darkcomet | 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9

General

Target

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
Size

520KB
MD5

d683b4b96582e58a06ddc15284ea35c8
SHA1

2a9902159d8dabec02f9ee13e791fa298290fc81
SHA256

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9
SHA512

a56674362d15ed66335b0a54449a658503a4346e58a066197c5665ab48da952b3c8bd3dc49cd0dee30b04208e7f97085ae74e332499f307700353de298331a19

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1964 created 3624 1964 WerFault.exe ipconfig.exe
Executes dropped EXE 3 IoCs

Processes:

winupd.exewinupd.exewinupd.exe

pid process

3852 winupd.exe
416 winupd.exe
2416 winupd.exe

description	pid	process	target process
PID 1964 created 3624	1964	WerFault.exe	ipconfig.exe

pid	process
3852	winupd.exe
416	winupd.exe
2416	winupd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2416-132-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2416-139-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exewinupd.exe

description	pid	process	target process
PID 640 set thread context of 3108	640	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 3852 set thread context of 416	3852	winupd.exe	winupd.exe
PID 3852 set thread context of 2416	3852	winupd.exe	winupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1964 3624 WerFault.exe ipconfig.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3624 ipconfig.exe

pid	pid_target	process	target process
1964	3624	WerFault.exe	ipconfig.exe

pid	process
3624	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe
1964	WerFault.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

winupd.exeWerFault.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2416	winupd.exe
Token: SeSecurityPrivilege	2416	winupd.exe
Token: SeTakeOwnershipPrivilege	2416	winupd.exe
Token: SeLoadDriverPrivilege	2416	winupd.exe
Token: SeSystemProfilePrivilege	2416	winupd.exe
Token: SeSystemtimePrivilege	2416	winupd.exe
Token: SeProfSingleProcessPrivilege	2416	winupd.exe
Token: SeIncBasePriorityPrivilege	2416	winupd.exe
Token: SeCreatePagefilePrivilege	2416	winupd.exe
Token: SeBackupPrivilege	2416	winupd.exe
Token: SeRestorePrivilege	2416	winupd.exe
Token: SeShutdownPrivilege	2416	winupd.exe
Token: SeDebugPrivilege	2416	winupd.exe
Token: SeSystemEnvironmentPrivilege	2416	winupd.exe
Token: SeChangeNotifyPrivilege	2416	winupd.exe
Token: SeRemoteShutdownPrivilege	2416	winupd.exe
Token: SeUndockPrivilege	2416	winupd.exe
Token: SeManageVolumePrivilege	2416	winupd.exe
Token: SeImpersonatePrivilege	2416	winupd.exe
Token: SeCreateGlobalPrivilege	2416	winupd.exe
Token: 33	2416	winupd.exe
Token: 34	2416	winupd.exe
Token: 35	2416	winupd.exe
Token: 36	2416	winupd.exe
Token: SeRestorePrivilege	1964	WerFault.exe
Token: SeBackupPrivilege	1964	WerFault.exe
Token: SeDebugPrivilege	1964	WerFault.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exewinupd.exewinupd.exewinupd.exe

pid	process
640	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
3108	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
3852	winupd.exe
416	winupd.exe
2416	winupd.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exewinupd.exewinupd.exe

description	pid	process	target process
PID 640 wrote to memory of 3108	640	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 640 wrote to memory of 3108	640	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 640 wrote to memory of 3108	640	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 640 wrote to memory of 3108	640	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 640 wrote to memory of 3108	640	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 640 wrote to memory of 3108	640	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 640 wrote to memory of 3108	640	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 640 wrote to memory of 3108	640	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 3108 wrote to memory of 3852	3108	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	winupd.exe
PID 3108 wrote to memory of 3852	3108	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	winupd.exe
PID 3108 wrote to memory of 3852	3108	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	winupd.exe
PID 3852 wrote to memory of 416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 2416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 2416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 2416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 2416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 2416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 2416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 2416	3852	winupd.exe	winupd.exe
PID 3852 wrote to memory of 2416	3852	winupd.exe	winupd.exe
PID 416 wrote to memory of 3624	416	winupd.exe	ipconfig.exe
PID 416 wrote to memory of 3624	416	winupd.exe	ipconfig.exe
PID 416 wrote to memory of 3624	416	winupd.exe	ipconfig.exe
PID 416 wrote to memory of 3624	416	winupd.exe	ipconfig.exe
PID 416 wrote to memory of 3624	416	winupd.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
"C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
"C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3108

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3852

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
5⤵
- Gathers network information
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 256
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
07d01fdd5c10422bdeb5f58fc9cbae97

SHA1
9957a399cbdca3bc6326eb96ac78c0fbb637c0f7

SHA256
3f9f009d38cfd0b749c9da99521ff1be1314ba60d4289244466fc32345a94769

SHA512
293a79d91ae0cfa0810dbfeac881879fcdac3657a944a4e6a0f2ae175baa0ee245b72afad6a29b7151cf367d206361baa6ddd38760005ee34c4d7f91d54d276b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
07d01fdd5c10422bdeb5f58fc9cbae97

SHA1
9957a399cbdca3bc6326eb96ac78c0fbb637c0f7

SHA256
3f9f009d38cfd0b749c9da99521ff1be1314ba60d4289244466fc32345a94769

SHA512
293a79d91ae0cfa0810dbfeac881879fcdac3657a944a4e6a0f2ae175baa0ee245b72afad6a29b7151cf367d206361baa6ddd38760005ee34c4d7f91d54d276b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
07d01fdd5c10422bdeb5f58fc9cbae97

SHA1
9957a399cbdca3bc6326eb96ac78c0fbb637c0f7

SHA256
3f9f009d38cfd0b749c9da99521ff1be1314ba60d4289244466fc32345a94769

SHA512
293a79d91ae0cfa0810dbfeac881879fcdac3657a944a4e6a0f2ae175baa0ee245b72afad6a29b7151cf367d206361baa6ddd38760005ee34c4d7f91d54d276b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
07d01fdd5c10422bdeb5f58fc9cbae97

SHA1
9957a399cbdca3bc6326eb96ac78c0fbb637c0f7

SHA256
3f9f009d38cfd0b749c9da99521ff1be1314ba60d4289244466fc32345a94769

SHA512
293a79d91ae0cfa0810dbfeac881879fcdac3657a944a4e6a0f2ae175baa0ee245b72afad6a29b7151cf367d206361baa6ddd38760005ee34c4d7f91d54d276b

Download Submit
memory/416-130-0x000000000040140C-mapping.dmp

Download
memory/640-127-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/640-126-0x0000000002350000-0x0000000002352000-memory.dmp

Filesize
8KB

Download
memory/640-125-0x0000000002170000-0x0000000002172000-memory.dmp

Filesize
8KB

Download
memory/2416-132-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2416-133-0x00000000004B5670-mapping.dmp

Download
memory/2416-139-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2416-140-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3108-128-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3108-116-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3108-117-0x000000000040140C-mapping.dmp

Download
memory/3624-137-0x0000000000000000-mapping.dmp

Download
memory/3852-120-0x0000000000000000-mapping.dmp

Download
memory/3852-138-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads