darkcomet | 345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2

General

Target

345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
Size

520KB
MD5

9dbffc041eb423abdbcc46e05d99899d
SHA1

9224ed9c8521441e787dd232e18e859c9d555e72
SHA256

345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2
SHA512

dc6d503da7c0f9ae66438fe8fd6edd83556109cdba643e050dbe51b0dd9aaf594e78eb7b97a7d3bf13a47ca7b12b7e2893bbca640365f93dd4288a13cebe8128

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

winupd.exewinupd.exewinupd.exe

pid process

1780 winupd.exe
740 winupd.exe
792 winupd.exe

pid	process
1780	winupd.exe
740	winupd.exe
792	winupd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/792-80-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/792-92-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe

pid	process
1708	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
1708	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winupd.exe -notray"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exewinupd.exe

description	pid	process	target process
PID 1100 set thread context of 1708	1100	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
PID 1780 set thread context of 740	1780	winupd.exe	winupd.exe
PID 1780 set thread context of 792	1780	winupd.exe	winupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1496 ipconfig.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1620 reg.exe

pid	process
1496	ipconfig.exe

pid	process
1620	reg.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

winupd.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	792	winupd.exe
Token: SeSecurityPrivilege	792	winupd.exe
Token: SeTakeOwnershipPrivilege	792	winupd.exe
Token: SeLoadDriverPrivilege	792	winupd.exe
Token: SeSystemProfilePrivilege	792	winupd.exe
Token: SeSystemtimePrivilege	792	winupd.exe
Token: SeProfSingleProcessPrivilege	792	winupd.exe
Token: SeIncBasePriorityPrivilege	792	winupd.exe
Token: SeCreatePagefilePrivilege	792	winupd.exe
Token: SeBackupPrivilege	792	winupd.exe
Token: SeRestorePrivilege	792	winupd.exe
Token: SeShutdownPrivilege	792	winupd.exe
Token: SeDebugPrivilege	792	winupd.exe
Token: SeSystemEnvironmentPrivilege	792	winupd.exe
Token: SeChangeNotifyPrivilege	792	winupd.exe
Token: SeRemoteShutdownPrivilege	792	winupd.exe
Token: SeUndockPrivilege	792	winupd.exe
Token: SeManageVolumePrivilege	792	winupd.exe
Token: SeImpersonatePrivilege	792	winupd.exe
Token: SeCreateGlobalPrivilege	792	winupd.exe
Token: 33	792	winupd.exe
Token: 34	792	winupd.exe
Token: 35	792	winupd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exewinupd.exewinupd.exewinupd.exe

pid	process
1100	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
1708	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
1780	winupd.exe
740	winupd.exe
792	winupd.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exewinupd.exewinupd.exeipconfig.execmd.exe

description	pid	process	target process
PID 1100 wrote to memory of 1708	1100	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
PID 1100 wrote to memory of 1708	1100	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
PID 1100 wrote to memory of 1708	1100	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
PID 1100 wrote to memory of 1708	1100	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
PID 1100 wrote to memory of 1708	1100	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
PID 1100 wrote to memory of 1708	1100	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
PID 1100 wrote to memory of 1708	1100	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
PID 1100 wrote to memory of 1708	1100	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
PID 1100 wrote to memory of 1708	1100	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
PID 1708 wrote to memory of 1780	1708	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe	winupd.exe
PID 1708 wrote to memory of 1780	1708	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe	winupd.exe
PID 1708 wrote to memory of 1780	1708	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe	winupd.exe
PID 1708 wrote to memory of 1780	1708	345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe	winupd.exe
PID 1780 wrote to memory of 740	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 740	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 740	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 740	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 740	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 740	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 740	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 740	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 740	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 792	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 792	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 792	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 792	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 792	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 792	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 792	1780	winupd.exe	winupd.exe
PID 1780 wrote to memory of 792	1780	winupd.exe	winupd.exe
PID 740 wrote to memory of 1496	740	winupd.exe	ipconfig.exe
PID 740 wrote to memory of 1496	740	winupd.exe	ipconfig.exe
PID 740 wrote to memory of 1496	740	winupd.exe	ipconfig.exe
PID 740 wrote to memory of 1496	740	winupd.exe	ipconfig.exe
PID 740 wrote to memory of 1496	740	winupd.exe	ipconfig.exe
PID 740 wrote to memory of 1496	740	winupd.exe	ipconfig.exe
PID 1496 wrote to memory of 108	1496	ipconfig.exe	cmd.exe
PID 1496 wrote to memory of 108	1496	ipconfig.exe	cmd.exe
PID 1496 wrote to memory of 108	1496	ipconfig.exe	cmd.exe
PID 1496 wrote to memory of 108	1496	ipconfig.exe	cmd.exe
PID 108 wrote to memory of 1620	108	cmd.exe	reg.exe
PID 108 wrote to memory of 1620	108	cmd.exe	reg.exe
PID 108 wrote to memory of 1620	108	cmd.exe	reg.exe
PID 108 wrote to memory of 1620	108	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
"C:\Users\Admin\AppData\Local\Temp\345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
"C:\Users\Admin\AppData\Local\Temp\345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
5⤵
- Gathers network information
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LDTCKUQL.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f
7⤵
- Adds Run key to start application
- Modifies registry key
PID:1620

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LDTCKUQL.bat
MD5
cac890d00365d07b9ca89def17cc3a36

SHA1
6fa99679ede791c16b5d3e6d243a98e8bbdb7eab

SHA256
4f98ddee89760080a5c8a93666d2f5c97be52b741265ef4d1ce9aaebf05f12da

SHA512
124dc0b18e13425bde43bcbbe2a99005928e398bffcb458d498aac9e754bc5b92b703270667800876c60b0801343f2de8c6b9a1eebafd80bb4f6d5dc295dd9f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
cffc725dd456fff9a1c8ef505f9711d0

SHA1
9a575172905abee540ca0ce34c4890786a014076

SHA256
64ca737ade5cde918881b6fc55c6931466e49efbaaa4d12118485189d4a4e2a0

SHA512
8d9f04536b6b82f5be8fe3037894a87e9954c8a7dc0e6be7ba1294bbca138e3bbcf82af6f6f31556fd305a88e9ebd00c31f1dfa4bb18d925a096d1397fee6aa8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
cffc725dd456fff9a1c8ef505f9711d0

SHA1
9a575172905abee540ca0ce34c4890786a014076

SHA256
64ca737ade5cde918881b6fc55c6931466e49efbaaa4d12118485189d4a4e2a0

SHA512
8d9f04536b6b82f5be8fe3037894a87e9954c8a7dc0e6be7ba1294bbca138e3bbcf82af6f6f31556fd305a88e9ebd00c31f1dfa4bb18d925a096d1397fee6aa8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
cffc725dd456fff9a1c8ef505f9711d0

SHA1
9a575172905abee540ca0ce34c4890786a014076

SHA256
64ca737ade5cde918881b6fc55c6931466e49efbaaa4d12118485189d4a4e2a0

SHA512
8d9f04536b6b82f5be8fe3037894a87e9954c8a7dc0e6be7ba1294bbca138e3bbcf82af6f6f31556fd305a88e9ebd00c31f1dfa4bb18d925a096d1397fee6aa8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
cffc725dd456fff9a1c8ef505f9711d0

SHA1
9a575172905abee540ca0ce34c4890786a014076

SHA256
64ca737ade5cde918881b6fc55c6931466e49efbaaa4d12118485189d4a4e2a0

SHA512
8d9f04536b6b82f5be8fe3037894a87e9954c8a7dc0e6be7ba1294bbca138e3bbcf82af6f6f31556fd305a88e9ebd00c31f1dfa4bb18d925a096d1397fee6aa8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
cffc725dd456fff9a1c8ef505f9711d0

SHA1
9a575172905abee540ca0ce34c4890786a014076

SHA256
64ca737ade5cde918881b6fc55c6931466e49efbaaa4d12118485189d4a4e2a0

SHA512
8d9f04536b6b82f5be8fe3037894a87e9954c8a7dc0e6be7ba1294bbca138e3bbcf82af6f6f31556fd305a88e9ebd00c31f1dfa4bb18d925a096d1397fee6aa8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
cffc725dd456fff9a1c8ef505f9711d0

SHA1
9a575172905abee540ca0ce34c4890786a014076

SHA256
64ca737ade5cde918881b6fc55c6931466e49efbaaa4d12118485189d4a4e2a0

SHA512
8d9f04536b6b82f5be8fe3037894a87e9954c8a7dc0e6be7ba1294bbca138e3bbcf82af6f6f31556fd305a88e9ebd00c31f1dfa4bb18d925a096d1397fee6aa8

Download Submit
memory/108-90-0x0000000000000000-mapping.dmp

Download
memory/740-78-0x000000000040140C-mapping.dmp

Download
memory/792-92-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/792-82-0x00000000004B5670-mapping.dmp

Download
memory/792-80-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/792-93-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1100-70-0x00000000022D0000-0x00000000022D2000-memory.dmp

Filesize
8KB

Download
memory/1100-67-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/1100-69-0x00000000004B0000-0x00000000004B2000-memory.dmp

Filesize
8KB

Download
memory/1496-87-0x0000000000000000-mapping.dmp

Download
memory/1620-91-0x0000000000000000-mapping.dmp

Download
memory/1708-63-0x000000000040140C-mapping.dmp

Download
memory/1708-62-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1708-66-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1780-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads