darkcomet | 735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779

General

Target

735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
Size

520KB
MD5

2fc861e62742e8c9e534979d1aa3db9e
SHA1

195d8fcf006e93b5c46b3a4ce4d3d12d62818201
SHA256

735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779
SHA512

b299df8b0b18940f66e50ad17a30f779e2bbfd92781d7d9acc5d91522880b9d407a1d7952ebfdd92954df7187683e87b3eb81eb8d8a440d24cf39b0330039f62

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 992 created 1260 992 WerFault.exe ipconfig.exe
Executes dropped EXE 3 IoCs

Processes:

winupd.exewinupd.exewinupd.exe

pid process

2564 winupd.exe
4024 winupd.exe
3612 winupd.exe

description	pid	process	target process
PID 992 created 1260	992	WerFault.exe	ipconfig.exe

pid	process
2564	winupd.exe
4024	winupd.exe
3612	winupd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3612-133-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3612-139-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exewinupd.exe

description	pid	process	target process
PID 2068 set thread context of 3728	2068	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
PID 2564 set thread context of 4024	2564	winupd.exe	winupd.exe
PID 2564 set thread context of 3612	2564	winupd.exe	winupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

992 1260 WerFault.exe ipconfig.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1260 ipconfig.exe

pid	pid_target	process	target process
992	1260	WerFault.exe	ipconfig.exe

pid	process
1260	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe
992	WerFault.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

winupd.exeWerFault.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3612	winupd.exe
Token: SeSecurityPrivilege	3612	winupd.exe
Token: SeTakeOwnershipPrivilege	3612	winupd.exe
Token: SeLoadDriverPrivilege	3612	winupd.exe
Token: SeSystemProfilePrivilege	3612	winupd.exe
Token: SeSystemtimePrivilege	3612	winupd.exe
Token: SeProfSingleProcessPrivilege	3612	winupd.exe
Token: SeIncBasePriorityPrivilege	3612	winupd.exe
Token: SeCreatePagefilePrivilege	3612	winupd.exe
Token: SeBackupPrivilege	3612	winupd.exe
Token: SeRestorePrivilege	3612	winupd.exe
Token: SeShutdownPrivilege	3612	winupd.exe
Token: SeDebugPrivilege	3612	winupd.exe
Token: SeSystemEnvironmentPrivilege	3612	winupd.exe
Token: SeChangeNotifyPrivilege	3612	winupd.exe
Token: SeRemoteShutdownPrivilege	3612	winupd.exe
Token: SeUndockPrivilege	3612	winupd.exe
Token: SeManageVolumePrivilege	3612	winupd.exe
Token: SeImpersonatePrivilege	3612	winupd.exe
Token: SeCreateGlobalPrivilege	3612	winupd.exe
Token: 33	3612	winupd.exe
Token: 34	3612	winupd.exe
Token: 35	3612	winupd.exe
Token: 36	3612	winupd.exe
Token: SeRestorePrivilege	992	WerFault.exe
Token: SeBackupPrivilege	992	WerFault.exe
Token: SeDebugPrivilege	992	WerFault.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exewinupd.exewinupd.exewinupd.exe

pid	process
2068	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
3728	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
2564	winupd.exe
4024	winupd.exe
3612	winupd.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exewinupd.exewinupd.exe

description	pid	process	target process
PID 2068 wrote to memory of 3728	2068	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
PID 2068 wrote to memory of 3728	2068	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
PID 2068 wrote to memory of 3728	2068	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
PID 2068 wrote to memory of 3728	2068	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
PID 2068 wrote to memory of 3728	2068	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
PID 2068 wrote to memory of 3728	2068	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
PID 2068 wrote to memory of 3728	2068	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
PID 2068 wrote to memory of 3728	2068	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
PID 3728 wrote to memory of 2564	3728	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe	winupd.exe
PID 3728 wrote to memory of 2564	3728	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe	winupd.exe
PID 3728 wrote to memory of 2564	3728	735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe	winupd.exe
PID 2564 wrote to memory of 4024	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 4024	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 4024	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 4024	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 4024	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 4024	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 4024	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 4024	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 3612	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 3612	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 3612	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 3612	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 3612	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 3612	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 3612	2564	winupd.exe	winupd.exe
PID 2564 wrote to memory of 3612	2564	winupd.exe	winupd.exe
PID 4024 wrote to memory of 1260	4024	winupd.exe	ipconfig.exe
PID 4024 wrote to memory of 1260	4024	winupd.exe	ipconfig.exe
PID 4024 wrote to memory of 1260	4024	winupd.exe	ipconfig.exe
PID 4024 wrote to memory of 1260	4024	winupd.exe	ipconfig.exe
PID 4024 wrote to memory of 1260	4024	winupd.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
"C:\Users\Admin\AppData\Local\Temp\735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
"C:\Users\Admin\AppData\Local\Temp\735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3728

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
5⤵
- Gathers network information
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 192
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
9b5cd0481cee83e309fe3e7eeced58c1

SHA1
1ee3f4d5945a367268591ea02864b75f338ba7f1

SHA256
84a63a2fe40855eb9c22e0ab2128fcc0e34556305c094430d82f948064aa5052

SHA512
6416586fbb41a4a6d8bdaa945f2d3df6d02886a9d7ad9b4522ea0995719093cb2e0081c4a6bafa713d252c48337a8b0decf89970079fff002d2965121a182abb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
9b5cd0481cee83e309fe3e7eeced58c1

SHA1
1ee3f4d5945a367268591ea02864b75f338ba7f1

SHA256
84a63a2fe40855eb9c22e0ab2128fcc0e34556305c094430d82f948064aa5052

SHA512
6416586fbb41a4a6d8bdaa945f2d3df6d02886a9d7ad9b4522ea0995719093cb2e0081c4a6bafa713d252c48337a8b0decf89970079fff002d2965121a182abb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
9b5cd0481cee83e309fe3e7eeced58c1

SHA1
1ee3f4d5945a367268591ea02864b75f338ba7f1

SHA256
84a63a2fe40855eb9c22e0ab2128fcc0e34556305c094430d82f948064aa5052

SHA512
6416586fbb41a4a6d8bdaa945f2d3df6d02886a9d7ad9b4522ea0995719093cb2e0081c4a6bafa713d252c48337a8b0decf89970079fff002d2965121a182abb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5
9b5cd0481cee83e309fe3e7eeced58c1

SHA1
1ee3f4d5945a367268591ea02864b75f338ba7f1

SHA256
84a63a2fe40855eb9c22e0ab2128fcc0e34556305c094430d82f948064aa5052

SHA512
6416586fbb41a4a6d8bdaa945f2d3df6d02886a9d7ad9b4522ea0995719093cb2e0081c4a6bafa713d252c48337a8b0decf89970079fff002d2965121a182abb

Download Submit
memory/1260-138-0x0000000000000000-mapping.dmp

Download
memory/2068-127-0x0000000002230000-0x0000000002232000-memory.dmp

Filesize
8KB

Download
memory/2068-126-0x0000000000630000-0x0000000000632000-memory.dmp

Filesize
8KB

Download
memory/2068-128-0x0000000002240000-0x0000000002242000-memory.dmp

Filesize
8KB

Download
memory/2564-121-0x0000000000000000-mapping.dmp

Download
memory/3612-135-0x00000000004B5670-mapping.dmp

Download
memory/3612-133-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3612-139-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3612-140-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/3728-117-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3728-129-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3728-118-0x000000000040140C-mapping.dmp

Download
memory/4024-131-0x000000000040140C-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads