darkcomet | 4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452

General

Target

4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
Size

439KB
MD5

7970df345b3ee305ac6b4b028ee1d552
SHA1

d0c2b3ae5b4fad875a24fb80786797366647151b
SHA256

4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452
SHA512

214c2dbb52d82aae810327e9f8d20594db3aa89fb1b2ae5d0d639a5a9cf554dc56dc1b8dd22a6d82b489cdd17345990519ec9deb12e9dda3e24c7843c5cb8f75

Score

10^/10

darkcomet guest16 rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

minsuport.duckdns.org:3333

Mutex

DC_MUTEX-TZSLN7R

Attributes

gencode
KexhufRKN03t
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4296-133-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4296-135-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4296-136-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4388-140-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4388-141-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4296-142-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4388-143-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4388-144-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4388-146-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scvshots.lnk	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe

description	pid	process	target process
PID 4180 set thread context of 4296	4180	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 4296 set thread context of 4388	4296	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeSecurityPrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeTakeOwnershipPrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeLoadDriverPrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeSystemProfilePrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeSystemtimePrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeProfSingleProcessPrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeIncBasePriorityPrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeCreatePagefilePrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeBackupPrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeRestorePrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeShutdownPrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeDebugPrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeSystemEnvironmentPrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeChangeNotifyPrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeRemoteShutdownPrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeUndockPrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeManageVolumePrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeImpersonatePrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: SeCreateGlobalPrivilege	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: 33	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: 34	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: 35	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
Token: 36	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE

pid	process
4180	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
4296	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE

description	pid	process	target process
PID 4180 wrote to memory of 4296	4180	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 4180 wrote to memory of 4296	4180	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 4180 wrote to memory of 4296	4180	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 4180 wrote to memory of 4296	4180	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 4180 wrote to memory of 4296	4180	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 4180 wrote to memory of 4296	4180	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 4180 wrote to memory of 4296	4180	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 4180 wrote to memory of 4296	4180	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
PID 4296 wrote to memory of 4388	4296	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 4296 wrote to memory of 4388	4296	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 4296 wrote to memory of 4388	4296	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 4296 wrote to memory of 4388	4296	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 4296 wrote to memory of 4388	4296	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 4296 wrote to memory of 4388	4296	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 4296 wrote to memory of 4388	4296	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 4296 wrote to memory of 4388	4296	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe
PID 4388 wrote to memory of 2968	4388	4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE	notepad.exe

C:\Users\Admin\AppData\Local\Temp\4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
"C:\Users\Admin\AppData\Local\Temp\4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\AppData\Local\Temp\4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe
"C:\Users\Admin\AppData\Local\Temp\4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4296

C:\Users\Admin\AppData\Local\Temp\4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE
"C:\Users\Admin\AppData\Local\Temp\4eb0e9fe8a9f823d5498797b99c0d7c21a2cc4cfdf7808560040b2116b9dd452.EXE"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:2968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2968-145-0x0000000000000000-mapping.dmp

Download
memory/4296-132-0x0000000000000000-mapping.dmp

Download
memory/4296-133-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4296-135-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4296-136-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4296-142-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4388-139-0x0000000000000000-mapping.dmp

Download
memory/4388-140-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4388-141-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4388-143-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4388-144-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4388-146-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads