darkcomet | a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe

Analysis

max time kernel
42s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Size

1.5MB
MD5

d43b7ec61bb8240706fc6d978ac04fc2
SHA1

3f35a01efa6b58a0e9d6f8134760459b60372bcc
SHA256

a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe
SHA512

2afbab25c5933d8a168a49e707c34955bc2439fb253bc2b5ceab3db491562ca995a5ea9269022acd2ce019efda223fec5893884d1ad4dc43a07fee668c5a0198
SSDEEP

24576:5Z1xuVVjfFoynPaVBUR8f+kN10EB4JAcqMMcSTENKg1jqY498V:jQDgok30zBqBcRLtu8V

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 4 IoCs

Processes:

MC CRACK.EXEMINECRAFT CRACK.EXEMC CRACK.EXEMINECRAFT CRACK.EXE

pid process

5024 MC CRACK.EXE
4384 MINECRAFT CRACK.EXE
844 MC CRACK.EXE
900 MINECRAFT CRACK.EXE

pid	process
5024	MC CRACK.EXE
4384	MINECRAFT CRACK.EXE
844	MC CRACK.EXE
900	MINECRAFT CRACK.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

Processes:

javaw.exejavaw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	javaw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	javaw.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exeMC CRACK.EXEMC CRACK.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeSecurityPrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeTakeOwnershipPrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeLoadDriverPrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeSystemProfilePrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeSystemtimePrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeProfSingleProcessPrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeIncBasePriorityPrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeCreatePagefilePrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeBackupPrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeRestorePrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeShutdownPrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeDebugPrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeSystemEnvironmentPrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeChangeNotifyPrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeRemoteShutdownPrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeUndockPrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeManageVolumePrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeImpersonatePrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeCreateGlobalPrivilege	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: 33	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: 34	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: 35	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: 36	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
Token: SeDebugPrivilege	844	MC CRACK.EXE
Token: SeDebugPrivilege	5024	MC CRACK.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exeMC CRACK.EXEMC CRACK.EXEjavaw.exejavaw.exe

pid	process
4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
844	MC CRACK.EXE
5024	MC CRACK.EXE
4332	javaw.exe
3540	javaw.exe
3540	javaw.exe
4332	javaw.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exeMINECRAFT CRACK.EXEMINECRAFT CRACK.EXE

description	pid	process	target process
PID 4996 wrote to memory of 5024	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MC CRACK.EXE
PID 4996 wrote to memory of 5024	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MC CRACK.EXE
PID 4996 wrote to memory of 5024	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MC CRACK.EXE
PID 4996 wrote to memory of 4384	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MINECRAFT CRACK.EXE
PID 4996 wrote to memory of 4384	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MINECRAFT CRACK.EXE
PID 4996 wrote to memory of 4384	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MINECRAFT CRACK.EXE
PID 4384 wrote to memory of 3540	4384	MINECRAFT CRACK.EXE	javaw.exe
PID 4384 wrote to memory of 3540	4384	MINECRAFT CRACK.EXE	javaw.exe
PID 4996 wrote to memory of 844	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MC CRACK.EXE
PID 4996 wrote to memory of 844	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MC CRACK.EXE
PID 4996 wrote to memory of 844	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MC CRACK.EXE
PID 4996 wrote to memory of 900	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MINECRAFT CRACK.EXE
PID 4996 wrote to memory of 900	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MINECRAFT CRACK.EXE
PID 4996 wrote to memory of 900	4996	a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe	MINECRAFT CRACK.EXE
PID 900 wrote to memory of 4332	900	MINECRAFT CRACK.EXE	javaw.exe
PID 900 wrote to memory of 4332	900	MINECRAFT CRACK.EXE	javaw.exe

C:\Users\Admin\AppData\Local\Temp\a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe
"C:\Users\Admin\AppData\Local\Temp\a3e2aa19908dce9305812292b3e13c17f0c08d17b9150d169ef78a94ddfd94fe.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\MC CRACK.EXE
  "C:\Users\Admin\AppData\Local\Temp\MC CRACK.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5024
- C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE
  "C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE"
    3⤵
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3540
- C:\Users\Admin\AppData\Local\Temp\MC CRACK.EXE
  "C:\Users\Admin\AppData\Local\Temp\MC CRACK.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:844
- C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE
  "C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE"
    3⤵
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4332

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:4668

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
f72bbdda41e295e39be0924c1b5330a3

SHA1
cd85273c9b4d06a1a67f114d1851f54978ddc120

SHA256
494e119bd9722332a2dca3793b058b5f4c00a7054cb8decf71aa8b65e455139d

SHA512
0f2ef7a45713e4f06b241914ee43e2ba3d95b6aae45d3160993b4948d9d01eb40c5079b1c55f8c99f0eb20e25ae24faf5684894bce4c96160bbff25bca685051

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.txt

Filesize
31B

MD5
96cf226ea6ecf47cb397f954a0cb930d

SHA1
a6753bdafcb0f79236a915e7afc9bcc97b6fa395

SHA256
edb0f45dfd93a4d01469d71e6f3a94ab302fcec8aa4e81386e846b368c5b080c

SHA512
d0f8983fd4ffded324d0592d1f9c77a640d4bcdd24c690656ebc6f46ed7e4796e81a3093bb9e51955421db08a66c5d229dad49bdd75bb1135c36901f99ef004b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MC CRACK.EXE

Filesize
208KB

MD5
85105fa9d30c66263ccdf625a15eef8b

SHA1
33cbdf543c98c908bdf811de239357242bfbe62e

SHA256
681e4997c68c4eb7d44579037315f5f68e4aea57c663302307bf7eeea2b03f23

SHA512
79526f4a930022630f569cd877ac38da880c9d9a4f2b98f4f2a5aad7db3119da959a8b5b1691819c83e240ee8db52aebc40d4922959e47ac957a80c34f2b1302

Download Submit
C:\Users\Admin\AppData\Local\Temp\MC CRACK.EXE

Filesize
208KB

MD5
85105fa9d30c66263ccdf625a15eef8b

SHA1
33cbdf543c98c908bdf811de239357242bfbe62e

SHA256
681e4997c68c4eb7d44579037315f5f68e4aea57c663302307bf7eeea2b03f23

SHA512
79526f4a930022630f569cd877ac38da880c9d9a4f2b98f4f2a5aad7db3119da959a8b5b1691819c83e240ee8db52aebc40d4922959e47ac957a80c34f2b1302

Download Submit
C:\Users\Admin\AppData\Local\Temp\MC CRACK.EXE

Filesize
208KB

MD5
85105fa9d30c66263ccdf625a15eef8b

SHA1
33cbdf543c98c908bdf811de239357242bfbe62e

SHA256
681e4997c68c4eb7d44579037315f5f68e4aea57c663302307bf7eeea2b03f23

SHA512
79526f4a930022630f569cd877ac38da880c9d9a4f2b98f4f2a5aad7db3119da959a8b5b1691819c83e240ee8db52aebc40d4922959e47ac957a80c34f2b1302

Download Submit
C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE

Filesize
673KB

MD5
ef54695cf8333ddd53e987dbd573a47c

SHA1
3a023f9f9c83e7a4611f2c4c40ccae0eb840848c

SHA256
a9fcd0743832f054bed93f9d5b6863f42d5d4c43f905ef4c9ab67c5647a72ed2

SHA512
530345612d805f2b9c42a4fb199810c08a65ee8b820c805f5e20b9527acd239065d4133075325780b10ebbc443710b386c6d6e595762b0562f552d952e6b1d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE

Filesize
673KB

MD5
ef54695cf8333ddd53e987dbd573a47c

SHA1
3a023f9f9c83e7a4611f2c4c40ccae0eb840848c

SHA256
a9fcd0743832f054bed93f9d5b6863f42d5d4c43f905ef4c9ab67c5647a72ed2

SHA512
530345612d805f2b9c42a4fb199810c08a65ee8b820c805f5e20b9527acd239065d4133075325780b10ebbc443710b386c6d6e595762b0562f552d952e6b1d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\MINECRAFT CRACK.EXE

Filesize
673KB

MD5
ef54695cf8333ddd53e987dbd573a47c

SHA1
3a023f9f9c83e7a4611f2c4c40ccae0eb840848c

SHA256
a9fcd0743832f054bed93f9d5b6863f42d5d4c43f905ef4c9ab67c5647a72ed2

SHA512
530345612d805f2b9c42a4fb199810c08a65ee8b820c805f5e20b9527acd239065d4133075325780b10ebbc443710b386c6d6e595762b0562f552d952e6b1d66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\83aa4cc77f591dfc2374580bbd95f6ba_e32e1c79-b88e-4709-94fb-81034ca3398e

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\83aa4cc77f591dfc2374580bbd95f6ba_e32e1c79-b88e-4709-94fb-81034ca3398e

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/844-141-0x0000000000000000-mapping.dmp

Download
memory/844-151-0x0000000073900000-0x0000000073EB1000-memory.dmp

Filesize
5.7MB

Download
memory/900-143-0x0000000000000000-mapping.dmp

Download
memory/3540-138-0x0000000000000000-mapping.dmp

Download
memory/3540-152-0x00000000032E0000-0x00000000042E0000-memory.dmp

Filesize
16.0MB

Download
memory/3540-180-0x00000000032E0000-0x00000000042E0000-memory.dmp

Filesize
16.0MB

Download
memory/3540-185-0x00000000032E0000-0x00000000042E0000-memory.dmp

Filesize
16.0MB

Download
memory/3540-191-0x00000000032E0000-0x00000000042E0000-memory.dmp

Filesize
16.0MB

Download
memory/3540-193-0x00000000032E0000-0x00000000042E0000-memory.dmp

Filesize
16.0MB

Download
memory/4332-159-0x0000000002FB0000-0x0000000003FB0000-memory.dmp

Filesize
16.0MB

Download
memory/4332-145-0x0000000000000000-mapping.dmp

Download
memory/4332-189-0x0000000002FB0000-0x0000000003FB0000-memory.dmp

Filesize
16.0MB

Download
memory/4384-135-0x0000000000000000-mapping.dmp

Download
memory/5024-147-0x0000000073900000-0x0000000073EB1000-memory.dmp

Filesize
5.7MB

Download
memory/5024-132-0x0000000000000000-mapping.dmp

Download