darkcomet | e6df55cc9bd779e4b53f57c8a2291e1a15c4ffee992b535c0ed6ed14801313aa

General

Target

Payment Confirmation.exe

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

cvcvsdf.execvcvsdf.exe

pid process

3084 cvcvsdf.exe
400 cvcvsdf.exe

pid	process
3084	cvcvsdf.exe
400	cvcvsdf.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/400-9-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/400-12-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

Payment Confirmation.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Payment Confirmation.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Payment Confirmation.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cvcvsdf.exe

description pid process target process

PID 3084 set thread context of 400 3084 cvcvsdf.exe cvcvsdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3084 set thread context of 400	3084	cvcvsdf.exe	cvcvsdf.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

cvcvsdf.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	400	cvcvsdf.exe
Token: SeSecurityPrivilege	400	cvcvsdf.exe
Token: SeTakeOwnershipPrivilege	400	cvcvsdf.exe
Token: SeLoadDriverPrivilege	400	cvcvsdf.exe
Token: SeSystemProfilePrivilege	400	cvcvsdf.exe
Token: SeSystemtimePrivilege	400	cvcvsdf.exe
Token: SeProfSingleProcessPrivilege	400	cvcvsdf.exe
Token: SeIncBasePriorityPrivilege	400	cvcvsdf.exe
Token: SeCreatePagefilePrivilege	400	cvcvsdf.exe
Token: SeBackupPrivilege	400	cvcvsdf.exe
Token: SeRestorePrivilege	400	cvcvsdf.exe
Token: SeShutdownPrivilege	400	cvcvsdf.exe
Token: SeDebugPrivilege	400	cvcvsdf.exe
Token: SeSystemEnvironmentPrivilege	400	cvcvsdf.exe
Token: SeChangeNotifyPrivilege	400	cvcvsdf.exe
Token: SeRemoteShutdownPrivilege	400	cvcvsdf.exe
Token: SeUndockPrivilege	400	cvcvsdf.exe
Token: SeManageVolumePrivilege	400	cvcvsdf.exe
Token: SeImpersonatePrivilege	400	cvcvsdf.exe
Token: SeCreateGlobalPrivilege	400	cvcvsdf.exe
Token: 33	400	cvcvsdf.exe
Token: 34	400	cvcvsdf.exe
Token: 35	400	cvcvsdf.exe
Token: 36	400	cvcvsdf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Payment Confirmation.execvcvsdf.exe

pid process

1144 Payment Confirmation.exe
3084 cvcvsdf.exe

pid	process
1144	Payment Confirmation.exe
3084	cvcvsdf.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Payment Confirmation.execvcvsdf.exe

description	pid	process	target process
PID 1144 wrote to memory of 3084	1144	Payment Confirmation.exe	cvcvsdf.exe
PID 1144 wrote to memory of 3084	1144	Payment Confirmation.exe	cvcvsdf.exe
PID 1144 wrote to memory of 3084	1144	Payment Confirmation.exe	cvcvsdf.exe
PID 3084 wrote to memory of 400	3084	cvcvsdf.exe	cvcvsdf.exe
PID 3084 wrote to memory of 400	3084	cvcvsdf.exe	cvcvsdf.exe
PID 3084 wrote to memory of 400	3084	cvcvsdf.exe	cvcvsdf.exe
PID 3084 wrote to memory of 400	3084	cvcvsdf.exe	cvcvsdf.exe
PID 3084 wrote to memory of 400	3084	cvcvsdf.exe	cvcvsdf.exe
PID 3084 wrote to memory of 400	3084	cvcvsdf.exe	cvcvsdf.exe
PID 3084 wrote to memory of 400	3084	cvcvsdf.exe	cvcvsdf.exe
PID 3084 wrote to memory of 400	3084	cvcvsdf.exe	cvcvsdf.exe

C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

MD5
800b9d7f3a47c5a18da78cb6a54f90be

SHA1
67c825ca6d8f430fdfc4cbca78c442600db7ccf0

SHA256
e6edf54375a14314aa44db9fe8cdd48368338e7ed873f25ba2a6a5ff4381d233

SHA512
3f36217fc2e0afd41d16ea8e35628b00bd8e094194b892e551ba2b39fffaf16e67ece937ade136fe03286fef59718a76fc83081a7cb1dd2f8a7efa811a992e87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

MD5
800b9d7f3a47c5a18da78cb6a54f90be

SHA1
67c825ca6d8f430fdfc4cbca78c442600db7ccf0

SHA256
e6edf54375a14314aa44db9fe8cdd48368338e7ed873f25ba2a6a5ff4381d233

SHA512
3f36217fc2e0afd41d16ea8e35628b00bd8e094194b892e551ba2b39fffaf16e67ece937ade136fe03286fef59718a76fc83081a7cb1dd2f8a7efa811a992e87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

MD5
800b9d7f3a47c5a18da78cb6a54f90be

SHA1
67c825ca6d8f430fdfc4cbca78c442600db7ccf0

SHA256
e6edf54375a14314aa44db9fe8cdd48368338e7ed873f25ba2a6a5ff4381d233

SHA512
3f36217fc2e0afd41d16ea8e35628b00bd8e094194b892e551ba2b39fffaf16e67ece937ade136fe03286fef59718a76fc83081a7cb1dd2f8a7efa811a992e87

Download Submit
memory/400-9-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/400-10-0x00000000004B67A0-mapping.dmp

Download
memory/400-12-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/400-13-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3084-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads