darkcomet | 82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c

Analysis

max time kernel
151s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe
Size

1.6MB
MD5

eadb15713eac3cdd68ba2894159c712a
SHA1

5d5e3b7f6fb857962e4e0bae1621f92c6d079a5c
SHA256

82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c
SHA512

c361424c7fc256197857be6cb29527bb977dbb2a78e5ad84421f81becf973d2a70e26e7aa149706357b3c78457c09e7b91d72348bbc505b8fbf76e95e79c405b
SSDEEP

49152:Xz1Yx8+L3BF4oyfKjyecVkpmldm+kzTSC:XhW9K5ijypCpmi+kzTx

Score

10^/10

darkcomet newstub persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

newstub

warrior0007.no-ip.biz:1604

warrior0007.no-ip.biz:8027

Mutex

DC_MUTEX-WXZ81F5

Attributes

gencode
hea0E4tQnUVF
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 2 IoCs

pid	Process
1544	harmacrypter.exe
1536	Winupdate.exe

Loads dropped DLL 11 IoCs

pid	Process
1200	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe
1200	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe
1200	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe
1200	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe
1544	harmacrypter.exe
1544	harmacrypter.exe
1544	harmacrypter.exe
1544	harmacrypter.exe
1536	Winupdate.exe
1536	Winupdate.exe
1536	Winupdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\DC-START = "C:\\Program Files (x86)\\update3.exe"	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\harmacrypter.exe	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe
File created	\??\c:\windows\SysWOW64\__tmp_rar_sfx_access_check_7085206	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe
File created	\??\c:\windows\SysWOW64\harmacrypter.exe	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 1536	1544	harmacrypter.exe	28

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Winupdate.exe	harmacrypter.exe
File created	C:\Program Files (x86)\update3.exe	harmacrypter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1976	reg.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	harmacrypter.exe
Token: SeIncreaseQuotaPrivilege	1536	Winupdate.exe
Token: SeSecurityPrivilege	1536	Winupdate.exe
Token: SeTakeOwnershipPrivilege	1536	Winupdate.exe
Token: SeLoadDriverPrivilege	1536	Winupdate.exe
Token: SeSystemProfilePrivilege	1536	Winupdate.exe
Token: SeSystemtimePrivilege	1536	Winupdate.exe
Token: SeProfSingleProcessPrivilege	1536	Winupdate.exe
Token: SeIncBasePriorityPrivilege	1536	Winupdate.exe
Token: SeCreatePagefilePrivilege	1536	Winupdate.exe
Token: SeBackupPrivilege	1536	Winupdate.exe
Token: SeRestorePrivilege	1536	Winupdate.exe
Token: SeShutdownPrivilege	1536	Winupdate.exe
Token: SeDebugPrivilege	1536	Winupdate.exe
Token: SeSystemEnvironmentPrivilege	1536	Winupdate.exe
Token: SeChangeNotifyPrivilege	1536	Winupdate.exe
Token: SeRemoteShutdownPrivilege	1536	Winupdate.exe
Token: SeUndockPrivilege	1536	Winupdate.exe
Token: SeManageVolumePrivilege	1536	Winupdate.exe
Token: SeImpersonatePrivilege	1536	Winupdate.exe
Token: SeCreateGlobalPrivilege	1536	Winupdate.exe
Token: 33	1536	Winupdate.exe
Token: 34	1536	Winupdate.exe
Token: 35	1536	Winupdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1536	Winupdate.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1544	1200	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe	27
PID 1200 wrote to memory of 1544	1200	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe	27
PID 1200 wrote to memory of 1544	1200	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe	27
PID 1200 wrote to memory of 1544	1200	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe	27
PID 1200 wrote to memory of 1544	1200	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe	27
PID 1200 wrote to memory of 1544	1200	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe	27
PID 1200 wrote to memory of 1544	1200	82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe	27
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 1536	1544	harmacrypter.exe	28
PID 1544 wrote to memory of 884	1544	harmacrypter.exe	29
PID 1544 wrote to memory of 884	1544	harmacrypter.exe	29
PID 1544 wrote to memory of 884	1544	harmacrypter.exe	29
PID 1544 wrote to memory of 884	1544	harmacrypter.exe	29
PID 1544 wrote to memory of 884	1544	harmacrypter.exe	29
PID 1544 wrote to memory of 884	1544	harmacrypter.exe	29
PID 1544 wrote to memory of 884	1544	harmacrypter.exe	29
PID 884 wrote to memory of 1976	884	cmd.exe	31
PID 884 wrote to memory of 1976	884	cmd.exe	31
PID 884 wrote to memory of 1976	884	cmd.exe	31
PID 884 wrote to memory of 1976	884	cmd.exe	31
PID 884 wrote to memory of 1976	884	cmd.exe	31
PID 884 wrote to memory of 1976	884	cmd.exe	31
PID 884 wrote to memory of 1976	884	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe
"C:\Users\Admin\AppData\Local\Temp\82a2969365c75d03cb6b3915577d8d6417c4874ab3a51b5cd6ff3d2b6a28738c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1200
- C:\windows\SysWOW64\harmacrypter.exe
  "C:\windows\system32\harmacrypter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Program Files (x86)\Winupdate.exe
    "C:\Program Files (x86)\Winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "DC-START" /t REG_SZ /d "C:\Program Files (x86)\update3.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:884
  - - \??\c:\windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "DC-START" /t REG_SZ /d "C:\Program Files (x86)\update3.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Winupdate.exe

Filesize
5KB

MD5
5b639dfb68cf301e63bfe20ff138850f

SHA1
33338e04efe0034524296e09f311cbc558e1fc7a

SHA256
8abc68926d7fcb9ca7f12e813b82ad8e82f6a05a0cd9da5f37934a95ad6695f3

SHA512
b457bd1a8d5977caeaac752363d85f5f5d5edfd4a769b97ac1e77a1f6e28c70d344f960caea8d199a85ba13f4480c468a37d57c431ee0459afe0488f78f79c99

Download Submit
C:\Program Files (x86)\Winupdate.exe

Filesize
5KB

MD5
5b639dfb68cf301e63bfe20ff138850f

SHA1
33338e04efe0034524296e09f311cbc558e1fc7a

SHA256
8abc68926d7fcb9ca7f12e813b82ad8e82f6a05a0cd9da5f37934a95ad6695f3

SHA512
b457bd1a8d5977caeaac752363d85f5f5d5edfd4a769b97ac1e77a1f6e28c70d344f960caea8d199a85ba13f4480c468a37d57c431ee0459afe0488f78f79c99

Download Submit
C:\Windows\SysWOW64\harmacrypter.exe

Filesize
1.7MB

MD5
a368449eea721569ea57c0da914e94b9

SHA1
483015e89187decd3606d73bbff8204b4988acc1

SHA256
5069bee0a3f3bb347f77c2fb72e0eedd29563e557c915737eb5ba2dec76e294f

SHA512
ccc5f423dce867e155b53396915a2d0049ed4fe91376ae80cd90ed165a25ee958d573958823e65f4ad6a233a5612d42d7235966f1571910ad640af2cd77a3dc8

Download Submit
C:\windows\SysWOW64\harmacrypter.exe

Filesize
1.7MB

MD5
a368449eea721569ea57c0da914e94b9

SHA1
483015e89187decd3606d73bbff8204b4988acc1

SHA256
5069bee0a3f3bb347f77c2fb72e0eedd29563e557c915737eb5ba2dec76e294f

SHA512
ccc5f423dce867e155b53396915a2d0049ed4fe91376ae80cd90ed165a25ee958d573958823e65f4ad6a233a5612d42d7235966f1571910ad640af2cd77a3dc8

Download Submit
\Program Files (x86)\Winupdate.exe

Filesize
5KB

MD5
5b639dfb68cf301e63bfe20ff138850f

SHA1
33338e04efe0034524296e09f311cbc558e1fc7a

SHA256
8abc68926d7fcb9ca7f12e813b82ad8e82f6a05a0cd9da5f37934a95ad6695f3

SHA512
b457bd1a8d5977caeaac752363d85f5f5d5edfd4a769b97ac1e77a1f6e28c70d344f960caea8d199a85ba13f4480c468a37d57c431ee0459afe0488f78f79c99

Download Submit
\Program Files (x86)\Winupdate.exe

Filesize
5KB

MD5
5b639dfb68cf301e63bfe20ff138850f

SHA1
33338e04efe0034524296e09f311cbc558e1fc7a

SHA256
8abc68926d7fcb9ca7f12e813b82ad8e82f6a05a0cd9da5f37934a95ad6695f3

SHA512
b457bd1a8d5977caeaac752363d85f5f5d5edfd4a769b97ac1e77a1f6e28c70d344f960caea8d199a85ba13f4480c468a37d57c431ee0459afe0488f78f79c99

Download Submit
\Program Files (x86)\Winupdate.exe

Filesize
5KB

MD5
5b639dfb68cf301e63bfe20ff138850f

SHA1
33338e04efe0034524296e09f311cbc558e1fc7a

SHA256
8abc68926d7fcb9ca7f12e813b82ad8e82f6a05a0cd9da5f37934a95ad6695f3

SHA512
b457bd1a8d5977caeaac752363d85f5f5d5edfd4a769b97ac1e77a1f6e28c70d344f960caea8d199a85ba13f4480c468a37d57c431ee0459afe0488f78f79c99

Download Submit
\Program Files (x86)\Winupdate.exe

Filesize
5KB

MD5
5b639dfb68cf301e63bfe20ff138850f

SHA1
33338e04efe0034524296e09f311cbc558e1fc7a

SHA256
8abc68926d7fcb9ca7f12e813b82ad8e82f6a05a0cd9da5f37934a95ad6695f3

SHA512
b457bd1a8d5977caeaac752363d85f5f5d5edfd4a769b97ac1e77a1f6e28c70d344f960caea8d199a85ba13f4480c468a37d57c431ee0459afe0488f78f79c99

Download Submit
\Windows\SysWOW64\harmacrypter.exe

Filesize
1.7MB

MD5
a368449eea721569ea57c0da914e94b9

SHA1
483015e89187decd3606d73bbff8204b4988acc1

SHA256
5069bee0a3f3bb347f77c2fb72e0eedd29563e557c915737eb5ba2dec76e294f

SHA512
ccc5f423dce867e155b53396915a2d0049ed4fe91376ae80cd90ed165a25ee958d573958823e65f4ad6a233a5612d42d7235966f1571910ad640af2cd77a3dc8

Download Submit
\Windows\SysWOW64\harmacrypter.exe

Filesize
1.7MB

MD5
a368449eea721569ea57c0da914e94b9

SHA1
483015e89187decd3606d73bbff8204b4988acc1

SHA256
5069bee0a3f3bb347f77c2fb72e0eedd29563e557c915737eb5ba2dec76e294f

SHA512
ccc5f423dce867e155b53396915a2d0049ed4fe91376ae80cd90ed165a25ee958d573958823e65f4ad6a233a5612d42d7235966f1571910ad640af2cd77a3dc8

Download Submit
\Windows\SysWOW64\harmacrypter.exe

Filesize
1.7MB

MD5
a368449eea721569ea57c0da914e94b9

SHA1
483015e89187decd3606d73bbff8204b4988acc1

SHA256
5069bee0a3f3bb347f77c2fb72e0eedd29563e557c915737eb5ba2dec76e294f

SHA512
ccc5f423dce867e155b53396915a2d0049ed4fe91376ae80cd90ed165a25ee958d573958823e65f4ad6a233a5612d42d7235966f1571910ad640af2cd77a3dc8

Download Submit
\Windows\SysWOW64\harmacrypter.exe

Filesize
1.7MB

MD5
a368449eea721569ea57c0da914e94b9

SHA1
483015e89187decd3606d73bbff8204b4988acc1

SHA256
5069bee0a3f3bb347f77c2fb72e0eedd29563e557c915737eb5ba2dec76e294f

SHA512
ccc5f423dce867e155b53396915a2d0049ed4fe91376ae80cd90ed165a25ee958d573958823e65f4ad6a233a5612d42d7235966f1571910ad640af2cd77a3dc8

Download Submit
\Windows\SysWOW64\harmacrypter.exe

Filesize
1.7MB

MD5
a368449eea721569ea57c0da914e94b9

SHA1
483015e89187decd3606d73bbff8204b4988acc1

SHA256
5069bee0a3f3bb347f77c2fb72e0eedd29563e557c915737eb5ba2dec76e294f

SHA512
ccc5f423dce867e155b53396915a2d0049ed4fe91376ae80cd90ed165a25ee958d573958823e65f4ad6a233a5612d42d7235966f1571910ad640af2cd77a3dc8

Download Submit
\Windows\SysWOW64\harmacrypter.exe

Filesize
1.7MB

MD5
a368449eea721569ea57c0da914e94b9

SHA1
483015e89187decd3606d73bbff8204b4988acc1

SHA256
5069bee0a3f3bb347f77c2fb72e0eedd29563e557c915737eb5ba2dec76e294f

SHA512
ccc5f423dce867e155b53396915a2d0049ed4fe91376ae80cd90ed165a25ee958d573958823e65f4ad6a233a5612d42d7235966f1571910ad640af2cd77a3dc8

Download Submit
\Windows\SysWOW64\harmacrypter.exe

Filesize
1.7MB

MD5
a368449eea721569ea57c0da914e94b9

SHA1
483015e89187decd3606d73bbff8204b4988acc1

SHA256
5069bee0a3f3bb347f77c2fb72e0eedd29563e557c915737eb5ba2dec76e294f

SHA512
ccc5f423dce867e155b53396915a2d0049ed4fe91376ae80cd90ed165a25ee958d573958823e65f4ad6a233a5612d42d7235966f1571910ad640af2cd77a3dc8

Download Submit
memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1536-73-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1536-71-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1536-79-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1536-68-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1536-85-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1536-86-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1544-66-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/1544-82-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads