darkcomet | 554711ee1f28155e4b972efff5299f79a054d31eeb18a5ce64f1617982eaeeae

General

Target

JOIN.exe
Size

848KB
MD5

ff65699609255332366bf5416fb38869
SHA1

80e9e78f4c4be3daa256ba1e37235a7f159bd25a
SHA256

554711ee1f28155e4b972efff5299f79a054d31eeb18a5ce64f1617982eaeeae
SHA512

0e5a383e6332aee7c31c0ab60ad9d9d1e427dbe28836837a994b0ebac0eb2fe0b9741accfcb386000eb5fd19ac87adcbf86744802886b410c42887a277e9c262

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

cvcvsdf.execvcvsdf.exe

pid process

772 cvcvsdf.exe
4024 cvcvsdf.exe

pid	process
772	cvcvsdf.exe
4024	cvcvsdf.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4024-9-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4024-12-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

JOIN.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	JOIN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	JOIN.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cvcvsdf.exe

description pid process target process

PID 772 set thread context of 4024 772 cvcvsdf.exe cvcvsdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 772 set thread context of 4024	772	cvcvsdf.exe	cvcvsdf.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

cvcvsdf.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4024	cvcvsdf.exe
Token: SeSecurityPrivilege	4024	cvcvsdf.exe
Token: SeTakeOwnershipPrivilege	4024	cvcvsdf.exe
Token: SeLoadDriverPrivilege	4024	cvcvsdf.exe
Token: SeSystemProfilePrivilege	4024	cvcvsdf.exe
Token: SeSystemtimePrivilege	4024	cvcvsdf.exe
Token: SeProfSingleProcessPrivilege	4024	cvcvsdf.exe
Token: SeIncBasePriorityPrivilege	4024	cvcvsdf.exe
Token: SeCreatePagefilePrivilege	4024	cvcvsdf.exe
Token: SeBackupPrivilege	4024	cvcvsdf.exe
Token: SeRestorePrivilege	4024	cvcvsdf.exe
Token: SeShutdownPrivilege	4024	cvcvsdf.exe
Token: SeDebugPrivilege	4024	cvcvsdf.exe
Token: SeSystemEnvironmentPrivilege	4024	cvcvsdf.exe
Token: SeChangeNotifyPrivilege	4024	cvcvsdf.exe
Token: SeRemoteShutdownPrivilege	4024	cvcvsdf.exe
Token: SeUndockPrivilege	4024	cvcvsdf.exe
Token: SeManageVolumePrivilege	4024	cvcvsdf.exe
Token: SeImpersonatePrivilege	4024	cvcvsdf.exe
Token: SeCreateGlobalPrivilege	4024	cvcvsdf.exe
Token: 33	4024	cvcvsdf.exe
Token: 34	4024	cvcvsdf.exe
Token: 35	4024	cvcvsdf.exe
Token: 36	4024	cvcvsdf.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

JOIN.execvcvsdf.execvcvsdf.exe

pid process

3116 JOIN.exe
772 cvcvsdf.exe
4024 cvcvsdf.exe

pid	process
3116	JOIN.exe
772	cvcvsdf.exe
4024	cvcvsdf.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

JOIN.execvcvsdf.exe

description	pid	process	target process
PID 3116 wrote to memory of 772	3116	JOIN.exe	cvcvsdf.exe
PID 3116 wrote to memory of 772	3116	JOIN.exe	cvcvsdf.exe
PID 3116 wrote to memory of 772	3116	JOIN.exe	cvcvsdf.exe
PID 772 wrote to memory of 4024	772	cvcvsdf.exe	cvcvsdf.exe
PID 772 wrote to memory of 4024	772	cvcvsdf.exe	cvcvsdf.exe
PID 772 wrote to memory of 4024	772	cvcvsdf.exe	cvcvsdf.exe
PID 772 wrote to memory of 4024	772	cvcvsdf.exe	cvcvsdf.exe
PID 772 wrote to memory of 4024	772	cvcvsdf.exe	cvcvsdf.exe
PID 772 wrote to memory of 4024	772	cvcvsdf.exe	cvcvsdf.exe
PID 772 wrote to memory of 4024	772	cvcvsdf.exe	cvcvsdf.exe
PID 772 wrote to memory of 4024	772	cvcvsdf.exe	cvcvsdf.exe

C:\Users\Admin\AppData\Local\Temp\JOIN.exe
"C:\Users\Admin\AppData\Local\Temp\JOIN.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

MD5
ff65699609255332366bf5416fb38869

SHA1
80e9e78f4c4be3daa256ba1e37235a7f159bd25a

SHA256
554711ee1f28155e4b972efff5299f79a054d31eeb18a5ce64f1617982eaeeae

SHA512
0e5a383e6332aee7c31c0ab60ad9d9d1e427dbe28836837a994b0ebac0eb2fe0b9741accfcb386000eb5fd19ac87adcbf86744802886b410c42887a277e9c262

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

MD5
ff65699609255332366bf5416fb38869

SHA1
80e9e78f4c4be3daa256ba1e37235a7f159bd25a

SHA256
554711ee1f28155e4b972efff5299f79a054d31eeb18a5ce64f1617982eaeeae

SHA512
0e5a383e6332aee7c31c0ab60ad9d9d1e427dbe28836837a994b0ebac0eb2fe0b9741accfcb386000eb5fd19ac87adcbf86744802886b410c42887a277e9c262

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

MD5
ff65699609255332366bf5416fb38869

SHA1
80e9e78f4c4be3daa256ba1e37235a7f159bd25a

SHA256
554711ee1f28155e4b972efff5299f79a054d31eeb18a5ce64f1617982eaeeae

SHA512
0e5a383e6332aee7c31c0ab60ad9d9d1e427dbe28836837a994b0ebac0eb2fe0b9741accfcb386000eb5fd19ac87adcbf86744802886b410c42887a277e9c262

Download Submit
memory/772-4-0x0000000000000000-mapping.dmp

Download
memory/4024-9-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4024-10-0x00000000004B67A0-mapping.dmp

Download
memory/4024-13-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/4024-12-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads