darkcomet | 9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681

General

Target

9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe
Size

1.4MB
MD5

764118763c69cf32e0db57b46c2f8a54
SHA1

ead2bf75b406f42d7e0d1ed7ed0e371f474b037c
SHA256

9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681
SHA512

e22548aae9516a127cf43028ad61426af1bb4459f5c69d9dd34519beebbe001cc87ab2a318dfbc9187273216e4a1620d92887edf6d20f557ca13e4bebca3f295

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

TVcard.exeTVcard.exe

pid process

2972 TVcard.exe
1164 TVcard.exe

pid	process
2972	TVcard.exe
1164	TVcard.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1164-172-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1164-176-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TVcard.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla = "C:\\Users\\Admin\\AppData\\Local\\Mozilla\\StatsReader.exe"	TVcard.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

TVcard.exe

description pid process target process

PID 2972 set thread context of 1164 2972 TVcard.exe TVcard.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2972 set thread context of 1164	2972	TVcard.exe	TVcard.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

TVcard.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1164	TVcard.exe
Token: SeSecurityPrivilege	1164	TVcard.exe
Token: SeTakeOwnershipPrivilege	1164	TVcard.exe
Token: SeLoadDriverPrivilege	1164	TVcard.exe
Token: SeSystemProfilePrivilege	1164	TVcard.exe
Token: SeSystemtimePrivilege	1164	TVcard.exe
Token: SeProfSingleProcessPrivilege	1164	TVcard.exe
Token: SeIncBasePriorityPrivilege	1164	TVcard.exe
Token: SeCreatePagefilePrivilege	1164	TVcard.exe
Token: SeBackupPrivilege	1164	TVcard.exe
Token: SeRestorePrivilege	1164	TVcard.exe
Token: SeShutdownPrivilege	1164	TVcard.exe
Token: SeDebugPrivilege	1164	TVcard.exe
Token: SeSystemEnvironmentPrivilege	1164	TVcard.exe
Token: SeChangeNotifyPrivilege	1164	TVcard.exe
Token: SeRemoteShutdownPrivilege	1164	TVcard.exe
Token: SeUndockPrivilege	1164	TVcard.exe
Token: SeManageVolumePrivilege	1164	TVcard.exe
Token: SeImpersonatePrivilege	1164	TVcard.exe
Token: SeCreateGlobalPrivilege	1164	TVcard.exe
Token: 33	1164	TVcard.exe
Token: 34	1164	TVcard.exe
Token: 35	1164	TVcard.exe
Token: 36	1164	TVcard.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

TVcard.exe

pid process

1164 TVcard.exe

pid	process
1164	TVcard.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exeTVcard.exeTVcard.exe

description	pid	process	target process
PID 3152 wrote to memory of 2972	3152	9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe	TVcard.exe
PID 3152 wrote to memory of 2972	3152	9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe	TVcard.exe
PID 3152 wrote to memory of 2972	3152	9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe	TVcard.exe
PID 2972 wrote to memory of 1164	2972	TVcard.exe	TVcard.exe
PID 2972 wrote to memory of 1164	2972	TVcard.exe	TVcard.exe
PID 2972 wrote to memory of 1164	2972	TVcard.exe	TVcard.exe
PID 2972 wrote to memory of 1164	2972	TVcard.exe	TVcard.exe
PID 2972 wrote to memory of 1164	2972	TVcard.exe	TVcard.exe
PID 2972 wrote to memory of 1164	2972	TVcard.exe	TVcard.exe
PID 2972 wrote to memory of 1164	2972	TVcard.exe	TVcard.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe
PID 1164 wrote to memory of 2204	1164	TVcard.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe
"C:\Users\Admin\AppData\Local\Temp\9afc73998f3bf6391f8d7eaf945a6949d4f5aa2a45ef228f23abfdb397bd0681.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\TVcard.exe
"C:\Users\Admin\AppData\Local\TVcard.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\TVcard.exe
"C:\Users\Admin\AppData\Local\TVcard.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:2204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\F.bmp
MD5
6433c704e2495cfd73f197b1d84fc559

SHA1
f0fe20f87a9513cb6d5a64c0ff3ef4229b9a8c57

SHA256
053c86f2fb2657c5e53e1e93706e5d2ee4673f9fecaba5741868b92a732a6fde

SHA512
fa14ac9f15f1d717c74c28fafa2c8892676603187afcd1c3a16acace6bd4cc6c104df240dce09c5a98441e44c95e7f3ee55663f2186584777f74efce0aedf5f5

Download Submit
C:\Users\Admin\AppData\Local\TVcard.exe
MD5
50313e466a38e41be62ecf188e103673

SHA1
d60d3bc51006f03e5440c6152638ef16e8c4ef7a

SHA256
1b44acfc7e6b0d0cf553273a8e46e1f49c8e3e0a449e36ab61dfad8e9c954c47

SHA512
c4f0055f2bcd142db363b390921fae9f5b55a5ffd240457cc835367dbfcbe27cde080666b61bad089224ae4221e5ecc7e9c28e1d9f3ab64c87f7991ce65697c0

Download Submit
C:\Users\Admin\AppData\Local\TVcard.exe
MD5
50313e466a38e41be62ecf188e103673

SHA1
d60d3bc51006f03e5440c6152638ef16e8c4ef7a

SHA256
1b44acfc7e6b0d0cf553273a8e46e1f49c8e3e0a449e36ab61dfad8e9c954c47

SHA512
c4f0055f2bcd142db363b390921fae9f5b55a5ffd240457cc835367dbfcbe27cde080666b61bad089224ae4221e5ecc7e9c28e1d9f3ab64c87f7991ce65697c0

Download Submit
C:\Users\Admin\AppData\Local\TVcard.exe
MD5
50313e466a38e41be62ecf188e103673

SHA1
d60d3bc51006f03e5440c6152638ef16e8c4ef7a

SHA256
1b44acfc7e6b0d0cf553273a8e46e1f49c8e3e0a449e36ab61dfad8e9c954c47

SHA512
c4f0055f2bcd142db363b390921fae9f5b55a5ffd240457cc835367dbfcbe27cde080666b61bad089224ae4221e5ecc7e9c28e1d9f3ab64c87f7991ce65697c0

Download Submit
memory/1164-172-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1164-176-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1164-177-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1164-173-0x00000000004B5670-mapping.dmp

Download
memory/2204-178-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2204-175-0x0000000000000000-mapping.dmp

Download
memory/2972-168-0x0000000000000000-mapping.dmp

Download
memory/3152-141-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/3152-147-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/3152-124-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/3152-123-0x0000000002590000-0x0000000002593000-memory.dmp

Filesize
12KB

Download
memory/3152-121-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3152-125-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/3152-126-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/3152-127-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/3152-128-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/3152-129-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/3152-130-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/3152-132-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/3152-134-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/3152-135-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/3152-133-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/3152-131-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/3152-136-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/3152-137-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/3152-138-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/3152-139-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/3152-140-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/3152-120-0x0000000000880000-0x00000000008A3000-memory.dmp

Filesize
140KB

Download
memory/3152-142-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/3152-143-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/3152-144-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/3152-146-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/3152-145-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/3152-122-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3152-148-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/3152-149-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/3152-150-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/3152-151-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/3152-152-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/3152-153-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/3152-154-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3152-155-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/3152-156-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/3152-158-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/3152-159-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/3152-157-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/3152-160-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/3152-161-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/3152-162-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/3152-119-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3152-118-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/3152-117-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/3152-115-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/3152-116-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/3152-114-0x00000000023A0000-0x00000000023E2000-memory.dmp

Filesize
264KB

Download
memory/3152-163-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3152-164-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/3152-166-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3152-165-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/3152-167-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads