darkcomet | c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded

General

Target

c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
Size

520KB
MD5

8cacb0a780eab8956b0d068f51f720d2
SHA1

f24f2b98db4bee8b0e5da51cb3d33ed6fd5c64c6
SHA256

c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded
SHA512

689e0c87bfff0698bf0fb88ee7129923ed619d6c1480d336f80e3de222e5f2f2ceb73ac3c50e456f7d8879e078868799cab7db30eafca89774c4bb0e0a5755b6

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 640 created 2844 640 WerFault.exe ipconfig.exe
Executes dropped EXE 3 IoCs

Processes:

winupd.exewinupd.exewinupd.exe

pid process

3064 winupd.exe
848 winupd.exe
804 winupd.exe

description	pid	process	target process
PID 640 created 2844	640	WerFault.exe	ipconfig.exe

pid	process
3064	winupd.exe
848	winupd.exe
804	winupd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/804-132-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/804-138-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exewinupd.exe

description	pid	process	target process
PID 856 set thread context of 2720	856	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 3064 set thread context of 848	3064	winupd.exe	winupd.exe
PID 3064 set thread context of 804	3064	winupd.exe	winupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

640 2844 WerFault.exe ipconfig.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2844 ipconfig.exe

pid	pid_target	process	target process
640	2844	WerFault.exe	ipconfig.exe

pid	process
2844	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe
640	WerFault.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

winupd.exeWerFault.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	804	winupd.exe
Token: SeSecurityPrivilege	804	winupd.exe
Token: SeTakeOwnershipPrivilege	804	winupd.exe
Token: SeLoadDriverPrivilege	804	winupd.exe
Token: SeSystemProfilePrivilege	804	winupd.exe
Token: SeSystemtimePrivilege	804	winupd.exe
Token: SeProfSingleProcessPrivilege	804	winupd.exe
Token: SeIncBasePriorityPrivilege	804	winupd.exe
Token: SeCreatePagefilePrivilege	804	winupd.exe
Token: SeBackupPrivilege	804	winupd.exe
Token: SeRestorePrivilege	804	winupd.exe
Token: SeShutdownPrivilege	804	winupd.exe
Token: SeDebugPrivilege	804	winupd.exe
Token: SeSystemEnvironmentPrivilege	804	winupd.exe
Token: SeChangeNotifyPrivilege	804	winupd.exe
Token: SeRemoteShutdownPrivilege	804	winupd.exe
Token: SeUndockPrivilege	804	winupd.exe
Token: SeManageVolumePrivilege	804	winupd.exe
Token: SeImpersonatePrivilege	804	winupd.exe
Token: SeCreateGlobalPrivilege	804	winupd.exe
Token: 33	804	winupd.exe
Token: 34	804	winupd.exe
Token: 35	804	winupd.exe
Token: 36	804	winupd.exe
Token: SeRestorePrivilege	640	WerFault.exe
Token: SeBackupPrivilege	640	WerFault.exe
Token: SeDebugPrivilege	640	WerFault.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exec68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exewinupd.exewinupd.exewinupd.exe

pid	process
856	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
2720	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
3064	winupd.exe
848	winupd.exe
804	winupd.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exec68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exewinupd.exewinupd.exe

description	pid	process	target process
PID 856 wrote to memory of 2720	856	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 856 wrote to memory of 2720	856	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 856 wrote to memory of 2720	856	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 856 wrote to memory of 2720	856	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 856 wrote to memory of 2720	856	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 856 wrote to memory of 2720	856	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 856 wrote to memory of 2720	856	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 856 wrote to memory of 2720	856	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
PID 2720 wrote to memory of 3064	2720	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	winupd.exe
PID 2720 wrote to memory of 3064	2720	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	winupd.exe
PID 2720 wrote to memory of 3064	2720	c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe	winupd.exe
PID 3064 wrote to memory of 848	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 848	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 848	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 848	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 848	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 848	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 848	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 848	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 804	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 804	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 804	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 804	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 804	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 804	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 804	3064	winupd.exe	winupd.exe
PID 3064 wrote to memory of 804	3064	winupd.exe	winupd.exe
PID 848 wrote to memory of 2844	848	winupd.exe	ipconfig.exe
PID 848 wrote to memory of 2844	848	winupd.exe	ipconfig.exe
PID 848 wrote to memory of 2844	848	winupd.exe	ipconfig.exe
PID 848 wrote to memory of 2844	848	winupd.exe	ipconfig.exe
PID 848 wrote to memory of 2844	848	winupd.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
"C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
"C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
5⤵
- Gathers network information
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 276
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
95e4be95a17419287e571bba390baa80

SHA1
c7179e5d14414ba2448c06fdb3f5dd3b3dd39dff

SHA256
a27452515b1bf848ff088adcaaf4347a555c65d7e2ed699f57e277196e58f4f2

SHA512
d58cd503e7206cb3eff423591db2d896c64568a7d5208dc80f2d399552c60360b144abf25a2296e8bc6d2fe27ecfb51064b7899a4d59724e37c14c0ed502d568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
95e4be95a17419287e571bba390baa80

SHA1
c7179e5d14414ba2448c06fdb3f5dd3b3dd39dff

SHA256
a27452515b1bf848ff088adcaaf4347a555c65d7e2ed699f57e277196e58f4f2

SHA512
d58cd503e7206cb3eff423591db2d896c64568a7d5208dc80f2d399552c60360b144abf25a2296e8bc6d2fe27ecfb51064b7899a4d59724e37c14c0ed502d568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
95e4be95a17419287e571bba390baa80

SHA1
c7179e5d14414ba2448c06fdb3f5dd3b3dd39dff

SHA256
a27452515b1bf848ff088adcaaf4347a555c65d7e2ed699f57e277196e58f4f2

SHA512
d58cd503e7206cb3eff423591db2d896c64568a7d5208dc80f2d399552c60360b144abf25a2296e8bc6d2fe27ecfb51064b7899a4d59724e37c14c0ed502d568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
95e4be95a17419287e571bba390baa80

SHA1
c7179e5d14414ba2448c06fdb3f5dd3b3dd39dff

SHA256
a27452515b1bf848ff088adcaaf4347a555c65d7e2ed699f57e277196e58f4f2

SHA512
d58cd503e7206cb3eff423591db2d896c64568a7d5208dc80f2d399552c60360b144abf25a2296e8bc6d2fe27ecfb51064b7899a4d59724e37c14c0ed502d568

Download Submit
memory/804-133-0x00000000004B5670-mapping.dmp

Download
memory/804-132-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/804-138-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/804-139-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/848-130-0x000000000040140C-mapping.dmp

Download
memory/856-125-0x00000000020E0000-0x00000000020E2000-memory.dmp

Filesize
8KB

Download
memory/856-126-0x0000000002AE0000-0x0000000002AE2000-memory.dmp

Filesize
8KB

Download
memory/856-127-0x0000000002AF0000-0x0000000002AF2000-memory.dmp

Filesize
8KB

Download
memory/2720-128-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2720-117-0x000000000040140C-mapping.dmp

Download
memory/2720-116-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2844-137-0x0000000000000000-mapping.dmp

Download
memory/3064-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads