darkcomet | bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af

General

Target

bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe
Size

331KB
MD5

eb2cc33b05f167b62155d3afdd33bca2
SHA1

884068cd29cc9ff4d8a1a1d898f5a868d547c334
SHA256

bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af
SHA512

9cc8623fcf7fc335e38b04f5aa84575f2467c0a5f0f731d1f17cca78fb6bca7d520affc3c0fe84e24610f80d13c1ed4a92201c5a305da89d60aebb088282d096
SSDEEP

6144:SM41YTICjnbHv1eNJa0rr7DxodlqFYZwfjJVYv0yGKb52Wf:SKjLv03aYDxodluYZw7JV+2Wf

Score

10^/10

darkcomet hawkeye keylogger persistence rat spyware stealer trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Executes dropped EXE 3 IoCs

Processes:

explorer.exesysglobl.exeiedvtool.exe

pid process

5108 explorer.exe
4868 sysglobl.exe
1960 iedvtool.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3632-140-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/3632-141-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/3632-142-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/3632-145-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/3632-144-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exeexplorer.exesysglobl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	sysglobl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sysglobl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\© Windows Live Messenger Music Status Plugin Module = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sysglobl.exe"	sysglobl.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

explorer.exeiedvtool.exe

description	pid	process	target process
PID 5108 set thread context of 3632	5108	explorer.exe	AppLaunch.exe
PID 1960 set thread context of 4104	1960	iedvtool.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exesysglobl.exeiedvtool.exe

pid	process
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
4868	sysglobl.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
5108	explorer.exe
1960	iedvtool.exe
1960	iedvtool.exe
5108	explorer.exe
1960	iedvtool.exe
5108	explorer.exe
1960	iedvtool.exe
1960	iedvtool.exe
1960	iedvtool.exe
5108	explorer.exe
5108	explorer.exe
1960	iedvtool.exe
1960	iedvtool.exe
5108	explorer.exe
5108	explorer.exe
1960	iedvtool.exe
1960	iedvtool.exe
5108	explorer.exe
5108	explorer.exe
1960	iedvtool.exe
1960	iedvtool.exe
5108	explorer.exe
5108	explorer.exe
1960	iedvtool.exe
5108	explorer.exe
1960	iedvtool.exe
5108	explorer.exe
5108	explorer.exe
1960	iedvtool.exe
1960	iedvtool.exe
5108	explorer.exe
1960	iedvtool.exe
1960	iedvtool.exe
5108	explorer.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exeexplorer.exeAppLaunch.exesysglobl.exeiedvtool.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4696	bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe
Token: SeDebugPrivilege	5108	explorer.exe
Token: SeIncreaseQuotaPrivilege	3632	AppLaunch.exe
Token: SeSecurityPrivilege	3632	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	3632	AppLaunch.exe
Token: SeLoadDriverPrivilege	3632	AppLaunch.exe
Token: SeSystemProfilePrivilege	3632	AppLaunch.exe
Token: SeSystemtimePrivilege	3632	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	3632	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	3632	AppLaunch.exe
Token: SeCreatePagefilePrivilege	3632	AppLaunch.exe
Token: SeBackupPrivilege	3632	AppLaunch.exe
Token: SeRestorePrivilege	3632	AppLaunch.exe
Token: SeShutdownPrivilege	3632	AppLaunch.exe
Token: SeDebugPrivilege	3632	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	3632	AppLaunch.exe
Token: SeChangeNotifyPrivilege	3632	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	3632	AppLaunch.exe
Token: SeUndockPrivilege	3632	AppLaunch.exe
Token: SeManageVolumePrivilege	3632	AppLaunch.exe
Token: SeImpersonatePrivilege	3632	AppLaunch.exe
Token: SeCreateGlobalPrivilege	3632	AppLaunch.exe
Token: 33	3632	AppLaunch.exe
Token: 34	3632	AppLaunch.exe
Token: 35	3632	AppLaunch.exe
Token: 36	3632	AppLaunch.exe
Token: SeDebugPrivilege	4868	sysglobl.exe
Token: SeDebugPrivilege	1960	iedvtool.exe
Token: SeIncreaseQuotaPrivilege	4104	AppLaunch.exe
Token: SeSecurityPrivilege	4104	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	4104	AppLaunch.exe
Token: SeLoadDriverPrivilege	4104	AppLaunch.exe
Token: SeSystemProfilePrivilege	4104	AppLaunch.exe
Token: SeSystemtimePrivilege	4104	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	4104	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	4104	AppLaunch.exe
Token: SeCreatePagefilePrivilege	4104	AppLaunch.exe
Token: SeBackupPrivilege	4104	AppLaunch.exe
Token: SeRestorePrivilege	4104	AppLaunch.exe
Token: SeShutdownPrivilege	4104	AppLaunch.exe
Token: SeDebugPrivilege	4104	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	4104	AppLaunch.exe
Token: SeChangeNotifyPrivilege	4104	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	4104	AppLaunch.exe
Token: SeUndockPrivilege	4104	AppLaunch.exe
Token: SeManageVolumePrivilege	4104	AppLaunch.exe
Token: SeImpersonatePrivilege	4104	AppLaunch.exe
Token: SeCreateGlobalPrivilege	4104	AppLaunch.exe
Token: 33	4104	AppLaunch.exe
Token: 34	4104	AppLaunch.exe
Token: 35	4104	AppLaunch.exe
Token: 36	4104	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AppLaunch.exe

pid process

3632 AppLaunch.exe

pid	process
3632	AppLaunch.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exeexplorer.exesysglobl.exeiedvtool.exe

description	pid	process	target process
PID 4696 wrote to memory of 5108	4696	bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe	explorer.exe
PID 4696 wrote to memory of 5108	4696	bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe	explorer.exe
PID 4696 wrote to memory of 5108	4696	bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe	explorer.exe
PID 5108 wrote to memory of 3632	5108	explorer.exe	AppLaunch.exe
PID 5108 wrote to memory of 3632	5108	explorer.exe	AppLaunch.exe
PID 5108 wrote to memory of 3632	5108	explorer.exe	AppLaunch.exe
PID 5108 wrote to memory of 3632	5108	explorer.exe	AppLaunch.exe
PID 5108 wrote to memory of 3632	5108	explorer.exe	AppLaunch.exe
PID 5108 wrote to memory of 3632	5108	explorer.exe	AppLaunch.exe
PID 5108 wrote to memory of 3632	5108	explorer.exe	AppLaunch.exe
PID 5108 wrote to memory of 3632	5108	explorer.exe	AppLaunch.exe
PID 5108 wrote to memory of 4868	5108	explorer.exe	sysglobl.exe
PID 5108 wrote to memory of 4868	5108	explorer.exe	sysglobl.exe
PID 5108 wrote to memory of 4868	5108	explorer.exe	sysglobl.exe
PID 4868 wrote to memory of 1960	4868	sysglobl.exe	iedvtool.exe
PID 4868 wrote to memory of 1960	4868	sysglobl.exe	iedvtool.exe
PID 4868 wrote to memory of 1960	4868	sysglobl.exe	iedvtool.exe
PID 1960 wrote to memory of 4104	1960	iedvtool.exe	AppLaunch.exe
PID 1960 wrote to memory of 4104	1960	iedvtool.exe	AppLaunch.exe
PID 1960 wrote to memory of 4104	1960	iedvtool.exe	AppLaunch.exe
PID 1960 wrote to memory of 4104	1960	iedvtool.exe	AppLaunch.exe
PID 1960 wrote to memory of 4104	1960	iedvtool.exe	AppLaunch.exe
PID 1960 wrote to memory of 4104	1960	iedvtool.exe	AppLaunch.exe
PID 1960 wrote to memory of 4104	1960	iedvtool.exe	AppLaunch.exe
PID 1960 wrote to memory of 4104	1960	iedvtool.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe
"C:\Users\Admin\AppData\Local\Temp\bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Users\Admin\AppData\Local\Temp\sysglobl.exe
"C:\Users\Admin\AppData\Local\Temp\sysglobl.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\AppData\Local\Temp\iedvtool.exe
"C:\Users\Admin\AppData\Local\Temp\iedvtool.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize
102B

MD5
9ce7cd302354cd9620e92b882dc708a7

SHA1
1760eebb77ffe46e49caba7d0e488cfe504053e5

SHA256
2437275ae372d5259895be8b178b57cef465775d020f00e8440f2d9c01948d9c

SHA512
693ff1642b5f4739cc9a8bedb8f4f8033a40407f6793e21b724257f9516cd383c1f911b823a25e0af5a803b2749b76f4881ad09d31926589f71bd8d91c023327

Download Submit
C:\Users\Admin\AppData\Local\Temp\iedvtool.exe
Filesize
331KB

MD5
eb2cc33b05f167b62155d3afdd33bca2

SHA1
884068cd29cc9ff4d8a1a1d898f5a868d547c334

SHA256
bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af

SHA512
9cc8623fcf7fc335e38b04f5aa84575f2467c0a5f0f731d1f17cca78fb6bca7d520affc3c0fe84e24610f80d13c1ed4a92201c5a305da89d60aebb088282d096

Download Submit
C:\Users\Admin\AppData\Local\Temp\iedvtool.exe
Filesize
331KB

MD5
eb2cc33b05f167b62155d3afdd33bca2

SHA1
884068cd29cc9ff4d8a1a1d898f5a868d547c334

SHA256
bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af

SHA512
9cc8623fcf7fc335e38b04f5aa84575f2467c0a5f0f731d1f17cca78fb6bca7d520affc3c0fe84e24610f80d13c1ed4a92201c5a305da89d60aebb088282d096

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysglobl.exe
Filesize
5KB

MD5
f497644617b3acfeb96112688987bdca

SHA1
f053af1485c7ed5da986c0ddf156a4e30fe21fe0

SHA256
9da37d8226e60103d6e1a5457e24f195d3fbc664b71ab759aeeb231a8c93f2ed

SHA512
934a1057a7c11e7eb015b9c666c632953197128775abccb779014c179f5653b728aa5383fd668147528b7148c9e444bd6a0df8a7a9ca8c30712c6c3a3c2e17e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysglobl.exe
Filesize
5KB

MD5
f497644617b3acfeb96112688987bdca

SHA1
f053af1485c7ed5da986c0ddf156a4e30fe21fe0

SHA256
9da37d8226e60103d6e1a5457e24f195d3fbc664b71ab759aeeb231a8c93f2ed

SHA512
934a1057a7c11e7eb015b9c666c632953197128775abccb779014c179f5653b728aa5383fd668147528b7148c9e444bd6a0df8a7a9ca8c30712c6c3a3c2e17e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
331KB

MD5
eb2cc33b05f167b62155d3afdd33bca2

SHA1
884068cd29cc9ff4d8a1a1d898f5a868d547c334

SHA256
bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af

SHA512
9cc8623fcf7fc335e38b04f5aa84575f2467c0a5f0f731d1f17cca78fb6bca7d520affc3c0fe84e24610f80d13c1ed4a92201c5a305da89d60aebb088282d096

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
331KB

MD5
eb2cc33b05f167b62155d3afdd33bca2

SHA1
884068cd29cc9ff4d8a1a1d898f5a868d547c334

SHA256
bb88ff1c8a9fedda601ee817f7baf597f39f725322320fe6c39805e1a51ac6af

SHA512
9cc8623fcf7fc335e38b04f5aa84575f2467c0a5f0f731d1f17cca78fb6bca7d520affc3c0fe84e24610f80d13c1ed4a92201c5a305da89d60aebb088282d096

Download Submit
memory/1960-162-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/1960-159-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/1960-150-0x0000000000000000-mapping.dmp

Download
memory/3632-139-0x0000000000000000-mapping.dmp

Download
memory/3632-141-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3632-144-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3632-145-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3632-140-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3632-142-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/4104-153-0x0000000000000000-mapping.dmp

Download
memory/4696-133-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/4696-137-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-152-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/4868-146-0x0000000000000000-mapping.dmp

Download
memory/4868-161-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/5108-143-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/5108-160-0x0000000074E20000-0x00000000753D1000-memory.dmp

Filesize
5.7MB

Download
memory/5108-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads