darkcomet | d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc

General

Target

d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
Size

521KB
MD5

395fa99254a783e8592dcecdaa465140
SHA1

587f1cc23c522eb2d0be6ab62a03bdd23df423a3
SHA256

d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc
SHA512

3095d3f673ffcaf69193189ebc159bccce4e0ed1a3d8188d5424ed0251bcf95ac3d7a9555e84dbcb52de37f234f568764737da2dab7f5ea56dbd9a553b95a235

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

winupd.exewinupd.exewinupd.exe

pid process

1920 winupd.exe
1376 winupd.exe
1620 winupd.exe

pid	process
1920	winupd.exe
1376	winupd.exe
1620	winupd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1620-80-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1620-92-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe

pid	process
1712	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
1712	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winupd.exe -notray"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exewinupd.exe

description	pid	process	target process
PID 1824 set thread context of 1712	1824	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
PID 1920 set thread context of 1376	1920	winupd.exe	winupd.exe
PID 1920 set thread context of 1620	1920	winupd.exe	winupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1740 ipconfig.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1104 reg.exe

pid	process
1740	ipconfig.exe

pid	process
1104	reg.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

winupd.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1620	winupd.exe
Token: SeSecurityPrivilege	1620	winupd.exe
Token: SeTakeOwnershipPrivilege	1620	winupd.exe
Token: SeLoadDriverPrivilege	1620	winupd.exe
Token: SeSystemProfilePrivilege	1620	winupd.exe
Token: SeSystemtimePrivilege	1620	winupd.exe
Token: SeProfSingleProcessPrivilege	1620	winupd.exe
Token: SeIncBasePriorityPrivilege	1620	winupd.exe
Token: SeCreatePagefilePrivilege	1620	winupd.exe
Token: SeBackupPrivilege	1620	winupd.exe
Token: SeRestorePrivilege	1620	winupd.exe
Token: SeShutdownPrivilege	1620	winupd.exe
Token: SeDebugPrivilege	1620	winupd.exe
Token: SeSystemEnvironmentPrivilege	1620	winupd.exe
Token: SeChangeNotifyPrivilege	1620	winupd.exe
Token: SeRemoteShutdownPrivilege	1620	winupd.exe
Token: SeUndockPrivilege	1620	winupd.exe
Token: SeManageVolumePrivilege	1620	winupd.exe
Token: SeImpersonatePrivilege	1620	winupd.exe
Token: SeCreateGlobalPrivilege	1620	winupd.exe
Token: 33	1620	winupd.exe
Token: 34	1620	winupd.exe
Token: 35	1620	winupd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exed33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exewinupd.exewinupd.exewinupd.exe

pid	process
1824	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
1712	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
1920	winupd.exe
1376	winupd.exe
1620	winupd.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exed33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exewinupd.exewinupd.exeipconfig.execmd.exe

description	pid	process	target process
PID 1824 wrote to memory of 1712	1824	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
PID 1824 wrote to memory of 1712	1824	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
PID 1824 wrote to memory of 1712	1824	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
PID 1824 wrote to memory of 1712	1824	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
PID 1824 wrote to memory of 1712	1824	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
PID 1824 wrote to memory of 1712	1824	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
PID 1824 wrote to memory of 1712	1824	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
PID 1824 wrote to memory of 1712	1824	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
PID 1824 wrote to memory of 1712	1824	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
PID 1712 wrote to memory of 1920	1712	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe	winupd.exe
PID 1712 wrote to memory of 1920	1712	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe	winupd.exe
PID 1712 wrote to memory of 1920	1712	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe	winupd.exe
PID 1712 wrote to memory of 1920	1712	d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe	winupd.exe
PID 1920 wrote to memory of 1376	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1376	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1376	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1376	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1376	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1376	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1376	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1376	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1376	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1620	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1620	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1620	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1620	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1620	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1620	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1620	1920	winupd.exe	winupd.exe
PID 1920 wrote to memory of 1620	1920	winupd.exe	winupd.exe
PID 1376 wrote to memory of 1740	1376	winupd.exe	ipconfig.exe
PID 1376 wrote to memory of 1740	1376	winupd.exe	ipconfig.exe
PID 1376 wrote to memory of 1740	1376	winupd.exe	ipconfig.exe
PID 1376 wrote to memory of 1740	1376	winupd.exe	ipconfig.exe
PID 1376 wrote to memory of 1740	1376	winupd.exe	ipconfig.exe
PID 1376 wrote to memory of 1740	1376	winupd.exe	ipconfig.exe
PID 1740 wrote to memory of 1644	1740	ipconfig.exe	cmd.exe
PID 1740 wrote to memory of 1644	1740	ipconfig.exe	cmd.exe
PID 1740 wrote to memory of 1644	1740	ipconfig.exe	cmd.exe
PID 1740 wrote to memory of 1644	1740	ipconfig.exe	cmd.exe
PID 1644 wrote to memory of 1104	1644	cmd.exe	reg.exe
PID 1644 wrote to memory of 1104	1644	cmd.exe	reg.exe
PID 1644 wrote to memory of 1104	1644	cmd.exe	reg.exe
PID 1644 wrote to memory of 1104	1644	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
"C:\Users\Admin\AppData\Local\Temp\d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
"C:\Users\Admin\AppData\Local\Temp\d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
5⤵
- Gathers network information
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FBXQVOEO.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f
7⤵
- Adds Run key to start application
- Modifies registry key
PID:1104

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FBXQVOEO.bat
MD5
cac890d00365d07b9ca89def17cc3a36

SHA1
6fa99679ede791c16b5d3e6d243a98e8bbdb7eab

SHA256
4f98ddee89760080a5c8a93666d2f5c97be52b741265ef4d1ce9aaebf05f12da

SHA512
124dc0b18e13425bde43bcbbe2a99005928e398bffcb458d498aac9e754bc5b92b703270667800876c60b0801343f2de8c6b9a1eebafd80bb4f6d5dc295dd9f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
809f77ef51fbf2da792a3448931a0472

SHA1
6eb9d5fd40dc7cdb93f7a3bc8224b28b4ab0819d

SHA256
7dc2613c48da5f4275c33507fcf7f31e2b5e3fa1b33f1f811125dab7273c0d15

SHA512
2ac3daaa3619da85d1cb859eb49ec2ad827434090458cdb7277fda6b3442ade934e597fc3dd246571049ca10ab9c57c94ba26d27b4037b988b37ca8ee655401d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
809f77ef51fbf2da792a3448931a0472

SHA1
6eb9d5fd40dc7cdb93f7a3bc8224b28b4ab0819d

SHA256
7dc2613c48da5f4275c33507fcf7f31e2b5e3fa1b33f1f811125dab7273c0d15

SHA512
2ac3daaa3619da85d1cb859eb49ec2ad827434090458cdb7277fda6b3442ade934e597fc3dd246571049ca10ab9c57c94ba26d27b4037b988b37ca8ee655401d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
809f77ef51fbf2da792a3448931a0472

SHA1
6eb9d5fd40dc7cdb93f7a3bc8224b28b4ab0819d

SHA256
7dc2613c48da5f4275c33507fcf7f31e2b5e3fa1b33f1f811125dab7273c0d15

SHA512
2ac3daaa3619da85d1cb859eb49ec2ad827434090458cdb7277fda6b3442ade934e597fc3dd246571049ca10ab9c57c94ba26d27b4037b988b37ca8ee655401d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
809f77ef51fbf2da792a3448931a0472

SHA1
6eb9d5fd40dc7cdb93f7a3bc8224b28b4ab0819d

SHA256
7dc2613c48da5f4275c33507fcf7f31e2b5e3fa1b33f1f811125dab7273c0d15

SHA512
2ac3daaa3619da85d1cb859eb49ec2ad827434090458cdb7277fda6b3442ade934e597fc3dd246571049ca10ab9c57c94ba26d27b4037b988b37ca8ee655401d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
809f77ef51fbf2da792a3448931a0472

SHA1
6eb9d5fd40dc7cdb93f7a3bc8224b28b4ab0819d

SHA256
7dc2613c48da5f4275c33507fcf7f31e2b5e3fa1b33f1f811125dab7273c0d15

SHA512
2ac3daaa3619da85d1cb859eb49ec2ad827434090458cdb7277fda6b3442ade934e597fc3dd246571049ca10ab9c57c94ba26d27b4037b988b37ca8ee655401d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
809f77ef51fbf2da792a3448931a0472

SHA1
6eb9d5fd40dc7cdb93f7a3bc8224b28b4ab0819d

SHA256
7dc2613c48da5f4275c33507fcf7f31e2b5e3fa1b33f1f811125dab7273c0d15

SHA512
2ac3daaa3619da85d1cb859eb49ec2ad827434090458cdb7277fda6b3442ade934e597fc3dd246571049ca10ab9c57c94ba26d27b4037b988b37ca8ee655401d

Download Submit
memory/1104-91-0x0000000000000000-mapping.dmp

Download
memory/1376-78-0x000000000040140C-mapping.dmp

Download
memory/1620-92-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1620-93-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1620-80-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1620-81-0x00000000004B5670-mapping.dmp

Download
memory/1644-90-0x0000000000000000-mapping.dmp

Download
memory/1712-62-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1712-63-0x000000000040140C-mapping.dmp

Download
memory/1712-66-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1740-87-0x0000000000000000-mapping.dmp

Download
memory/1824-67-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/1824-69-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/1824-70-0x0000000000390000-0x0000000000392000-memory.dmp

Filesize
8KB

Download
memory/1920-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads