darkcomet | 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9

General

Target

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
Size

520KB
MD5

d683b4b96582e58a06ddc15284ea35c8
SHA1

2a9902159d8dabec02f9ee13e791fa298290fc81
SHA256

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9
SHA512

a56674362d15ed66335b0a54449a658503a4346e58a066197c5665ab48da952b3c8bd3dc49cd0dee30b04208e7f97085ae74e332499f307700353de298331a19

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

winupd.exewinupd.exewinupd.exe

pid process

1280 winupd.exe
1468 winupd.exe
2024 winupd.exe

pid	process
1280	winupd.exe
1468	winupd.exe
2024	winupd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2024-80-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2024-92-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe

pid	process
1260	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
1260	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winupd.exe -notray"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exewinupd.exe

description	pid	process	target process
PID 1120 set thread context of 1260	1120	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 1280 set thread context of 1468	1280	winupd.exe	winupd.exe
PID 1280 set thread context of 2024	1280	winupd.exe	winupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1944 ipconfig.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1728 reg.exe

pid	process
1944	ipconfig.exe

pid	process
1728	reg.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

winupd.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2024	winupd.exe
Token: SeSecurityPrivilege	2024	winupd.exe
Token: SeTakeOwnershipPrivilege	2024	winupd.exe
Token: SeLoadDriverPrivilege	2024	winupd.exe
Token: SeSystemProfilePrivilege	2024	winupd.exe
Token: SeSystemtimePrivilege	2024	winupd.exe
Token: SeProfSingleProcessPrivilege	2024	winupd.exe
Token: SeIncBasePriorityPrivilege	2024	winupd.exe
Token: SeCreatePagefilePrivilege	2024	winupd.exe
Token: SeBackupPrivilege	2024	winupd.exe
Token: SeRestorePrivilege	2024	winupd.exe
Token: SeShutdownPrivilege	2024	winupd.exe
Token: SeDebugPrivilege	2024	winupd.exe
Token: SeSystemEnvironmentPrivilege	2024	winupd.exe
Token: SeChangeNotifyPrivilege	2024	winupd.exe
Token: SeRemoteShutdownPrivilege	2024	winupd.exe
Token: SeUndockPrivilege	2024	winupd.exe
Token: SeManageVolumePrivilege	2024	winupd.exe
Token: SeImpersonatePrivilege	2024	winupd.exe
Token: SeCreateGlobalPrivilege	2024	winupd.exe
Token: 33	2024	winupd.exe
Token: 34	2024	winupd.exe
Token: 35	2024	winupd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exewinupd.exewinupd.exewinupd.exe

pid	process
1120	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
1260	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
1280	winupd.exe
1468	winupd.exe
2024	winupd.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exewinupd.exewinupd.exeipconfig.execmd.exe

description	pid	process	target process
PID 1120 wrote to memory of 1260	1120	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 1120 wrote to memory of 1260	1120	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 1120 wrote to memory of 1260	1120	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 1120 wrote to memory of 1260	1120	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 1120 wrote to memory of 1260	1120	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 1120 wrote to memory of 1260	1120	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 1120 wrote to memory of 1260	1120	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 1120 wrote to memory of 1260	1120	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 1120 wrote to memory of 1260	1120	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 1260 wrote to memory of 1280	1260	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	winupd.exe
PID 1260 wrote to memory of 1280	1260	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	winupd.exe
PID 1260 wrote to memory of 1280	1260	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	winupd.exe
PID 1260 wrote to memory of 1280	1260	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	winupd.exe
PID 1280 wrote to memory of 1468	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 1468	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 1468	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 1468	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 1468	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 1468	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 1468	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 1468	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 1468	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 2024	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 2024	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 2024	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 2024	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 2024	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 2024	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 2024	1280	winupd.exe	winupd.exe
PID 1280 wrote to memory of 2024	1280	winupd.exe	winupd.exe
PID 1468 wrote to memory of 1944	1468	winupd.exe	ipconfig.exe
PID 1468 wrote to memory of 1944	1468	winupd.exe	ipconfig.exe
PID 1468 wrote to memory of 1944	1468	winupd.exe	ipconfig.exe
PID 1468 wrote to memory of 1944	1468	winupd.exe	ipconfig.exe
PID 1468 wrote to memory of 1944	1468	winupd.exe	ipconfig.exe
PID 1468 wrote to memory of 1944	1468	winupd.exe	ipconfig.exe
PID 1944 wrote to memory of 688	1944	ipconfig.exe	cmd.exe
PID 1944 wrote to memory of 688	1944	ipconfig.exe	cmd.exe
PID 1944 wrote to memory of 688	1944	ipconfig.exe	cmd.exe
PID 1944 wrote to memory of 688	1944	ipconfig.exe	cmd.exe
PID 688 wrote to memory of 1728	688	cmd.exe	reg.exe
PID 688 wrote to memory of 1728	688	cmd.exe	reg.exe
PID 688 wrote to memory of 1728	688	cmd.exe	reg.exe
PID 688 wrote to memory of 1728	688	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
"C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
"C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
5⤵
- Gathers network information
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IKWWAXSR.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f
7⤵
- Adds Run key to start application
- Modifies registry key
PID:1728

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IKWWAXSR.bat
MD5
cac890d00365d07b9ca89def17cc3a36

SHA1
6fa99679ede791c16b5d3e6d243a98e8bbdb7eab

SHA256
4f98ddee89760080a5c8a93666d2f5c97be52b741265ef4d1ce9aaebf05f12da

SHA512
124dc0b18e13425bde43bcbbe2a99005928e398bffcb458d498aac9e754bc5b92b703270667800876c60b0801343f2de8c6b9a1eebafd80bb4f6d5dc295dd9f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
eacdad3dde7f8d5cec59a89d0c33d1fb

SHA1
b416e98080d6446d7d992f5393a00b18f0d40e8b

SHA256
1d45f420751541dc06a04de925c8336bb48665d83d089c5abab194460f810cb2

SHA512
52a211066237e8b1ed680cad751f5a18f35003011022739b477451489a8a3fbc8e496c12a30b41beb82fd7eed13db770779b65d319d614c4be92fe229985ef59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
eacdad3dde7f8d5cec59a89d0c33d1fb

SHA1
b416e98080d6446d7d992f5393a00b18f0d40e8b

SHA256
1d45f420751541dc06a04de925c8336bb48665d83d089c5abab194460f810cb2

SHA512
52a211066237e8b1ed680cad751f5a18f35003011022739b477451489a8a3fbc8e496c12a30b41beb82fd7eed13db770779b65d319d614c4be92fe229985ef59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
eacdad3dde7f8d5cec59a89d0c33d1fb

SHA1
b416e98080d6446d7d992f5393a00b18f0d40e8b

SHA256
1d45f420751541dc06a04de925c8336bb48665d83d089c5abab194460f810cb2

SHA512
52a211066237e8b1ed680cad751f5a18f35003011022739b477451489a8a3fbc8e496c12a30b41beb82fd7eed13db770779b65d319d614c4be92fe229985ef59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
eacdad3dde7f8d5cec59a89d0c33d1fb

SHA1
b416e98080d6446d7d992f5393a00b18f0d40e8b

SHA256
1d45f420751541dc06a04de925c8336bb48665d83d089c5abab194460f810cb2

SHA512
52a211066237e8b1ed680cad751f5a18f35003011022739b477451489a8a3fbc8e496c12a30b41beb82fd7eed13db770779b65d319d614c4be92fe229985ef59

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
eacdad3dde7f8d5cec59a89d0c33d1fb

SHA1
b416e98080d6446d7d992f5393a00b18f0d40e8b

SHA256
1d45f420751541dc06a04de925c8336bb48665d83d089c5abab194460f810cb2

SHA512
52a211066237e8b1ed680cad751f5a18f35003011022739b477451489a8a3fbc8e496c12a30b41beb82fd7eed13db770779b65d319d614c4be92fe229985ef59

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
eacdad3dde7f8d5cec59a89d0c33d1fb

SHA1
b416e98080d6446d7d992f5393a00b18f0d40e8b

SHA256
1d45f420751541dc06a04de925c8336bb48665d83d089c5abab194460f810cb2

SHA512
52a211066237e8b1ed680cad751f5a18f35003011022739b477451489a8a3fbc8e496c12a30b41beb82fd7eed13db770779b65d319d614c4be92fe229985ef59

Download Submit
memory/688-90-0x0000000000000000-mapping.dmp

Download
memory/1120-73-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/1120-74-0x0000000000370000-0x0000000000372000-memory.dmp

Filesize
8KB

Download
memory/1120-75-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/1260-62-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1260-63-0x000000000040140C-mapping.dmp

Download
memory/1260-66-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/1280-69-0x0000000000000000-mapping.dmp

Download
memory/1468-78-0x000000000040140C-mapping.dmp

Download
memory/1728-91-0x0000000000000000-mapping.dmp

Download
memory/1944-87-0x0000000000000000-mapping.dmp

Download
memory/2024-80-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2024-82-0x00000000004B5670-mapping.dmp

Download
memory/2024-93-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2024-92-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads