darkcomet | c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded

General

Target

c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
Size

520KB
MD5

8cacb0a780eab8956b0d068f51f720d2
SHA1

f24f2b98db4bee8b0e5da51cb3d33ed6fd5c64c6
SHA256

c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded
SHA512

689e0c87bfff0698bf0fb88ee7129923ed619d6c1480d336f80e3de222e5f2f2ceb73ac3c50e456f7d8879e078868799cab7db30eafca89774c4bb0e0a5755b6

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

winupd.exewinupd.exewinupd.exe

pid process

1176 winupd.exe
1600 winupd.exe
1652 winupd.exe

pid	process
1176	winupd.exe
1600	winupd.exe
1652	winupd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1652-74-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1652-83-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe

pid	process
1516	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
1516	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winupd.exe -notray"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exewinupd.exe

description	pid	process	target process
PID 1580 set thread context of 1516	1580	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 1176 set thread context of 1600	1176	winupd.exe	winupd.exe
PID 1176 set thread context of 1652	1176	winupd.exe	winupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1852 ipconfig.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1752 reg.exe

pid	process
1852	ipconfig.exe

pid	process
1752	reg.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

winupd.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1652	winupd.exe
Token: SeSecurityPrivilege	1652	winupd.exe
Token: SeTakeOwnershipPrivilege	1652	winupd.exe
Token: SeLoadDriverPrivilege	1652	winupd.exe
Token: SeSystemProfilePrivilege	1652	winupd.exe
Token: SeSystemtimePrivilege	1652	winupd.exe
Token: SeProfSingleProcessPrivilege	1652	winupd.exe
Token: SeIncBasePriorityPrivilege	1652	winupd.exe
Token: SeCreatePagefilePrivilege	1652	winupd.exe
Token: SeBackupPrivilege	1652	winupd.exe
Token: SeRestorePrivilege	1652	winupd.exe
Token: SeShutdownPrivilege	1652	winupd.exe
Token: SeDebugPrivilege	1652	winupd.exe
Token: SeSystemEnvironmentPrivilege	1652	winupd.exe
Token: SeChangeNotifyPrivilege	1652	winupd.exe
Token: SeRemoteShutdownPrivilege	1652	winupd.exe
Token: SeUndockPrivilege	1652	winupd.exe
Token: SeManageVolumePrivilege	1652	winupd.exe
Token: SeImpersonatePrivilege	1652	winupd.exe
Token: SeCreateGlobalPrivilege	1652	winupd.exe
Token: 33	1652	winupd.exe
Token: 34	1652	winupd.exe
Token: 35	1652	winupd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exec68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exewinupd.exewinupd.exewinupd.exe

pid	process
1580	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
1516	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
1176	winupd.exe
1600	winupd.exe
1652	winupd.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exec68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exewinupd.exewinupd.exeipconfig.execmd.exe

description	pid	process	target process
PID 1580 wrote to memory of 1516	1580	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 1580 wrote to memory of 1516	1580	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 1580 wrote to memory of 1516	1580	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 1580 wrote to memory of 1516	1580	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 1580 wrote to memory of 1516	1580	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 1580 wrote to memory of 1516	1580	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 1580 wrote to memory of 1516	1580	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 1580 wrote to memory of 1516	1580	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 1580 wrote to memory of 1516	1580	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 1516 wrote to memory of 1176	1516	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	winupd.exe
PID 1516 wrote to memory of 1176	1516	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	winupd.exe
PID 1516 wrote to memory of 1176	1516	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	winupd.exe
PID 1516 wrote to memory of 1176	1516	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	winupd.exe
PID 1176 wrote to memory of 1600	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1600	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1600	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1600	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1600	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1600	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1600	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1600	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1600	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1652	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1652	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1652	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1652	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1652	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1652	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1652	1176	winupd.exe	winupd.exe
PID 1176 wrote to memory of 1652	1176	winupd.exe	winupd.exe
PID 1600 wrote to memory of 1852	1600	winupd.exe	ipconfig.exe
PID 1600 wrote to memory of 1852	1600	winupd.exe	ipconfig.exe
PID 1600 wrote to memory of 1852	1600	winupd.exe	ipconfig.exe
PID 1600 wrote to memory of 1852	1600	winupd.exe	ipconfig.exe
PID 1600 wrote to memory of 1852	1600	winupd.exe	ipconfig.exe
PID 1600 wrote to memory of 1852	1600	winupd.exe	ipconfig.exe
PID 1852 wrote to memory of 1012	1852	ipconfig.exe	cmd.exe
PID 1852 wrote to memory of 1012	1852	ipconfig.exe	cmd.exe
PID 1852 wrote to memory of 1012	1852	ipconfig.exe	cmd.exe
PID 1852 wrote to memory of 1012	1852	ipconfig.exe	cmd.exe
PID 1012 wrote to memory of 1752	1012	cmd.exe	reg.exe
PID 1012 wrote to memory of 1752	1012	cmd.exe	reg.exe
PID 1012 wrote to memory of 1752	1012	cmd.exe	reg.exe
PID 1012 wrote to memory of 1752	1012	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
"C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
"C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
5⤵
- Gathers network information
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FBWPVNEO.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f
7⤵
- Adds Run key to start application
- Modifies registry key
PID:1752

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FBWPVNEO.bat
MD5
cac890d00365d07b9ca89def17cc3a36

SHA1
6fa99679ede791c16b5d3e6d243a98e8bbdb7eab

SHA256
4f98ddee89760080a5c8a93666d2f5c97be52b741265ef4d1ce9aaebf05f12da

SHA512
124dc0b18e13425bde43bcbbe2a99005928e398bffcb458d498aac9e754bc5b92b703270667800876c60b0801343f2de8c6b9a1eebafd80bb4f6d5dc295dd9f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
fb7eec42daceb4cbe5f5e87125e1d6cc

SHA1
7f8d7b6e01ef36a895806a892a7364a29f4498e7

SHA256
eb13f8b7d63ccef3caa34dba36ada9d036de8565f3a41f14b1ef38e583617c97

SHA512
58586297af07327e62514f85d6c94ab88fbe1b227c0e9378e3dd8a112b8ea7104983df4fc67f935248ac4d81276787defd75ab927d6b9385b7c6efce5b72aaa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
fb7eec42daceb4cbe5f5e87125e1d6cc

SHA1
7f8d7b6e01ef36a895806a892a7364a29f4498e7

SHA256
eb13f8b7d63ccef3caa34dba36ada9d036de8565f3a41f14b1ef38e583617c97

SHA512
58586297af07327e62514f85d6c94ab88fbe1b227c0e9378e3dd8a112b8ea7104983df4fc67f935248ac4d81276787defd75ab927d6b9385b7c6efce5b72aaa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
fb7eec42daceb4cbe5f5e87125e1d6cc

SHA1
7f8d7b6e01ef36a895806a892a7364a29f4498e7

SHA256
eb13f8b7d63ccef3caa34dba36ada9d036de8565f3a41f14b1ef38e583617c97

SHA512
58586297af07327e62514f85d6c94ab88fbe1b227c0e9378e3dd8a112b8ea7104983df4fc67f935248ac4d81276787defd75ab927d6b9385b7c6efce5b72aaa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
fb7eec42daceb4cbe5f5e87125e1d6cc

SHA1
7f8d7b6e01ef36a895806a892a7364a29f4498e7

SHA256
eb13f8b7d63ccef3caa34dba36ada9d036de8565f3a41f14b1ef38e583617c97

SHA512
58586297af07327e62514f85d6c94ab88fbe1b227c0e9378e3dd8a112b8ea7104983df4fc67f935248ac4d81276787defd75ab927d6b9385b7c6efce5b72aaa3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
fb7eec42daceb4cbe5f5e87125e1d6cc

SHA1
7f8d7b6e01ef36a895806a892a7364a29f4498e7

SHA256
eb13f8b7d63ccef3caa34dba36ada9d036de8565f3a41f14b1ef38e583617c97

SHA512
58586297af07327e62514f85d6c94ab88fbe1b227c0e9378e3dd8a112b8ea7104983df4fc67f935248ac4d81276787defd75ab927d6b9385b7c6efce5b72aaa3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
fb7eec42daceb4cbe5f5e87125e1d6cc

SHA1
7f8d7b6e01ef36a895806a892a7364a29f4498e7

SHA256
eb13f8b7d63ccef3caa34dba36ada9d036de8565f3a41f14b1ef38e583617c97

SHA512
58586297af07327e62514f85d6c94ab88fbe1b227c0e9378e3dd8a112b8ea7104983df4fc67f935248ac4d81276787defd75ab927d6b9385b7c6efce5b72aaa3

Download Submit
memory/1012-86-0x0000000000000000-mapping.dmp

Download
memory/1176-63-0x0000000000000000-mapping.dmp

Download
memory/1516-57-0x000000000040140C-mapping.dmp

Download
memory/1516-60-0x0000000076B61000-0x0000000076B63000-memory.dmp

Filesize
8KB

Download
memory/1516-56-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1580-67-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1580-68-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/1580-69-0x0000000001D00000-0x0000000001D02000-memory.dmp

Filesize
8KB

Download
memory/1600-72-0x000000000040140C-mapping.dmp

Download
memory/1652-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1652-83-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1652-84-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1652-75-0x00000000004B5670-mapping.dmp

Download
memory/1752-87-0x0000000000000000-mapping.dmp

Download
memory/1852-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads