darkcomet | 879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad

Analysis

max time kernel
151s
max time network
129s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
Size

1.5MB
MD5

9f846304ca03af9cd8c24364305f51d6
SHA1

bf0f159c9f477058f6f4b1af7c91b18a3bfc4d49
SHA256

879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad
SHA512

d61ca65e9f0fec86f049f23b9913f7c56440b522a9636641e167f51b24cec36f6260d96905ecac1fdc28c1669094d6e574dcaa70d04ad3c3060912f437f1c77f
SSDEEP

24576:n/y/69r+q6e/2YeY+yTZ8h7IETl/GjNwBVSInELrKE0Wx8fglv/K:nKEiql2Y9iEGGjNxJXUIllv/K

Score

10^/10

darkcomet bot persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

bot

canardwc.zapto.org:1604

Mutex

DC_MUTEX-VSDJA8C

Attributes

gencode
E9ARHzMPTXjL
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

patch.exepatch.exeCRACK_~1.EXE

pid process

988 patch.exe
836 patch.exe
1884 CRACK_~1.EXE

pid	process
988	patch.exe
836	patch.exe
1884	CRACK_~1.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe	upx
\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe	upx
\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe	upx
behavioral1/memory/988-70-0x0000000000400000-0x000000000067E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe	upx
behavioral1/memory/988-84-0x0000000000400000-0x000000000067E000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe	upx

Loads dropped DLL 6 IoCs

Processes:

879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exepatch.exepatch.exeCRACK_~1.EXE

pid	process
1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
988	patch.exe
988	patch.exe
1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
836	patch.exe
1884	CRACK_~1.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exepatch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecran = "\"\\.exeTrue\""	patch.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

patch.exe

description pid process target process

PID 988 set thread context of 836 988 patch.exe patch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 988 set thread context of 836	988	patch.exe	patch.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

patch.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	836	patch.exe
Token: SeSecurityPrivilege	836	patch.exe
Token: SeTakeOwnershipPrivilege	836	patch.exe
Token: SeLoadDriverPrivilege	836	patch.exe
Token: SeSystemProfilePrivilege	836	patch.exe
Token: SeSystemtimePrivilege	836	patch.exe
Token: SeProfSingleProcessPrivilege	836	patch.exe
Token: SeIncBasePriorityPrivilege	836	patch.exe
Token: SeCreatePagefilePrivilege	836	patch.exe
Token: SeBackupPrivilege	836	patch.exe
Token: SeRestorePrivilege	836	patch.exe
Token: SeShutdownPrivilege	836	patch.exe
Token: SeDebugPrivilege	836	patch.exe
Token: SeSystemEnvironmentPrivilege	836	patch.exe
Token: SeChangeNotifyPrivilege	836	patch.exe
Token: SeRemoteShutdownPrivilege	836	patch.exe
Token: SeUndockPrivilege	836	patch.exe
Token: SeManageVolumePrivilege	836	patch.exe
Token: SeImpersonatePrivilege	836	patch.exe
Token: SeCreateGlobalPrivilege	836	patch.exe
Token: 33	836	patch.exe
Token: 34	836	patch.exe
Token: 35	836	patch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

patch.exe

pid process

836 patch.exe

pid	process
836	patch.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exepatch.exe

description	pid	process	target process
PID 1768 wrote to memory of 988	1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	patch.exe
PID 1768 wrote to memory of 988	1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	patch.exe
PID 1768 wrote to memory of 988	1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	patch.exe
PID 1768 wrote to memory of 988	1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	patch.exe
PID 1768 wrote to memory of 988	1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	patch.exe
PID 1768 wrote to memory of 988	1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	patch.exe
PID 1768 wrote to memory of 988	1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 988 wrote to memory of 836	988	patch.exe	patch.exe
PID 1768 wrote to memory of 1884	1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	CRACK_~1.EXE
PID 1768 wrote to memory of 1884	1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	CRACK_~1.EXE
PID 1768 wrote to memory of 1884	1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	CRACK_~1.EXE
PID 1768 wrote to memory of 1884	1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	CRACK_~1.EXE
PID 1768 wrote to memory of 1884	1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	CRACK_~1.EXE
PID 1768 wrote to memory of 1884	1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	CRACK_~1.EXE
PID 1768 wrote to memory of 1884	1768	879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe	CRACK_~1.EXE

C:\Users\Admin\AppData\Local\Temp\879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe
"C:\Users\Admin\AppData\Local\Temp\879a1cbf5a37d27f313bc5028decf8eb73385d78699071fb27d1addab00224ad.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:836

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
Filesize
1.0MB

MD5
8a2b12a27fdf10348d290d79f9ec9e79

SHA1
13581a9f08ef3f16610ef14f3760b7d5bfdc4b38

SHA256
a5fa1c7ae5396a27a9e746062060535ed77c6acf06da1cf783656e0066ad770b

SHA512
4570dd1710895ea2de81c181bf1a015d4ef064cb5cfb536219f63ff07ba32030f3f1ec3b4574ad54f12a40bb719bd0798f7e22a6e7ac842f3966ad94067edfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
Filesize
1.0MB

MD5
8a2b12a27fdf10348d290d79f9ec9e79

SHA1
13581a9f08ef3f16610ef14f3760b7d5bfdc4b38

SHA256
a5fa1c7ae5396a27a9e746062060535ed77c6acf06da1cf783656e0066ad770b

SHA512
4570dd1710895ea2de81c181bf1a015d4ef064cb5cfb536219f63ff07ba32030f3f1ec3b4574ad54f12a40bb719bd0798f7e22a6e7ac842f3966ad94067edfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
Filesize
1.0MB

MD5
9378cd24a793c9b90fddf97d92d1b09c

SHA1
899eab9097900a28a294d0f63d480202b89be6fa

SHA256
775e2482bc8399f664d447887707a2b796f059dd531a83d299179a64f31fbf58

SHA512
600407dd8acacedac9415245492cf7a1e6f18418ef3faed72bf7c12579ad0616cc99278ba9b0988d8432c2d4d362a8059f02e4d95c9e7a85e660eace02c5cb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
Filesize
1.0MB

MD5
9378cd24a793c9b90fddf97d92d1b09c

SHA1
899eab9097900a28a294d0f63d480202b89be6fa

SHA256
775e2482bc8399f664d447887707a2b796f059dd531a83d299179a64f31fbf58

SHA512
600407dd8acacedac9415245492cf7a1e6f18418ef3faed72bf7c12579ad0616cc99278ba9b0988d8432c2d4d362a8059f02e4d95c9e7a85e660eace02c5cb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
Filesize
1.0MB

MD5
9378cd24a793c9b90fddf97d92d1b09c

SHA1
899eab9097900a28a294d0f63d480202b89be6fa

SHA256
775e2482bc8399f664d447887707a2b796f059dd531a83d299179a64f31fbf58

SHA512
600407dd8acacedac9415245492cf7a1e6f18418ef3faed72bf7c12579ad0616cc99278ba9b0988d8432c2d4d362a8059f02e4d95c9e7a85e660eace02c5cb12

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
Filesize
1.0MB

MD5
8a2b12a27fdf10348d290d79f9ec9e79

SHA1
13581a9f08ef3f16610ef14f3760b7d5bfdc4b38

SHA256
a5fa1c7ae5396a27a9e746062060535ed77c6acf06da1cf783656e0066ad770b

SHA512
4570dd1710895ea2de81c181bf1a015d4ef064cb5cfb536219f63ff07ba32030f3f1ec3b4574ad54f12a40bb719bd0798f7e22a6e7ac842f3966ad94067edfa3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CRACK_~1.EXE
Filesize
1.0MB

MD5
8a2b12a27fdf10348d290d79f9ec9e79

SHA1
13581a9f08ef3f16610ef14f3760b7d5bfdc4b38

SHA256
a5fa1c7ae5396a27a9e746062060535ed77c6acf06da1cf783656e0066ad770b

SHA512
4570dd1710895ea2de81c181bf1a015d4ef064cb5cfb536219f63ff07ba32030f3f1ec3b4574ad54f12a40bb719bd0798f7e22a6e7ac842f3966ad94067edfa3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
Filesize
1.0MB

MD5
9378cd24a793c9b90fddf97d92d1b09c

SHA1
899eab9097900a28a294d0f63d480202b89be6fa

SHA256
775e2482bc8399f664d447887707a2b796f059dd531a83d299179a64f31fbf58

SHA512
600407dd8acacedac9415245492cf7a1e6f18418ef3faed72bf7c12579ad0616cc99278ba9b0988d8432c2d4d362a8059f02e4d95c9e7a85e660eace02c5cb12

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
Filesize
1.0MB

MD5
9378cd24a793c9b90fddf97d92d1b09c

SHA1
899eab9097900a28a294d0f63d480202b89be6fa

SHA256
775e2482bc8399f664d447887707a2b796f059dd531a83d299179a64f31fbf58

SHA512
600407dd8acacedac9415245492cf7a1e6f18418ef3faed72bf7c12579ad0616cc99278ba9b0988d8432c2d4d362a8059f02e4d95c9e7a85e660eace02c5cb12

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
Filesize
1.0MB

MD5
9378cd24a793c9b90fddf97d92d1b09c

SHA1
899eab9097900a28a294d0f63d480202b89be6fa

SHA256
775e2482bc8399f664d447887707a2b796f059dd531a83d299179a64f31fbf58

SHA512
600407dd8acacedac9415245492cf7a1e6f18418ef3faed72bf7c12579ad0616cc99278ba9b0988d8432c2d4d362a8059f02e4d95c9e7a85e660eace02c5cb12

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\patch.exe
Filesize
1.0MB

MD5
9378cd24a793c9b90fddf97d92d1b09c

SHA1
899eab9097900a28a294d0f63d480202b89be6fa

SHA256
775e2482bc8399f664d447887707a2b796f059dd531a83d299179a64f31fbf58

SHA512
600407dd8acacedac9415245492cf7a1e6f18418ef3faed72bf7c12579ad0616cc99278ba9b0988d8432c2d4d362a8059f02e4d95c9e7a85e660eace02c5cb12

Download Submit
memory/836-78-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/836-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/836-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/836-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/836-99-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/836-98-0x0000000000CD0000-0x0000000000F4E000-memory.dmp

Filesize
2.5MB

Download
memory/836-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/836-97-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/836-80-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/836-83-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/836-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/836-81-0x000000000048F888-mapping.dmp

Download
memory/836-96-0x0000000000CD0000-0x0000000000F4E000-memory.dmp

Filesize
2.5MB

Download
memory/836-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/836-87-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/836-91-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/836-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/988-72-0x0000000000D90000-0x000000000100E000-memory.dmp

Filesize
2.5MB

Download
memory/988-56-0x0000000000000000-mapping.dmp

Download
memory/988-84-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/988-70-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/988-74-0x0000000003690000-0x000000000390E000-memory.dmp

Filesize
2.5MB

Download
memory/1768-66-0x00000000024B0000-0x000000000272E000-memory.dmp

Filesize
2.5MB

Download
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1884-88-0x0000000000000000-mapping.dmp

Download