darkcomet | 4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452

General

Target

4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
Size

439KB
MD5

7970df345b3ee305ac6b4b028ee1d552
SHA1

d0c2b3ae5b4fad875a24fb80786797366647151b
SHA256

4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452
SHA512

214c2dbb52d82aae810327e9f8d20594db3aa89fb1b2ae5d0d639a5a9cf554dc56dc1b8dd22a6d82b489cdd17345990519ec9deb12e9dda3e24c7843c5cb8f75

Score

10^/10

darkcomet guest16 rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

minsuport.duckdns.org:3333

Mutex

DC_MUTEX-TZSLN7R

Attributes

gencode
KexhufRKN03t
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/888-56-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/888-59-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/888-60-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1956-66-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1956-68-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1956-69-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1956-71-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/888-72-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1956-73-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1956-75-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1956-76-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1956-79-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvshots.lnk	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe

description	pid	process	target process
PID 1108 set thread context of 888	1108	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 888 set thread context of 1956	888	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeSecurityPrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeTakeOwnershipPrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeLoadDriverPrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeSystemProfilePrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeSystemtimePrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeProfSingleProcessPrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeIncBasePriorityPrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeCreatePagefilePrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeBackupPrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeRestorePrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeShutdownPrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeDebugPrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeSystemEnvironmentPrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeChangeNotifyPrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeRemoteShutdownPrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeUndockPrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeManageVolumePrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeImpersonatePrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeCreateGlobalPrivilege	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: 33	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: 34	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: 35	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE

pid	process
1108	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
888	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE

description	pid	process	target process
PID 1108 wrote to memory of 888	1108	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 1108 wrote to memory of 888	1108	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 1108 wrote to memory of 888	1108	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 1108 wrote to memory of 888	1108	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 1108 wrote to memory of 888	1108	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 1108 wrote to memory of 888	1108	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 1108 wrote to memory of 888	1108	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 1108 wrote to memory of 888	1108	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 1108 wrote to memory of 888	1108	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 888 wrote to memory of 1956	888	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 888 wrote to memory of 1956	888	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 888 wrote to memory of 1956	888	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 888 wrote to memory of 1956	888	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 888 wrote to memory of 1956	888	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 888 wrote to memory of 1956	888	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 888 wrote to memory of 1956	888	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 888 wrote to memory of 1956	888	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 1956 wrote to memory of 804	1956	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe

C:\Users\Admin\AppData\Local\Temp\4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
"C:\Users\Admin\AppData\Local\Temp\4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
"C:\Users\Admin\AppData\Local\Temp\4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Local\Temp\4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
"C:\Users\Admin\AppData\Local\Temp\4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-77-0x0000000000000000-mapping.dmp

Download
memory/888-57-0x0000000000409660-mapping.dmp

Download
memory/888-56-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/888-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/888-60-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/888-63-0x00000000762A1000-0x00000000762A3000-memory.dmp

Filesize
8KB

Download
memory/888-72-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1956-69-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1956-68-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1956-70-0x00000000004B5670-mapping.dmp

Download
memory/1956-71-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1956-66-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1956-73-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1956-75-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1956-76-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1956-65-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1956-79-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads