darkcomet | 5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea

General

Target

5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
Size

520KB
MD5

987a5d029c5c923724872bc013ba8eca
SHA1

97c2b943c9cd1625c273652f831860a72427bb5b
SHA256

5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea
SHA512

bdccf49488488b67025a2c8a4d48c4ca9180ac93c5e3b3564d0e25cf0fc895c5296d08cee8febf825de5af37c44032fe7bfd094ec0994628acad19a0f129619d

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4008 created 3636 4008 WerFault.exe ipconfig.exe
Executes dropped EXE 3 IoCs

Processes:

winupd.exewinupd.exewinupd.exe

pid process

2732 winupd.exe
3488 winupd.exe
3844 winupd.exe

description	pid	process	target process
PID 4008 created 3636	4008	WerFault.exe	ipconfig.exe

pid	process
2732	winupd.exe
3488	winupd.exe
3844	winupd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3844-133-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3844-139-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exewinupd.exe

description	pid	process	target process
PID 2160 set thread context of 2660	2160	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
PID 2732 set thread context of 3488	2732	winupd.exe	winupd.exe
PID 2732 set thread context of 3844	2732	winupd.exe	winupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4008 3636 WerFault.exe ipconfig.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3636 ipconfig.exe

pid	pid_target	process	target process
4008	3636	WerFault.exe	ipconfig.exe

pid	process
3636	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe
4008	WerFault.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

winupd.exeWerFault.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3844	winupd.exe
Token: SeSecurityPrivilege	3844	winupd.exe
Token: SeTakeOwnershipPrivilege	3844	winupd.exe
Token: SeLoadDriverPrivilege	3844	winupd.exe
Token: SeSystemProfilePrivilege	3844	winupd.exe
Token: SeSystemtimePrivilege	3844	winupd.exe
Token: SeProfSingleProcessPrivilege	3844	winupd.exe
Token: SeIncBasePriorityPrivilege	3844	winupd.exe
Token: SeCreatePagefilePrivilege	3844	winupd.exe
Token: SeBackupPrivilege	3844	winupd.exe
Token: SeRestorePrivilege	3844	winupd.exe
Token: SeShutdownPrivilege	3844	winupd.exe
Token: SeDebugPrivilege	3844	winupd.exe
Token: SeSystemEnvironmentPrivilege	3844	winupd.exe
Token: SeChangeNotifyPrivilege	3844	winupd.exe
Token: SeRemoteShutdownPrivilege	3844	winupd.exe
Token: SeUndockPrivilege	3844	winupd.exe
Token: SeManageVolumePrivilege	3844	winupd.exe
Token: SeImpersonatePrivilege	3844	winupd.exe
Token: SeCreateGlobalPrivilege	3844	winupd.exe
Token: 33	3844	winupd.exe
Token: 34	3844	winupd.exe
Token: 35	3844	winupd.exe
Token: 36	3844	winupd.exe
Token: SeRestorePrivilege	4008	WerFault.exe
Token: SeBackupPrivilege	4008	WerFault.exe
Token: SeDebugPrivilege	4008	WerFault.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exewinupd.exewinupd.exewinupd.exe

pid	process
2160	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
2660	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
2732	winupd.exe
3488	winupd.exe
3844	winupd.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exewinupd.exewinupd.exe

description	pid	process	target process
PID 2160 wrote to memory of 2660	2160	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
PID 2160 wrote to memory of 2660	2160	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
PID 2160 wrote to memory of 2660	2160	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
PID 2160 wrote to memory of 2660	2160	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
PID 2160 wrote to memory of 2660	2160	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
PID 2160 wrote to memory of 2660	2160	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
PID 2160 wrote to memory of 2660	2160	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
PID 2160 wrote to memory of 2660	2160	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
PID 2660 wrote to memory of 2732	2660	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe	winupd.exe
PID 2660 wrote to memory of 2732	2660	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe	winupd.exe
PID 2660 wrote to memory of 2732	2660	5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe	winupd.exe
PID 2732 wrote to memory of 3488	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3488	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3488	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3488	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3488	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3488	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3488	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3488	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3844	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3844	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3844	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3844	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3844	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3844	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3844	2732	winupd.exe	winupd.exe
PID 2732 wrote to memory of 3844	2732	winupd.exe	winupd.exe
PID 3488 wrote to memory of 3636	3488	winupd.exe	ipconfig.exe
PID 3488 wrote to memory of 3636	3488	winupd.exe	ipconfig.exe
PID 3488 wrote to memory of 3636	3488	winupd.exe	ipconfig.exe
PID 3488 wrote to memory of 3636	3488	winupd.exe	ipconfig.exe
PID 3488 wrote to memory of 3636	3488	winupd.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
"C:\Users\Admin\AppData\Local\Temp\5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Local\Temp\5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
"C:\Users\Admin\AppData\Local\Temp\5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
5⤵
- Gathers network information
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 268
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
0b05ba1ca26b8f6316f5df8de9183d24

SHA1
269dcea4fb830c1a4b7a1a5aafd84377f58112d3

SHA256
406c29dad85429215dba37c02e99a0ed4998c1b3f9e989dbe6a59db24c812e29

SHA512
034e81d9beb5c5930de83396fd0ea9cd6734129f3605cf8b7e78a1187c2abb43f60c14014a80122a30718263b99b397fd3d32f1a0642b150e23e7db78f82af10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
0b05ba1ca26b8f6316f5df8de9183d24

SHA1
269dcea4fb830c1a4b7a1a5aafd84377f58112d3

SHA256
406c29dad85429215dba37c02e99a0ed4998c1b3f9e989dbe6a59db24c812e29

SHA512
034e81d9beb5c5930de83396fd0ea9cd6734129f3605cf8b7e78a1187c2abb43f60c14014a80122a30718263b99b397fd3d32f1a0642b150e23e7db78f82af10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
0b05ba1ca26b8f6316f5df8de9183d24

SHA1
269dcea4fb830c1a4b7a1a5aafd84377f58112d3

SHA256
406c29dad85429215dba37c02e99a0ed4998c1b3f9e989dbe6a59db24c812e29

SHA512
034e81d9beb5c5930de83396fd0ea9cd6734129f3605cf8b7e78a1187c2abb43f60c14014a80122a30718263b99b397fd3d32f1a0642b150e23e7db78f82af10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
0b05ba1ca26b8f6316f5df8de9183d24

SHA1
269dcea4fb830c1a4b7a1a5aafd84377f58112d3

SHA256
406c29dad85429215dba37c02e99a0ed4998c1b3f9e989dbe6a59db24c812e29

SHA512
034e81d9beb5c5930de83396fd0ea9cd6734129f3605cf8b7e78a1187c2abb43f60c14014a80122a30718263b99b397fd3d32f1a0642b150e23e7db78f82af10

Download Submit
memory/2160-127-0x0000000002230000-0x0000000002232000-memory.dmp

Filesize
8KB

Download
memory/2160-128-0x0000000002250000-0x0000000002252000-memory.dmp

Filesize
8KB

Download
memory/2160-126-0x00000000021E0000-0x00000000021E2000-memory.dmp

Filesize
8KB

Download
memory/2660-117-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2660-129-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2660-118-0x000000000040140C-mapping.dmp

Download
memory/2732-121-0x0000000000000000-mapping.dmp

Download
memory/3488-131-0x000000000040140C-mapping.dmp

Download
memory/3636-138-0x0000000000000000-mapping.dmp

Download
memory/3844-134-0x00000000004B5670-mapping.dmp

Download
memory/3844-133-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3844-139-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3844-140-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads