darkcomet | 9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681

General

Target

9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe
Size

1.4MB
MD5

764118763c69cf32e0db57b46c2f8a54
SHA1

ead2bf75b406f42d7e0d1ed7ed0e371f474b037c
SHA256

9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681
SHA512

e22548aae9516a127cf43028ad61426af1bb4459f5c69d9dd34519beebbe001cc87ab2a318dfbc9187273216e4a1620d92887edf6d20f557ca13e4bebca3f295

Score

10^/10

darkcomet bootkit persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

TVcard.exeTVcard.exe

pid process

1228 TVcard.exe
1804 TVcard.exe

pid	process
1228	TVcard.exe
1804	TVcard.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1804-121-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1804-127-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe

pid	process
1640	9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe
1640	9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TVcard.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\StatsReader.exe"	TVcard.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe

description ioc process

File opened for modification \??\PhysicalDrive0 9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

TVcard.exe

description pid process target process

PID 1228 set thread context of 1804 1228 TVcard.exe TVcard.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe

description	pid	process	target process
PID 1228 set thread context of 1804	1228	TVcard.exe	TVcard.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

TVcard.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1804	TVcard.exe
Token: SeSecurityPrivilege	1804	TVcard.exe
Token: SeTakeOwnershipPrivilege	1804	TVcard.exe
Token: SeLoadDriverPrivilege	1804	TVcard.exe
Token: SeSystemProfilePrivilege	1804	TVcard.exe
Token: SeSystemtimePrivilege	1804	TVcard.exe
Token: SeProfSingleProcessPrivilege	1804	TVcard.exe
Token: SeIncBasePriorityPrivilege	1804	TVcard.exe
Token: SeCreatePagefilePrivilege	1804	TVcard.exe
Token: SeBackupPrivilege	1804	TVcard.exe
Token: SeRestorePrivilege	1804	TVcard.exe
Token: SeShutdownPrivilege	1804	TVcard.exe
Token: SeDebugPrivilege	1804	TVcard.exe
Token: SeSystemEnvironmentPrivilege	1804	TVcard.exe
Token: SeChangeNotifyPrivilege	1804	TVcard.exe
Token: SeRemoteShutdownPrivilege	1804	TVcard.exe
Token: SeUndockPrivilege	1804	TVcard.exe
Token: SeManageVolumePrivilege	1804	TVcard.exe
Token: SeImpersonatePrivilege	1804	TVcard.exe
Token: SeCreateGlobalPrivilege	1804	TVcard.exe
Token: 33	1804	TVcard.exe
Token: 34	1804	TVcard.exe
Token: 35	1804	TVcard.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

TVcard.exe

pid process

1804 TVcard.exe

pid	process
1804	TVcard.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exeTVcard.exeTVcard.exe

description	pid	process	target process
PID 1640 wrote to memory of 1228	1640	9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe	TVcard.exe
PID 1640 wrote to memory of 1228	1640	9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe	TVcard.exe
PID 1640 wrote to memory of 1228	1640	9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe	TVcard.exe
PID 1640 wrote to memory of 1228	1640	9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe	TVcard.exe
PID 1228 wrote to memory of 1804	1228	TVcard.exe	TVcard.exe
PID 1228 wrote to memory of 1804	1228	TVcard.exe	TVcard.exe
PID 1228 wrote to memory of 1804	1228	TVcard.exe	TVcard.exe
PID 1228 wrote to memory of 1804	1228	TVcard.exe	TVcard.exe
PID 1228 wrote to memory of 1804	1228	TVcard.exe	TVcard.exe
PID 1228 wrote to memory of 1804	1228	TVcard.exe	TVcard.exe
PID 1228 wrote to memory of 1804	1228	TVcard.exe	TVcard.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe
PID 1804 wrote to memory of 1656	1804	TVcard.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe
"C:\Users\Admin\AppData\Local\Temp\9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\TVcard.exe
"C:\Users\Admin\AppData\Local\TVcard.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\TVcard.exe
"C:\Users\Admin\AppData\Local\TVcard.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\F.bmp
MD5
6433c704e2495cfd73f197b1d84fc559

SHA1
f0fe20f87a9513cb6d5a64c0ff3ef4229b9a8c57

SHA256
053c86f2fb2657c5e53e1e93706e5d2ee4673f9fecaba5741868b92a732a6fde

SHA512
fa14ac9f15f1d717c74c28fafa2c8892676603187afcd1c3a16acace6bd4cc6c104df240dce09c5a98441e44c95e7f3ee55663f2186584777f74efce0aedf5f5

Download Submit
C:\Users\Admin\AppData\Local\TVcard.exe
MD5
50313e466a38e41be62ecf188e103673

SHA1
d60d3bc51006f03e5440c6152638ef16e8c4ef7a

SHA256
1b44acfc7e6b0d0cf553273a8e46e1f49c8e3e0a449e36ab61dfad8e9c954c47

SHA512
c4f0055f2bcd142db363b390921fae9f5b55a5ffd240457cc835367dbfcbe27cde080666b61bad089224ae4221e5ecc7e9c28e1d9f3ab64c87f7991ce65697c0

Download Submit
C:\Users\Admin\AppData\Local\TVcard.exe
MD5
50313e466a38e41be62ecf188e103673

SHA1
d60d3bc51006f03e5440c6152638ef16e8c4ef7a

SHA256
1b44acfc7e6b0d0cf553273a8e46e1f49c8e3e0a449e36ab61dfad8e9c954c47

SHA512
c4f0055f2bcd142db363b390921fae9f5b55a5ffd240457cc835367dbfcbe27cde080666b61bad089224ae4221e5ecc7e9c28e1d9f3ab64c87f7991ce65697c0

Download Submit
C:\Users\Admin\AppData\Local\TVcard.exe
MD5
50313e466a38e41be62ecf188e103673

SHA1
d60d3bc51006f03e5440c6152638ef16e8c4ef7a

SHA256
1b44acfc7e6b0d0cf553273a8e46e1f49c8e3e0a449e36ab61dfad8e9c954c47

SHA512
c4f0055f2bcd142db363b390921fae9f5b55a5ffd240457cc835367dbfcbe27cde080666b61bad089224ae4221e5ecc7e9c28e1d9f3ab64c87f7991ce65697c0

Download Submit
\Users\Admin\AppData\Local\TVcard.exe
MD5
50313e466a38e41be62ecf188e103673

SHA1
d60d3bc51006f03e5440c6152638ef16e8c4ef7a

SHA256
1b44acfc7e6b0d0cf553273a8e46e1f49c8e3e0a449e36ab61dfad8e9c954c47

SHA512
c4f0055f2bcd142db363b390921fae9f5b55a5ffd240457cc835367dbfcbe27cde080666b61bad089224ae4221e5ecc7e9c28e1d9f3ab64c87f7991ce65697c0

Download Submit
\Users\Admin\AppData\Local\TVcard.exe
MD5
50313e466a38e41be62ecf188e103673

SHA1
d60d3bc51006f03e5440c6152638ef16e8c4ef7a

SHA256
1b44acfc7e6b0d0cf553273a8e46e1f49c8e3e0a449e36ab61dfad8e9c954c47

SHA512
c4f0055f2bcd142db363b390921fae9f5b55a5ffd240457cc835367dbfcbe27cde080666b61bad089224ae4221e5ecc7e9c28e1d9f3ab64c87f7991ce65697c0

Download Submit
memory/1228-116-0x0000000000000000-mapping.dmp

Download
memory/1640-89-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1640-68-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1640-63-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1640-64-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1640-65-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1640-66-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1640-67-0x0000000000610000-0x0000000000613000-memory.dmp

Filesize
12KB

Download
memory/1640-91-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1640-69-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1640-70-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1640-71-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1640-72-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1640-73-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1640-74-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1640-75-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1640-76-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1640-78-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/1640-77-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1640-79-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/1640-80-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1640-81-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1640-82-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/1640-83-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/1640-84-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1640-86-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/1640-85-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1640-87-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1640-61-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1640-88-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1640-90-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1640-93-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1640-92-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1640-62-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1640-95-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1640-94-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1640-96-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1640-97-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1640-99-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/1640-98-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1640-100-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1640-101-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1640-103-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1640-102-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1640-104-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/1640-105-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1640-106-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1640-107-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/1640-109-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/1640-60-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/1640-108-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1640-110-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/1640-111-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1640-112-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1640-113-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1640-59-0x00000000769B1000-0x00000000769B3000-memory.dmp

Filesize
8KB

Download
memory/1656-125-0x0000000000000000-mapping.dmp

Download
memory/1656-129-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1804-122-0x00000000004B5670-mapping.dmp

Download
memory/1804-121-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1804-128-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1804-127-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads