darkcomet | 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9

General

Target

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
Size

520KB
MD5

d683b4b96582e58a06ddc15284ea35c8
SHA1

2a9902159d8dabec02f9ee13e791fa298290fc81
SHA256

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9
SHA512

a56674362d15ed66335b0a54449a658503a4346e58a066197c5665ab48da952b3c8bd3dc49cd0dee30b04208e7f97085ae74e332499f307700353de298331a19

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3872 created 3228 3872 WerFault.exe ipconfig.exe
Executes dropped EXE 3 IoCs

Processes:

winupd.exewinupd.exewinupd.exe

pid process

2884 winupd.exe
816 winupd.exe
3888 winupd.exe

description	pid	process	target process
PID 3872 created 3228	3872	WerFault.exe	ipconfig.exe

pid	process
2884	winupd.exe
816	winupd.exe
3888	winupd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3888-132-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3888-139-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exewinupd.exe

description	pid	process	target process
PID 912 set thread context of 3276	912	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 2884 set thread context of 816	2884	winupd.exe	winupd.exe
PID 2884 set thread context of 3888	2884	winupd.exe	winupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3872 3228 WerFault.exe ipconfig.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3228 ipconfig.exe

pid	pid_target	process	target process
3872	3228	WerFault.exe	ipconfig.exe

pid	process
3228	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe
3872	WerFault.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

winupd.exeWerFault.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3888	winupd.exe
Token: SeSecurityPrivilege	3888	winupd.exe
Token: SeTakeOwnershipPrivilege	3888	winupd.exe
Token: SeLoadDriverPrivilege	3888	winupd.exe
Token: SeSystemProfilePrivilege	3888	winupd.exe
Token: SeSystemtimePrivilege	3888	winupd.exe
Token: SeProfSingleProcessPrivilege	3888	winupd.exe
Token: SeIncBasePriorityPrivilege	3888	winupd.exe
Token: SeCreatePagefilePrivilege	3888	winupd.exe
Token: SeBackupPrivilege	3888	winupd.exe
Token: SeRestorePrivilege	3888	winupd.exe
Token: SeShutdownPrivilege	3888	winupd.exe
Token: SeDebugPrivilege	3888	winupd.exe
Token: SeSystemEnvironmentPrivilege	3888	winupd.exe
Token: SeChangeNotifyPrivilege	3888	winupd.exe
Token: SeRemoteShutdownPrivilege	3888	winupd.exe
Token: SeUndockPrivilege	3888	winupd.exe
Token: SeManageVolumePrivilege	3888	winupd.exe
Token: SeImpersonatePrivilege	3888	winupd.exe
Token: SeCreateGlobalPrivilege	3888	winupd.exe
Token: 33	3888	winupd.exe
Token: 34	3888	winupd.exe
Token: 35	3888	winupd.exe
Token: 36	3888	winupd.exe
Token: SeRestorePrivilege	3872	WerFault.exe
Token: SeBackupPrivilege	3872	WerFault.exe
Token: SeDebugPrivilege	3872	WerFault.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exewinupd.exewinupd.exewinupd.exe

pid	process
912	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
3276	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
2884	winupd.exe
816	winupd.exe
3888	winupd.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exewinupd.exewinupd.exe

description	pid	process	target process
PID 912 wrote to memory of 3276	912	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 912 wrote to memory of 3276	912	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 912 wrote to memory of 3276	912	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 912 wrote to memory of 3276	912	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 912 wrote to memory of 3276	912	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 912 wrote to memory of 3276	912	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 912 wrote to memory of 3276	912	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 912 wrote to memory of 3276	912	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 3276 wrote to memory of 2884	3276	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	winupd.exe
PID 3276 wrote to memory of 2884	3276	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	winupd.exe
PID 3276 wrote to memory of 2884	3276	8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe	winupd.exe
PID 2884 wrote to memory of 816	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 816	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 816	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 816	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 816	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 816	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 816	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 816	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 3888	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 3888	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 3888	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 3888	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 3888	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 3888	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 3888	2884	winupd.exe	winupd.exe
PID 2884 wrote to memory of 3888	2884	winupd.exe	winupd.exe
PID 816 wrote to memory of 3228	816	winupd.exe	ipconfig.exe
PID 816 wrote to memory of 3228	816	winupd.exe	ipconfig.exe
PID 816 wrote to memory of 3228	816	winupd.exe	ipconfig.exe
PID 816 wrote to memory of 3228	816	winupd.exe	ipconfig.exe
PID 816 wrote to memory of 3228	816	winupd.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
"C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
"C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3276

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
5⤵
- Gathers network information
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 256
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
f6ed76809535eb35f20a4d92603a015c

SHA1
5d34945e8efbf966e83e109f4bfb17d35d8df0ba

SHA256
4fbaa52705410aa33e19e5ea07cee4babde6a2c725858ca36ca5645e9ed7a0d1

SHA512
86eb2b94b654b026e6f1511c634ec4397c74a5e12a3e8a197b783ad3a2dcfb018b8d7ad857297a9c32b0bf7037ed7b61a3f490f927a438f8e84f40fabc011667

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
f6ed76809535eb35f20a4d92603a015c

SHA1
5d34945e8efbf966e83e109f4bfb17d35d8df0ba

SHA256
4fbaa52705410aa33e19e5ea07cee4babde6a2c725858ca36ca5645e9ed7a0d1

SHA512
86eb2b94b654b026e6f1511c634ec4397c74a5e12a3e8a197b783ad3a2dcfb018b8d7ad857297a9c32b0bf7037ed7b61a3f490f927a438f8e84f40fabc011667

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
f6ed76809535eb35f20a4d92603a015c

SHA1
5d34945e8efbf966e83e109f4bfb17d35d8df0ba

SHA256
4fbaa52705410aa33e19e5ea07cee4babde6a2c725858ca36ca5645e9ed7a0d1

SHA512
86eb2b94b654b026e6f1511c634ec4397c74a5e12a3e8a197b783ad3a2dcfb018b8d7ad857297a9c32b0bf7037ed7b61a3f490f927a438f8e84f40fabc011667

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
f6ed76809535eb35f20a4d92603a015c

SHA1
5d34945e8efbf966e83e109f4bfb17d35d8df0ba

SHA256
4fbaa52705410aa33e19e5ea07cee4babde6a2c725858ca36ca5645e9ed7a0d1

SHA512
86eb2b94b654b026e6f1511c634ec4397c74a5e12a3e8a197b783ad3a2dcfb018b8d7ad857297a9c32b0bf7037ed7b61a3f490f927a438f8e84f40fabc011667

Download Submit
memory/816-130-0x000000000040140C-mapping.dmp

Download
memory/912-125-0x0000000000740000-0x0000000000742000-memory.dmp

Filesize
8KB

Download
memory/912-127-0x0000000002A60000-0x0000000002A62000-memory.dmp

Filesize
8KB

Download
memory/912-126-0x0000000002A50000-0x0000000002A52000-memory.dmp

Filesize
8KB

Download
memory/2884-133-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/2884-120-0x0000000000000000-mapping.dmp

Download
memory/3228-138-0x0000000000000000-mapping.dmp

Download
memory/3276-128-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3276-116-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3276-117-0x000000000040140C-mapping.dmp

Download
memory/3888-134-0x00000000004B5670-mapping.dmp

Download
memory/3888-132-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3888-139-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3888-140-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads