darkcomet | a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe

Analysis

max time kernel
148s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Size

1.5MB
MD5

d43b7ec61bb8240706fc6d978ac04fc2
SHA1

3f35a01efa6b58a0e9d6f8134760459b60372bcc
SHA256

a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe
SHA512

2afbab25c5933d8a168a49e707c34955bc2439fb253bc2b5ceab3db491562ca995a5ea9269022acd2ce019efda223fec5893884d1ad4dc43a07fee668c5a0198
SSDEEP

24576:5Z1xuVVjfFoynPaVBUR8f+kN10EB4JAcqMMcSTENKg1jqY498V:jQDgok30zBqBcRLtu8V

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 4 IoCs

Processes:

MC CRACK.EXEMINECRAFT CRACK.EXEMC CRACK.EXEMINECRAFT CRACK.EXE

pid process

888 MC CRACK.EXE
948 MINECRAFT CRACK.EXE
1332 MC CRACK.EXE
2032 MINECRAFT CRACK.EXE

pid	process
888	MC CRACK.EXE
948	MINECRAFT CRACK.EXE
1332	MC CRACK.EXE
2032	MINECRAFT CRACK.EXE

Loads dropped DLL 8 IoCs

Processes:

a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe

pid	process
1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exeMC CRACK.EXEMC CRACK.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeSecurityPrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeTakeOwnershipPrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeLoadDriverPrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeSystemProfilePrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeSystemtimePrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeProfSingleProcessPrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeIncBasePriorityPrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeCreatePagefilePrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeBackupPrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeRestorePrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeShutdownPrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeDebugPrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeSystemEnvironmentPrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeChangeNotifyPrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeRemoteShutdownPrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeUndockPrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeManageVolumePrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeImpersonatePrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeCreateGlobalPrivilege	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: 33	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: 34	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: 35	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeDebugPrivilege	888	MC CRACK.EXE
Token: SeDebugPrivilege	1332	MC CRACK.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exejavaw.exeMC CRACK.EXEMC CRACK.EXE

pid	process
1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
1756	javaw.exe
888	MC CRACK.EXE
1332	MC CRACK.EXE
1756	javaw.exe
1756	javaw.exe
1756	javaw.exe
1756	javaw.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exeMINECRAFT CRACK.EXE

description	pid	process	target process
PID 1760 wrote to memory of 888	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MC CRACK.EXE
PID 1760 wrote to memory of 888	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MC CRACK.EXE
PID 1760 wrote to memory of 888	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MC CRACK.EXE
PID 1760 wrote to memory of 888	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MC CRACK.EXE
PID 1760 wrote to memory of 948	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MINECRAFT CRACK.EXE
PID 1760 wrote to memory of 948	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MINECRAFT CRACK.EXE
PID 1760 wrote to memory of 948	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MINECRAFT CRACK.EXE
PID 1760 wrote to memory of 948	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MINECRAFT CRACK.EXE
PID 948 wrote to memory of 1756	948	MINECRAFT CRACK.EXE	javaw.exe
PID 948 wrote to memory of 1756	948	MINECRAFT CRACK.EXE	javaw.exe
PID 948 wrote to memory of 1756	948	MINECRAFT CRACK.EXE	javaw.exe
PID 948 wrote to memory of 1756	948	MINECRAFT CRACK.EXE	javaw.exe
PID 1760 wrote to memory of 1332	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MC CRACK.EXE
PID 1760 wrote to memory of 1332	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MC CRACK.EXE
PID 1760 wrote to memory of 1332	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MC CRACK.EXE
PID 1760 wrote to memory of 1332	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MC CRACK.EXE
PID 1760 wrote to memory of 2032	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MINECRAFT CRACK.EXE
PID 1760 wrote to memory of 2032	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MINECRAFT CRACK.EXE
PID 1760 wrote to memory of 2032	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MINECRAFT CRACK.EXE
PID 1760 wrote to memory of 2032	1760	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MINECRAFT CRACK.EXE

C:\Users\Admin\AppData\Local\Temp\a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
"C:\Users\Admin\AppData\Local\Temp\a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\MC CRACK.EXE
  "C:\Users\Admin\AppData\Local\Temp\MC CRACK.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:888
- C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE
  "C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1756
- C:\Users\Admin\AppData\Local\Temp\MC CRACK.EXE
  "C:\Users\Admin\AppData\Local\Temp\MC CRACK.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1332
- C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE
  "C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE"
  2⤵
  - Executes dropped EXE
  PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Log.txt

Filesize
31B

MD5
f1bc42b5eed872ee86c1c4525bcf91ba

SHA1
2393b34aa34145be0b5a1398ce1bbddfdf4a034a

SHA256
02dad639b90e801fec0755b901f7d7a71b7fb3599568e3c3d3305bd7936e5b1d

SHA512
b43dffa9b567736faed97f193eff30bff63fd301b6bc219846b82fa918498a816e38bba95c4a4a2f650b0743948dfda70a5d97aecde379d2f2dc1c19a7326b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\MC CRACK.EXE

Filesize
208KB

MD5
85105fa9d30c66263ccdf625a15eef8b

SHA1
33cbdf543c98c908bdf811de239357242bfbe62e

SHA256
681e4997c68c4eb7d44579037315f5f68e4aea57c663302307bf7eeea2b03f23

SHA512
79526f4a930022630f569cd877ac38da880c9d9a4f2b98f4f2a5aad7db3119da959a8b5b1691819c83e240ee8db52aebc40d4922959e47ac957a80c34f2b1302

Download Submit
C:\Users\Admin\AppData\Local\Temp\MC CRACK.EXE

Filesize
208KB

MD5
85105fa9d30c66263ccdf625a15eef8b

SHA1
33cbdf543c98c908bdf811de239357242bfbe62e

SHA256
681e4997c68c4eb7d44579037315f5f68e4aea57c663302307bf7eeea2b03f23

SHA512
79526f4a930022630f569cd877ac38da880c9d9a4f2b98f4f2a5aad7db3119da959a8b5b1691819c83e240ee8db52aebc40d4922959e47ac957a80c34f2b1302

Download Submit
C:\Users\Admin\AppData\Local\Temp\MC CRACK.EXE

Filesize
208KB

MD5
85105fa9d30c66263ccdf625a15eef8b

SHA1
33cbdf543c98c908bdf811de239357242bfbe62e

SHA256
681e4997c68c4eb7d44579037315f5f68e4aea57c663302307bf7eeea2b03f23

SHA512
79526f4a930022630f569cd877ac38da880c9d9a4f2b98f4f2a5aad7db3119da959a8b5b1691819c83e240ee8db52aebc40d4922959e47ac957a80c34f2b1302

Download Submit
C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE

Filesize
673KB

MD5
ef54695cf8333ddd53e987dbd573a47c

SHA1
3a023f9f9c83e7a4611f2c4c40ccae0eb840848c

SHA256
a9fcd0743832f054bed93f9d5b6863f42d5d4c43f905ef4c9ab67c5647a72ed2

SHA512
530345612d805f2b9c42a4fb199810c08a65ee8b820c805f5e20b9527acd239065d4133075325780b10ebbc443710b386c6d6e595762b0562f552d952e6b1d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE

Filesize
673KB

MD5
ef54695cf8333ddd53e987dbd573a47c

SHA1
3a023f9f9c83e7a4611f2c4c40ccae0eb840848c

SHA256
a9fcd0743832f054bed93f9d5b6863f42d5d4c43f905ef4c9ab67c5647a72ed2

SHA512
530345612d805f2b9c42a4fb199810c08a65ee8b820c805f5e20b9527acd239065d4133075325780b10ebbc443710b386c6d6e595762b0562f552d952e6b1d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE

Filesize
673KB

MD5
ef54695cf8333ddd53e987dbd573a47c

SHA1
3a023f9f9c83e7a4611f2c4c40ccae0eb840848c

SHA256
a9fcd0743832f054bed93f9d5b6863f42d5d4c43f905ef4c9ab67c5647a72ed2

SHA512
530345612d805f2b9c42a4fb199810c08a65ee8b820c805f5e20b9527acd239065d4133075325780b10ebbc443710b386c6d6e595762b0562f552d952e6b1d66

Download Submit
\Users\Admin\AppData\Local\Temp\MC CRACK.EXE

Filesize
208KB

MD5
85105fa9d30c66263ccdf625a15eef8b

SHA1
33cbdf543c98c908bdf811de239357242bfbe62e

SHA256
681e4997c68c4eb7d44579037315f5f68e4aea57c663302307bf7eeea2b03f23

SHA512
79526f4a930022630f569cd877ac38da880c9d9a4f2b98f4f2a5aad7db3119da959a8b5b1691819c83e240ee8db52aebc40d4922959e47ac957a80c34f2b1302

Download Submit
\Users\Admin\AppData\Local\Temp\MC CRACK.EXE

Filesize
208KB

MD5
85105fa9d30c66263ccdf625a15eef8b

SHA1
33cbdf543c98c908bdf811de239357242bfbe62e

SHA256
681e4997c68c4eb7d44579037315f5f68e4aea57c663302307bf7eeea2b03f23

SHA512
79526f4a930022630f569cd877ac38da880c9d9a4f2b98f4f2a5aad7db3119da959a8b5b1691819c83e240ee8db52aebc40d4922959e47ac957a80c34f2b1302

Download Submit
\Users\Admin\AppData\Local\Temp\MC CRACK.EXE

Filesize
208KB

MD5
85105fa9d30c66263ccdf625a15eef8b

SHA1
33cbdf543c98c908bdf811de239357242bfbe62e

SHA256
681e4997c68c4eb7d44579037315f5f68e4aea57c663302307bf7eeea2b03f23

SHA512
79526f4a930022630f569cd877ac38da880c9d9a4f2b98f4f2a5aad7db3119da959a8b5b1691819c83e240ee8db52aebc40d4922959e47ac957a80c34f2b1302

Download Submit
\Users\Admin\AppData\Local\Temp\MC CRACK.EXE

Filesize
208KB

MD5
85105fa9d30c66263ccdf625a15eef8b

SHA1
33cbdf543c98c908bdf811de239357242bfbe62e

SHA256
681e4997c68c4eb7d44579037315f5f68e4aea57c663302307bf7eeea2b03f23

SHA512
79526f4a930022630f569cd877ac38da880c9d9a4f2b98f4f2a5aad7db3119da959a8b5b1691819c83e240ee8db52aebc40d4922959e47ac957a80c34f2b1302

Download Submit
\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE

Filesize
673KB

MD5
ef54695cf8333ddd53e987dbd573a47c

SHA1
3a023f9f9c83e7a4611f2c4c40ccae0eb840848c

SHA256
a9fcd0743832f054bed93f9d5b6863f42d5d4c43f905ef4c9ab67c5647a72ed2

SHA512
530345612d805f2b9c42a4fb199810c08a65ee8b820c805f5e20b9527acd239065d4133075325780b10ebbc443710b386c6d6e595762b0562f552d952e6b1d66

Download Submit
\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE

Filesize
673KB

MD5
ef54695cf8333ddd53e987dbd573a47c

SHA1
3a023f9f9c83e7a4611f2c4c40ccae0eb840848c

SHA256
a9fcd0743832f054bed93f9d5b6863f42d5d4c43f905ef4c9ab67c5647a72ed2

SHA512
530345612d805f2b9c42a4fb199810c08a65ee8b820c805f5e20b9527acd239065d4133075325780b10ebbc443710b386c6d6e595762b0562f552d952e6b1d66

Download Submit
\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE

Filesize
673KB

MD5
ef54695cf8333ddd53e987dbd573a47c

SHA1
3a023f9f9c83e7a4611f2c4c40ccae0eb840848c

SHA256
a9fcd0743832f054bed93f9d5b6863f42d5d4c43f905ef4c9ab67c5647a72ed2

SHA512
530345612d805f2b9c42a4fb199810c08a65ee8b820c805f5e20b9527acd239065d4133075325780b10ebbc443710b386c6d6e595762b0562f552d952e6b1d66

Download Submit
\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE

Filesize
673KB

MD5
ef54695cf8333ddd53e987dbd573a47c

SHA1
3a023f9f9c83e7a4611f2c4c40ccae0eb840848c

SHA256
a9fcd0743832f054bed93f9d5b6863f42d5d4c43f905ef4c9ab67c5647a72ed2

SHA512
530345612d805f2b9c42a4fb199810c08a65ee8b820c805f5e20b9527acd239065d4133075325780b10ebbc443710b386c6d6e595762b0562f552d952e6b1d66

Download Submit
memory/888-89-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/888-99-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/888-57-0x0000000000000000-mapping.dmp

Download
memory/948-61-0x0000000000000000-mapping.dmp

Download
memory/1332-73-0x0000000000000000-mapping.dmp

Download
memory/1332-101-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/1332-93-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-92-0x00000000021B0000-0x00000000051B0000-memory.dmp

Filesize
48.0MB

Download
memory/1756-65-0x0000000000000000-mapping.dmp

Download
memory/1756-95-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/1756-96-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/1756-66-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1756-100-0x00000000021B0000-0x00000000051B0000-memory.dmp

Filesize
48.0MB

Download
memory/1756-102-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/1760-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/2032-77-0x0000000000000000-mapping.dmp

Download