darkcomet | d58997e7440fa5314b8a3d2dface651186199e382c3b84afb67649c4baaa7b6f

General

Target

NEFT Payment Reciept.exe
Size

888KB
MD5

dbced1fec389e90c07221f2fd2c19c13
SHA1

1de2c803f3083941e39e0e5b7e6fe5cafa2c075b
SHA256

d58997e7440fa5314b8a3d2dface651186199e382c3b84afb67649c4baaa7b6f
SHA512

1f98b3027a7d2baf5225b7cd08aab33b5137eb54725aa15dd475b5c48be4ecfa2f3e459cb6b5431e53cc5a571d92a70b9b6471af30ece1bcbe0905f69d896cdf

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

cvcvsdf.execvcvsdf.exe

pid process

3620 cvcvsdf.exe
500 cvcvsdf.exe

pid	process
3620	cvcvsdf.exe
500	cvcvsdf.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/500-121-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/500-124-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

NEFT Payment Reciept.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	NEFT Payment Reciept.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	NEFT Payment Reciept.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cvcvsdf.exe

description pid process target process

PID 3620 set thread context of 500 3620 cvcvsdf.exe cvcvsdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3620 set thread context of 500	3620	cvcvsdf.exe	cvcvsdf.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

cvcvsdf.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	500	cvcvsdf.exe
Token: SeSecurityPrivilege	500	cvcvsdf.exe
Token: SeTakeOwnershipPrivilege	500	cvcvsdf.exe
Token: SeLoadDriverPrivilege	500	cvcvsdf.exe
Token: SeSystemProfilePrivilege	500	cvcvsdf.exe
Token: SeSystemtimePrivilege	500	cvcvsdf.exe
Token: SeProfSingleProcessPrivilege	500	cvcvsdf.exe
Token: SeIncBasePriorityPrivilege	500	cvcvsdf.exe
Token: SeCreatePagefilePrivilege	500	cvcvsdf.exe
Token: SeBackupPrivilege	500	cvcvsdf.exe
Token: SeRestorePrivilege	500	cvcvsdf.exe
Token: SeShutdownPrivilege	500	cvcvsdf.exe
Token: SeDebugPrivilege	500	cvcvsdf.exe
Token: SeSystemEnvironmentPrivilege	500	cvcvsdf.exe
Token: SeChangeNotifyPrivilege	500	cvcvsdf.exe
Token: SeRemoteShutdownPrivilege	500	cvcvsdf.exe
Token: SeUndockPrivilege	500	cvcvsdf.exe
Token: SeManageVolumePrivilege	500	cvcvsdf.exe
Token: SeImpersonatePrivilege	500	cvcvsdf.exe
Token: SeCreateGlobalPrivilege	500	cvcvsdf.exe
Token: 33	500	cvcvsdf.exe
Token: 34	500	cvcvsdf.exe
Token: 35	500	cvcvsdf.exe
Token: 36	500	cvcvsdf.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

NEFT Payment Reciept.execvcvsdf.execvcvsdf.exe

pid process

808 NEFT Payment Reciept.exe
3620 cvcvsdf.exe
500 cvcvsdf.exe

pid	process
808	NEFT Payment Reciept.exe
3620	cvcvsdf.exe
500	cvcvsdf.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

NEFT Payment Reciept.execvcvsdf.exe

description	pid	process	target process
PID 808 wrote to memory of 3620	808	NEFT Payment Reciept.exe	cvcvsdf.exe
PID 808 wrote to memory of 3620	808	NEFT Payment Reciept.exe	cvcvsdf.exe
PID 808 wrote to memory of 3620	808	NEFT Payment Reciept.exe	cvcvsdf.exe
PID 3620 wrote to memory of 500	3620	cvcvsdf.exe	cvcvsdf.exe
PID 3620 wrote to memory of 500	3620	cvcvsdf.exe	cvcvsdf.exe
PID 3620 wrote to memory of 500	3620	cvcvsdf.exe	cvcvsdf.exe
PID 3620 wrote to memory of 500	3620	cvcvsdf.exe	cvcvsdf.exe
PID 3620 wrote to memory of 500	3620	cvcvsdf.exe	cvcvsdf.exe
PID 3620 wrote to memory of 500	3620	cvcvsdf.exe	cvcvsdf.exe
PID 3620 wrote to memory of 500	3620	cvcvsdf.exe	cvcvsdf.exe
PID 3620 wrote to memory of 500	3620	cvcvsdf.exe	cvcvsdf.exe

C:\Users\Admin\AppData\Local\Temp\NEFT Payment Reciept.exe
"C:\Users\Admin\AppData\Local\Temp\NEFT Payment Reciept.exe"
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3620

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

MD5
dbced1fec389e90c07221f2fd2c19c13

SHA1
1de2c803f3083941e39e0e5b7e6fe5cafa2c075b

SHA256
d58997e7440fa5314b8a3d2dface651186199e382c3b84afb67649c4baaa7b6f

SHA512
1f98b3027a7d2baf5225b7cd08aab33b5137eb54725aa15dd475b5c48be4ecfa2f3e459cb6b5431e53cc5a571d92a70b9b6471af30ece1bcbe0905f69d896cdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

MD5
dbced1fec389e90c07221f2fd2c19c13

SHA1
1de2c803f3083941e39e0e5b7e6fe5cafa2c075b

SHA256
d58997e7440fa5314b8a3d2dface651186199e382c3b84afb67649c4baaa7b6f

SHA512
1f98b3027a7d2baf5225b7cd08aab33b5137eb54725aa15dd475b5c48be4ecfa2f3e459cb6b5431e53cc5a571d92a70b9b6471af30ece1bcbe0905f69d896cdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

MD5
dbced1fec389e90c07221f2fd2c19c13

SHA1
1de2c803f3083941e39e0e5b7e6fe5cafa2c075b

SHA256
d58997e7440fa5314b8a3d2dface651186199e382c3b84afb67649c4baaa7b6f

SHA512
1f98b3027a7d2baf5225b7cd08aab33b5137eb54725aa15dd475b5c48be4ecfa2f3e459cb6b5431e53cc5a571d92a70b9b6471af30ece1bcbe0905f69d896cdf

Download Submit
memory/500-122-0x00000000004B67C0-mapping.dmp

Download
memory/500-121-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/500-124-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/500-125-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/3620-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads