darkcomet | 5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4

Analysis

max time kernel
90s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Size

247KB
MD5

a05a145d5eeba78711cc05105220bb1c
SHA1

b5e56980fee13249b443c13e414b508751a34337
SHA256

5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4
SHA512

53c8175581241f3918ed565f92e1d711ba5907698eabb3d96c8ebc0a61bf3c53d98a22d278b2cc18d85a3140bd94f2e6fbbb2cc0b1ba9e7f96052f3bd1f985a3
SSDEEP

6144:qFRaI2EqBP/WsZL1PgLl4w0AidVym0EnarUBYVsvyF:OR72EqluswR45JTnaEY2aF

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4568-132-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/4568-133-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Program crash 6 IoCs

pid	pid_target	Process	procid_target
368	4568	WerFault.exe	81
548	4568	WerFault.exe	81
2240	4568	WerFault.exe	81
2376	4812	WerFault.exe	88
1796	4812	WerFault.exe	88
3492	4812	WerFault.exe	88

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4568 set thread context of 4812	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe	88

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeSecurityPrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeTakeOwnershipPrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeLoadDriverPrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeSystemProfilePrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeSystemtimePrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeProfSingleProcessPrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeIncBasePriorityPrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeCreatePagefilePrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeBackupPrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeRestorePrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeShutdownPrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeDebugPrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeSystemEnvironmentPrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeChangeNotifyPrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeRemoteShutdownPrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeUndockPrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeManageVolumePrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeImpersonatePrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeCreateGlobalPrivilege	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: 33	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: 34	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: 35	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: 36	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
Token: SeIncreaseQuotaPrivilege	4812	iexplore.exe
Token: SeSecurityPrivilege	4812	iexplore.exe
Token: SeTakeOwnershipPrivilege	4812	iexplore.exe
Token: SeLoadDriverPrivilege	4812	iexplore.exe
Token: SeSystemProfilePrivilege	4812	iexplore.exe
Token: SeSystemtimePrivilege	4812	iexplore.exe
Token: SeProfSingleProcessPrivilege	4812	iexplore.exe
Token: SeIncBasePriorityPrivilege	4812	iexplore.exe
Token: SeCreatePagefilePrivilege	4812	iexplore.exe
Token: SeBackupPrivilege	4812	iexplore.exe
Token: SeRestorePrivilege	4812	iexplore.exe
Token: SeShutdownPrivilege	4812	iexplore.exe
Token: SeDebugPrivilege	4812	iexplore.exe
Token: SeSystemEnvironmentPrivilege	4812	iexplore.exe
Token: SeChangeNotifyPrivilege	4812	iexplore.exe
Token: SeRemoteShutdownPrivilege	4812	iexplore.exe
Token: SeUndockPrivilege	4812	iexplore.exe
Token: SeManageVolumePrivilege	4812	iexplore.exe
Token: SeImpersonatePrivilege	4812	iexplore.exe
Token: SeCreateGlobalPrivilege	4812	iexplore.exe
Token: 33	4812	iexplore.exe
Token: 34	4812	iexplore.exe
Token: 35	4812	iexplore.exe
Token: 36	4812	iexplore.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 4812	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe	88
PID 4568 wrote to memory of 4812	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe	88
PID 4568 wrote to memory of 4812	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe	88
PID 4568 wrote to memory of 4812	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe	88
PID 4568 wrote to memory of 4812	4568	5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe	88

C:\Users\Admin\AppData\Local\Temp\5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe
"C:\Users\Admin\AppData\Local\Temp\5c9b62c4105f8a41bead9339dcf40534e776a439d5cc59d6301a03bd48bc1eb4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 544
  2⤵
  - Program crash
  PID:368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 616
  2⤵
  - Program crash
  PID:548
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 552
    3⤵
    - Program crash
    PID:2376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 788
    3⤵
    - Program crash
    PID:1796
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 156
    3⤵
    - Program crash
    PID:3492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 144
  2⤵
  - Program crash
  PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4568 -ip 4568
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4568 -ip 4568
1⤵
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4568 -ip 4568
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4812 -ip 4812
1⤵
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4812 -ip 4812
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4812 -ip 4812
1⤵
PID:2008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4568-132-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4568-133-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download