37920189095f53d6bd46eb762d43682a50a12d453476606ec

SHA512
16587311ed6ca829b69facf2dff0b7da48265702c88c890cc6341450e7bebe4f906fd6f2dcabcda52d0dce5559f6ef13c3c2d7fd0d87e3379bf5a728bf0dc9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.sfx.exe
MD5
fbb4dbb9e9a16e815835967796ad1ad1

SHA1
c292bed8147bde727624d3ebb88e802042fab982

SHA256
6846870c61ae1fa37920189095f53d6bd46eb762d43682a50a12d453476606ec

SHA512
16587311ed6ca829b69facf2dff0b7da48265702c88c890cc6341450e7bebe4f906fd6f2dcabcda52d0dce5559f6ef13c3c2d7fd0d87e3379bf5a728bf0dc9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe
MD5
0b9601c5d801de1ce0414855e52af119

SHA1
12d14e2c9b3d999270f6bae8ea373382aff0389a

SHA256
14cbd55c2eb162235a78c42f61941ac6d64c28ab770eb0395f8a7d6de85ac48e

SHA512
804da68b6567b7511bf0ecfb936de9534342ca94e74a39f262bb171f8547eb62c6dc7cb84c3d797fdeb6699bf1a127b1ede9a77f0b2fa0ffd2433865f60dfb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe
MD5
0b9601c5d801de1ce0414855e52af119

SHA1
12d14e2c9b3d999270f6bae8ea373382aff0389a

SHA256
14cbd55c2eb162235a78c42f61941ac6d64c28ab770eb0395f8a7d6de85ac48e

SHA512
804da68b6567b7511bf0ecfb936de9534342ca94e74a39f262bb171f8547eb62c6dc7cb84c3d797fdeb6699bf1a127b1ede9a77f0b2fa0ffd2433865f60dfb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\eiqowt2n.3pa.exe
MD5
3bb4d7274a9e76c55e4816be94117c41

SHA1
a77a9f9d438514cd986b9002a29cff70b26522e5

SHA256
23b50fdc5d7cebb068f60ad28205577cd6bfd4b35e1c273423e55e01c75a103e

SHA512
d9ed4e4a7c6b3568a0d897ac12db4800283451c128530cca4ac03e8b0c38e78b3e60c2c9bc059416ebd38bb75f693c007ecf07c7576769647d49c7adc81bee2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eiqowt2n.3pa.exe
MD5
3bb4d7274a9e76c55e4816be94117c41

SHA1
a77a9f9d438514cd986b9002a29cff70b26522e5

SHA256
23b50fdc5d7cebb068f60ad28205577cd6bfd4b35e1c273423e55e01c75a103e

SHA512
d9ed4e4a7c6b3568a0d897ac12db4800283451c128530cca4ac03e8b0c38e78b3e60c2c9bc059416ebd38bb75f693c007ecf07c7576769647d49c7adc81bee2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AS1EG.tmp\eiqowt2n.3pa.tmp
MD5
a2c4d52c66b4b399facadb8cc8386745

SHA1
c326304c56a52a3e5bfbdce2fef54604a0c653e0

SHA256
6c0465ce64c07e729c399a338705941d77727c7d089430957df3e91a416e9d2a

SHA512
2a66256ff8535e2b300aa0ca27b76e85d42422b0aaf5e7e6d055f7abb9e338929c979e185c6be8918d920fb134b7f28a76b714579cacb8ace09000c046dd34d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AS1EG.tmp\eiqowt2n.3pa.tmp
MD5
a2c4d52c66b4b399facadb8cc8386745

SHA1
c326304c56a52a3e5bfbdce2fef54604a0c653e0

SHA256
6c0465ce64c07e729c399a338705941d77727c7d089430957df3e91a416e9d2a

SHA512
2a66256ff8535e2b300aa0ca27b76e85d42422b0aaf5e7e6d055f7abb9e338929c979e185c6be8918d920fb134b7f28a76b714579cacb8ace09000c046dd34d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\y4wizt5q.gsa.exe
MD5
d1cfbc0f04971a4b80cdad65aa7b54a3

SHA1
e562a1ed9650a750847171780efd14ac57e941e0

SHA256
ef1fd20bf82f64e45f52176ee0521b456975bf62970671cc6f1bc2dd8c388341

SHA512
2eb5f6a051efad1fabc627f607d3c3acc16f17d29e12a9e8315e3ce83ccf139b74c277d55895e229b698aaeb7014795a88014724cf1247bd3502a9c5df76634d

Download Submit
C:\Users\Admin\AppData\Local\Temp\y4wizt5q.gsa.exe
MD5
d1cfbc0f04971a4b80cdad65aa7b54a3

SHA1
e562a1ed9650a750847171780efd14ac57e941e0

SHA256
ef1fd20bf82f64e45f52176ee0521b456975bf62970671cc6f1bc2dd8c388341

SHA512
2eb5f6a051efad1fabc627f607d3c3acc16f17d29e12a9e8315e3ce83ccf139b74c277d55895e229b698aaeb7014795a88014724cf1247bd3502a9c5df76634d

Download Submit
C:\Users\Admin\Documents\Label\System.exe
MD5
d1cfbc0f04971a4b80cdad65aa7b54a3

SHA1
e562a1ed9650a750847171780efd14ac57e941e0

SHA256
ef1fd20bf82f64e45f52176ee0521b456975bf62970671cc6f1bc2dd8c388341

SHA512
2eb5f6a051efad1fabc627f607d3c3acc16f17d29e12a9e8315e3ce83ccf139b74c277d55895e229b698aaeb7014795a88014724cf1247bd3502a9c5df76634d

Download Submit
C:\Users\Admin\Documents\Label\System.exe
MD5
d1cfbc0f04971a4b80cdad65aa7b54a3

SHA1
e562a1ed9650a750847171780efd14ac57e941e0

SHA256
ef1fd20bf82f64e45f52176ee0521b456975bf62970671cc6f1bc2dd8c388341

SHA512
2eb5f6a051efad1fabc627f607d3c3acc16f17d29e12a9e8315e3ce83ccf139b74c277d55895e229b698aaeb7014795a88014724cf1247bd3502a9c5df76634d

Download Submit
memory/1300-17-0x0000000000000000-mapping.dmp

Download
memory/2292-24-0x0000000000000000-mapping.dmp

Download
memory/2800-5-0x0000000000000000-mapping.dmp

Download
memory/2844-8-0x0000000000000000-mapping.dmp

Download
memory/3132-20-0x0000000000000000-mapping.dmp

Download
memory/3132-21-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/3132-22-0x0000000000000000-mapping.dmp

Download
memory/3292-2-0x0000000000000000-mapping.dmp

Download
memory/3340-14-0x0000000000000000-mapping.dmp

Download
memory/3448-0-0x0000000000000000-mapping.dmp

Download
memory/3728-11-0x0000000000000000-mapping.dmp

Download
memory/3852-23-0x0000000000000000-mapping.dmp

Download