darkcomet | 965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22

Analysis

max time kernel
147s
max time network
185s
platform
windows7_x64
resource
win7v20210408
submitted
15-05-2021 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe
Size

740KB
MD5

7a03a13ed4082028a93e64d744cd6c31
SHA1

d2c133f83b8e6907411f96008036cb5add897c37
SHA256

965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22
SHA512

6f4c7e42cc4c23f0882a1d7090487d3430c64f89631a42a00c894fad1b56b7a0320f872c0b2e0048b2c2d41ecd569786ee66b497a97b780649345e1568fc61e0

Score

10^/10

darkcomet evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Windows Update\\winupdate.exe"	tmp.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

winupdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winupdate.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winupdate.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	winupdate.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

winupdate.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" winupdate.exe
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 2 IoCs

Processes:

tmp.exewinupdate.exe

pid process

1620 tmp.exe
1936 winupdate.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winupdate.exe

pid	process
1620	tmp.exe
1936	winupdate.exe

Loads dropped DLL 6 IoCs

Processes:

965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exetmp.exewinupdate.exe

pid	process
1920	965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe
1920	965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe
1620	tmp.exe
1936	winupdate.exe
1936	winupdate.exe
1936	winupdate.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

winupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winupdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exenotepad.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\Windows Update\\winupdate.exe"	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\Windows Update\\winupdate.exe"	notepad.exe

Drops file in Windows directory 4 IoCs

Processes:

tmp.exenotepad.exe

description	ioc	process
File created	C:\Windows\Windows Update\winupdate.exe	tmp.exe
File opened for modification	C:\Windows\Windows Update\winupdate.exe	tmp.exe
File opened for modification	C:\Windows\Windows Update\	tmp.exe
File created	C:\Windows\Windows Update\winupdate.exe	notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winupdate.exe

pid process

1936 winupdate.exe

pid	process
1936	winupdate.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

tmp.exewinupdate.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1620	tmp.exe
Token: SeSecurityPrivilege	1620	tmp.exe
Token: SeTakeOwnershipPrivilege	1620	tmp.exe
Token: SeLoadDriverPrivilege	1620	tmp.exe
Token: SeSystemProfilePrivilege	1620	tmp.exe
Token: SeSystemtimePrivilege	1620	tmp.exe
Token: SeProfSingleProcessPrivilege	1620	tmp.exe
Token: SeIncBasePriorityPrivilege	1620	tmp.exe
Token: SeCreatePagefilePrivilege	1620	tmp.exe
Token: SeBackupPrivilege	1620	tmp.exe
Token: SeRestorePrivilege	1620	tmp.exe
Token: SeShutdownPrivilege	1620	tmp.exe
Token: SeDebugPrivilege	1620	tmp.exe
Token: SeSystemEnvironmentPrivilege	1620	tmp.exe
Token: SeChangeNotifyPrivilege	1620	tmp.exe
Token: SeRemoteShutdownPrivilege	1620	tmp.exe
Token: SeUndockPrivilege	1620	tmp.exe
Token: SeManageVolumePrivilege	1620	tmp.exe
Token: SeImpersonatePrivilege	1620	tmp.exe
Token: SeCreateGlobalPrivilege	1620	tmp.exe
Token: 33	1620	tmp.exe
Token: 34	1620	tmp.exe
Token: 35	1620	tmp.exe
Token: SeIncreaseQuotaPrivilege	1936	winupdate.exe
Token: SeSecurityPrivilege	1936	winupdate.exe
Token: SeTakeOwnershipPrivilege	1936	winupdate.exe
Token: SeLoadDriverPrivilege	1936	winupdate.exe
Token: SeSystemProfilePrivilege	1936	winupdate.exe
Token: SeSystemtimePrivilege	1936	winupdate.exe
Token: SeProfSingleProcessPrivilege	1936	winupdate.exe
Token: SeIncBasePriorityPrivilege	1936	winupdate.exe
Token: SeCreatePagefilePrivilege	1936	winupdate.exe
Token: SeBackupPrivilege	1936	winupdate.exe
Token: SeRestorePrivilege	1936	winupdate.exe
Token: SeShutdownPrivilege	1936	winupdate.exe
Token: SeDebugPrivilege	1936	winupdate.exe
Token: SeSystemEnvironmentPrivilege	1936	winupdate.exe
Token: SeChangeNotifyPrivilege	1936	winupdate.exe
Token: SeRemoteShutdownPrivilege	1936	winupdate.exe
Token: SeUndockPrivilege	1936	winupdate.exe
Token: SeManageVolumePrivilege	1936	winupdate.exe
Token: SeImpersonatePrivilege	1936	winupdate.exe
Token: SeCreateGlobalPrivilege	1936	winupdate.exe
Token: 33	1936	winupdate.exe
Token: 34	1936	winupdate.exe
Token: 35	1936	winupdate.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exewinupdate.exe

pid process

1920 965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe
1936 winupdate.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exetmp.exe

description	pid	process	target process
PID 1920 wrote to memory of 1620	1920	965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe	tmp.exe
PID 1920 wrote to memory of 1620	1920	965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe	tmp.exe
PID 1920 wrote to memory of 1620	1920	965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe	tmp.exe
PID 1920 wrote to memory of 1620	1920	965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe	tmp.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 740	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 268	1620	tmp.exe	attrib.exe
PID 1620 wrote to memory of 268	1620	tmp.exe	attrib.exe
PID 1620 wrote to memory of 268	1620	tmp.exe	attrib.exe
PID 1620 wrote to memory of 268	1620	tmp.exe	attrib.exe
PID 1620 wrote to memory of 996	1620	tmp.exe	attrib.exe
PID 1620 wrote to memory of 996	1620	tmp.exe	attrib.exe
PID 1620 wrote to memory of 996	1620	tmp.exe	attrib.exe
PID 1620 wrote to memory of 996	1620	tmp.exe	attrib.exe
PID 1620 wrote to memory of 1936	1620	tmp.exe	winupdate.exe
PID 1620 wrote to memory of 1936	1620	tmp.exe	winupdate.exe
PID 1620 wrote to memory of 1936	1620	tmp.exe	winupdate.exe
PID 1620 wrote to memory of 1936	1620	tmp.exe	winupdate.exe
PID 1620 wrote to memory of 1936	1620	tmp.exe	winupdate.exe
PID 1620 wrote to memory of 1936	1620	tmp.exe	winupdate.exe
PID 1620 wrote to memory of 1936	1620	tmp.exe	winupdate.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe
PID 1620 wrote to memory of 1628	1620	tmp.exe	notepad.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

winupdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	winupdate.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

268 attrib.exe
996 attrib.exe

pid	process
268	attrib.exe
996	attrib.exe

C:\Users\Admin\AppData\Local\Temp\965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe
"C:\Users\Admin\AppData\Local\Temp\965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:740

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\tmp.exe" +s +h
3⤵
- Views/modifies file attributes
PID:268

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Views/modifies file attributes
PID:996

C:\Windows\Windows Update\winupdate.exe
"C:\Windows\Windows Update\winupdate.exe"
3⤵
- Modifies firewall policy service
- Modifies security service
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1936

C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
3⤵
PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.exe
MD5
4d97a5d80be972483e90aa1e4f848347

SHA1
b127f774134b97aeb9f930a9179b08e36ad1a1b3

SHA256
f6a9004f6c7c09a92e209d5c2cb0c107be3aa4276207f504f9c9d577489788c2

SHA512
1b5afd2a8d121aaff0bfbbea28eed4f31be0e6fd15d4a817ea1e17082d52359f5ffb493d12bfd5587c36b3766a45eae9f4f6ab1eb1e1c177b4362a5dd1a8a7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
MD5
4d97a5d80be972483e90aa1e4f848347

SHA1
b127f774134b97aeb9f930a9179b08e36ad1a1b3

SHA256
f6a9004f6c7c09a92e209d5c2cb0c107be3aa4276207f504f9c9d577489788c2

SHA512
1b5afd2a8d121aaff0bfbbea28eed4f31be0e6fd15d4a817ea1e17082d52359f5ffb493d12bfd5587c36b3766a45eae9f4f6ab1eb1e1c177b4362a5dd1a8a7da

Download Submit
C:\Windows\Windows Update\winupdate.exe
MD5
4d97a5d80be972483e90aa1e4f848347

SHA1
b127f774134b97aeb9f930a9179b08e36ad1a1b3

SHA256
f6a9004f6c7c09a92e209d5c2cb0c107be3aa4276207f504f9c9d577489788c2

SHA512
1b5afd2a8d121aaff0bfbbea28eed4f31be0e6fd15d4a817ea1e17082d52359f5ffb493d12bfd5587c36b3766a45eae9f4f6ab1eb1e1c177b4362a5dd1a8a7da

Download Submit
C:\Windows\Windows Update\winupdate.exe
MD5
4d97a5d80be972483e90aa1e4f848347

SHA1
b127f774134b97aeb9f930a9179b08e36ad1a1b3

SHA256
f6a9004f6c7c09a92e209d5c2cb0c107be3aa4276207f504f9c9d577489788c2

SHA512
1b5afd2a8d121aaff0bfbbea28eed4f31be0e6fd15d4a817ea1e17082d52359f5ffb493d12bfd5587c36b3766a45eae9f4f6ab1eb1e1c177b4362a5dd1a8a7da

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
MD5
4d97a5d80be972483e90aa1e4f848347

SHA1
b127f774134b97aeb9f930a9179b08e36ad1a1b3

SHA256
f6a9004f6c7c09a92e209d5c2cb0c107be3aa4276207f504f9c9d577489788c2

SHA512
1b5afd2a8d121aaff0bfbbea28eed4f31be0e6fd15d4a817ea1e17082d52359f5ffb493d12bfd5587c36b3766a45eae9f4f6ab1eb1e1c177b4362a5dd1a8a7da

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
MD5
4d97a5d80be972483e90aa1e4f848347

SHA1
b127f774134b97aeb9f930a9179b08e36ad1a1b3

SHA256
f6a9004f6c7c09a92e209d5c2cb0c107be3aa4276207f504f9c9d577489788c2

SHA512
1b5afd2a8d121aaff0bfbbea28eed4f31be0e6fd15d4a817ea1e17082d52359f5ffb493d12bfd5587c36b3766a45eae9f4f6ab1eb1e1c177b4362a5dd1a8a7da

Download Submit
\Windows\Windows Update\winupdate.exe
MD5
4d97a5d80be972483e90aa1e4f848347

SHA1
b127f774134b97aeb9f930a9179b08e36ad1a1b3

SHA256
f6a9004f6c7c09a92e209d5c2cb0c107be3aa4276207f504f9c9d577489788c2

SHA512
1b5afd2a8d121aaff0bfbbea28eed4f31be0e6fd15d4a817ea1e17082d52359f5ffb493d12bfd5587c36b3766a45eae9f4f6ab1eb1e1c177b4362a5dd1a8a7da

Download Submit
\Windows\Windows Update\winupdate.exe
MD5
4d97a5d80be972483e90aa1e4f848347

SHA1
b127f774134b97aeb9f930a9179b08e36ad1a1b3

SHA256
f6a9004f6c7c09a92e209d5c2cb0c107be3aa4276207f504f9c9d577489788c2

SHA512
1b5afd2a8d121aaff0bfbbea28eed4f31be0e6fd15d4a817ea1e17082d52359f5ffb493d12bfd5587c36b3766a45eae9f4f6ab1eb1e1c177b4362a5dd1a8a7da

Download Submit
\Windows\Windows Update\winupdate.exe
MD5
4d97a5d80be972483e90aa1e4f848347

SHA1
b127f774134b97aeb9f930a9179b08e36ad1a1b3

SHA256
f6a9004f6c7c09a92e209d5c2cb0c107be3aa4276207f504f9c9d577489788c2

SHA512
1b5afd2a8d121aaff0bfbbea28eed4f31be0e6fd15d4a817ea1e17082d52359f5ffb493d12bfd5587c36b3766a45eae9f4f6ab1eb1e1c177b4362a5dd1a8a7da

Download Submit
\Windows\Windows Update\winupdate.exe
MD5
4d97a5d80be972483e90aa1e4f848347

SHA1
b127f774134b97aeb9f930a9179b08e36ad1a1b3

SHA256
f6a9004f6c7c09a92e209d5c2cb0c107be3aa4276207f504f9c9d577489788c2

SHA512
1b5afd2a8d121aaff0bfbbea28eed4f31be0e6fd15d4a817ea1e17082d52359f5ffb493d12bfd5587c36b3766a45eae9f4f6ab1eb1e1c177b4362a5dd1a8a7da

Download Submit
memory/268-70-0x0000000000000000-mapping.dmp

Download
memory/740-73-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/740-69-0x0000000000000000-mapping.dmp

Download
memory/996-71-0x0000000000000000-mapping.dmp

Download
memory/1620-67-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1620-66-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/1620-64-0x0000000000000000-mapping.dmp

Download
memory/1628-76-0x0000000000000000-mapping.dmp

Download
memory/1628-81-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1936-75-0x0000000000000000-mapping.dmp

Download
memory/1936-85-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download