darkcomet | 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8

General

Target

02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
Size

520KB
MD5

642a19d61f9d148344d263180d4e386a
SHA1

e5005eab11acaec13e0c6a2af0744d99727b1d07
SHA256

02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8
SHA512

2a337f1910cf046e6b0964430b029a2213d9966f9208df3a9614bc178c6743b48401ea9ee87886b404131c50449f82abdb0796c6c5c3344c5186e5fd877b57db

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2020 created 3508 2020 WerFault.exe ipconfig.exe
Executes dropped EXE 3 IoCs

Processes:

winupd.exewinupd.exewinupd.exe

pid process

2592 winupd.exe
3032 winupd.exe
412 winupd.exe

description	pid	process	target process
PID 2020 created 3508	2020	WerFault.exe	ipconfig.exe

pid	process
2592	winupd.exe
3032	winupd.exe
412	winupd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/412-132-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/412-138-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exewinupd.exe

description	pid	process	target process
PID 644 set thread context of 2148	644	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
PID 2592 set thread context of 3032	2592	winupd.exe	winupd.exe
PID 2592 set thread context of 412	2592	winupd.exe	winupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2020 3508 WerFault.exe ipconfig.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3508 ipconfig.exe

pid	pid_target	process	target process
2020	3508	WerFault.exe	ipconfig.exe

pid	process
3508	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

winupd.exeWerFault.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	412	winupd.exe
Token: SeSecurityPrivilege	412	winupd.exe
Token: SeTakeOwnershipPrivilege	412	winupd.exe
Token: SeLoadDriverPrivilege	412	winupd.exe
Token: SeSystemProfilePrivilege	412	winupd.exe
Token: SeSystemtimePrivilege	412	winupd.exe
Token: SeProfSingleProcessPrivilege	412	winupd.exe
Token: SeIncBasePriorityPrivilege	412	winupd.exe
Token: SeCreatePagefilePrivilege	412	winupd.exe
Token: SeBackupPrivilege	412	winupd.exe
Token: SeRestorePrivilege	412	winupd.exe
Token: SeShutdownPrivilege	412	winupd.exe
Token: SeDebugPrivilege	412	winupd.exe
Token: SeSystemEnvironmentPrivilege	412	winupd.exe
Token: SeChangeNotifyPrivilege	412	winupd.exe
Token: SeRemoteShutdownPrivilege	412	winupd.exe
Token: SeUndockPrivilege	412	winupd.exe
Token: SeManageVolumePrivilege	412	winupd.exe
Token: SeImpersonatePrivilege	412	winupd.exe
Token: SeCreateGlobalPrivilege	412	winupd.exe
Token: 33	412	winupd.exe
Token: 34	412	winupd.exe
Token: 35	412	winupd.exe
Token: 36	412	winupd.exe
Token: SeRestorePrivilege	2020	WerFault.exe
Token: SeBackupPrivilege	2020	WerFault.exe
Token: SeDebugPrivilege	2020	WerFault.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exewinupd.exewinupd.exewinupd.exe

pid	process
644	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
2148	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
2592	winupd.exe
3032	winupd.exe
412	winupd.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exewinupd.exewinupd.exe

description	pid	process	target process
PID 644 wrote to memory of 2148	644	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
PID 644 wrote to memory of 2148	644	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
PID 644 wrote to memory of 2148	644	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
PID 644 wrote to memory of 2148	644	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
PID 644 wrote to memory of 2148	644	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
PID 644 wrote to memory of 2148	644	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
PID 644 wrote to memory of 2148	644	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
PID 644 wrote to memory of 2148	644	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
PID 2148 wrote to memory of 2592	2148	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe	winupd.exe
PID 2148 wrote to memory of 2592	2148	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe	winupd.exe
PID 2148 wrote to memory of 2592	2148	02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe	winupd.exe
PID 2592 wrote to memory of 3032	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 3032	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 3032	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 3032	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 3032	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 3032	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 3032	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 3032	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 412	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 412	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 412	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 412	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 412	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 412	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 412	2592	winupd.exe	winupd.exe
PID 2592 wrote to memory of 412	2592	winupd.exe	winupd.exe
PID 3032 wrote to memory of 3508	3032	winupd.exe	ipconfig.exe
PID 3032 wrote to memory of 3508	3032	winupd.exe	ipconfig.exe
PID 3032 wrote to memory of 3508	3032	winupd.exe	ipconfig.exe
PID 3032 wrote to memory of 3508	3032	winupd.exe	ipconfig.exe
PID 3032 wrote to memory of 3508	3032	winupd.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
"C:\Users\Admin\AppData\Local\Temp\02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
"C:\Users\Admin\AppData\Local\Temp\02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
5⤵
- Gathers network information
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 256
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
19a55bf0754e7db600de78ade37f14a7

SHA1
daa415378ca4e0d8d68a9dc9973044d08403bad8

SHA256
4e3af6649a7aa865527370f09b7fb3adbd5bea98bf41c7d464fb70757d088f97

SHA512
2b718606ee2bd2750f1ea70d1b41fcf668c092b71c2d051bfb1385bcc3d7732b225744a9bf4c2279671d554e6bacdeb4f56a9c7b02f7f7f66001db043976cce4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
19a55bf0754e7db600de78ade37f14a7

SHA1
daa415378ca4e0d8d68a9dc9973044d08403bad8

SHA256
4e3af6649a7aa865527370f09b7fb3adbd5bea98bf41c7d464fb70757d088f97

SHA512
2b718606ee2bd2750f1ea70d1b41fcf668c092b71c2d051bfb1385bcc3d7732b225744a9bf4c2279671d554e6bacdeb4f56a9c7b02f7f7f66001db043976cce4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
19a55bf0754e7db600de78ade37f14a7

SHA1
daa415378ca4e0d8d68a9dc9973044d08403bad8

SHA256
4e3af6649a7aa865527370f09b7fb3adbd5bea98bf41c7d464fb70757d088f97

SHA512
2b718606ee2bd2750f1ea70d1b41fcf668c092b71c2d051bfb1385bcc3d7732b225744a9bf4c2279671d554e6bacdeb4f56a9c7b02f7f7f66001db043976cce4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
19a55bf0754e7db600de78ade37f14a7

SHA1
daa415378ca4e0d8d68a9dc9973044d08403bad8

SHA256
4e3af6649a7aa865527370f09b7fb3adbd5bea98bf41c7d464fb70757d088f97

SHA512
2b718606ee2bd2750f1ea70d1b41fcf668c092b71c2d051bfb1385bcc3d7732b225744a9bf4c2279671d554e6bacdeb4f56a9c7b02f7f7f66001db043976cce4

Download Submit
memory/412-132-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/412-139-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/412-138-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/412-133-0x00000000004B5670-mapping.dmp

Download
memory/644-120-0x0000000002210000-0x0000000002212000-memory.dmp

Filesize
8KB

Download
memory/644-122-0x00000000022F0000-0x00000000022F2000-memory.dmp

Filesize
8KB

Download
memory/644-123-0x0000000002300000-0x0000000002302000-memory.dmp

Filesize
8KB

Download
memory/2148-126-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2148-116-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2148-117-0x000000000040140C-mapping.dmp

Download
memory/2592-121-0x0000000000000000-mapping.dmp

Download
memory/3032-130-0x000000000040140C-mapping.dmp

Download
memory/3508-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads