darkcomet | dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262

Analysis

max time kernel
152s
max time network
177s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 12:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Size

1.1MB
MD5

80a6f592279ea5ee33110734677e5d62
SHA1

15a6965cc45a865f94fb05f3931d27acba174415
SHA256

dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262
SHA512

9a495f0091e00b9ca0e93bd18c348dbeef8c788a9825b283b75912b50b6ca6ac2192a846a47f77494589ec5963407fc85669f6aeac5c826e777d2dc54dd79960
SSDEEP

24576:dYi0aeKVUQBoBsrjOP2mnQQsMEqs1MLbp68xcjuJmSOn79F3vqu:dYiLeK7IsrjOP2WNsCs1MLrxUuJm/n7f

Score

10^/10

darkcomet ot-10aug persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

OT-10aug

h23.us.to:65432

t4rt4r.zapto.org:9384

Mutex

DC_MUTEX-742F3S6

Attributes

InstallPath
W1Nrar\svchost.exe
gencode
wB67Vbr5dSJp
install
true
offline_keylogger
true
persistence
false
reg_key
Host Process for Windows Services

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\W1Nrar\\svchost.exe"	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe

Executes dropped EXE 2 IoCs

pid	Process
1384	svchost.exe
1464	svchost.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1776-54-0x0000000000400000-0x00000000007CE000-memory.dmp	upx
behavioral1/memory/1776-55-0x0000000000400000-0x00000000007CE000-memory.dmp	upx
behavioral1/memory/1776-61-0x0000000000400000-0x00000000007CE000-memory.dmp	upx
behavioral1/files/0x0009000000013a04-79.dat	upx
behavioral1/memory/948-82-0x0000000003430000-0x00000000037FE000-memory.dmp	upx
behavioral1/files/0x0009000000013a04-80.dat	upx
behavioral1/files/0x0009000000013a04-83.dat	upx
behavioral1/memory/1384-84-0x0000000000400000-0x00000000007CE000-memory.dmp	upx
behavioral1/files/0x0009000000013a04-86.dat	upx
behavioral1/memory/1384-99-0x0000000000400000-0x00000000007CE000-memory.dmp	upx
behavioral1/files/0x0009000000013a04-105.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\W1Nrar\\svchost.exe"	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1776 set thread context of 948	1776	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	28
PID 1384 set thread context of 1464	1384	svchost.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeSecurityPrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeTakeOwnershipPrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeLoadDriverPrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeSystemProfilePrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeSystemtimePrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeProfSingleProcessPrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeIncBasePriorityPrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeCreatePagefilePrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeBackupPrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeRestorePrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeShutdownPrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeDebugPrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeSystemEnvironmentPrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeChangeNotifyPrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeRemoteShutdownPrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeUndockPrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeManageVolumePrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeImpersonatePrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeCreateGlobalPrivilege	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: 33	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: 34	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: 35	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
Token: SeIncreaseQuotaPrivilege	1464	svchost.exe
Token: SeSecurityPrivilege	1464	svchost.exe
Token: SeTakeOwnershipPrivilege	1464	svchost.exe
Token: SeLoadDriverPrivilege	1464	svchost.exe
Token: SeSystemProfilePrivilege	1464	svchost.exe
Token: SeSystemtimePrivilege	1464	svchost.exe
Token: SeProfSingleProcessPrivilege	1464	svchost.exe
Token: SeIncBasePriorityPrivilege	1464	svchost.exe
Token: SeCreatePagefilePrivilege	1464	svchost.exe
Token: SeBackupPrivilege	1464	svchost.exe
Token: SeRestorePrivilege	1464	svchost.exe
Token: SeShutdownPrivilege	1464	svchost.exe
Token: SeDebugPrivilege	1464	svchost.exe
Token: SeSystemEnvironmentPrivilege	1464	svchost.exe
Token: SeChangeNotifyPrivilege	1464	svchost.exe
Token: SeRemoteShutdownPrivilege	1464	svchost.exe
Token: SeUndockPrivilege	1464	svchost.exe
Token: SeManageVolumePrivilege	1464	svchost.exe
Token: SeImpersonatePrivilege	1464	svchost.exe
Token: SeCreateGlobalPrivilege	1464	svchost.exe
Token: 33	1464	svchost.exe
Token: 34	1464	svchost.exe
Token: 35	1464	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1464	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 948	1776	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	28
PID 1776 wrote to memory of 948	1776	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	28
PID 1776 wrote to memory of 948	1776	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	28
PID 1776 wrote to memory of 948	1776	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	28
PID 1776 wrote to memory of 948	1776	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	28
PID 1776 wrote to memory of 948	1776	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	28
PID 1776 wrote to memory of 948	1776	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	28
PID 1776 wrote to memory of 948	1776	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	28
PID 1776 wrote to memory of 948	1776	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	28
PID 1776 wrote to memory of 948	1776	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	28
PID 1776 wrote to memory of 948	1776	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	28
PID 1776 wrote to memory of 948	1776	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	28
PID 1776 wrote to memory of 948	1776	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	28
PID 948 wrote to memory of 1384	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	29
PID 948 wrote to memory of 1384	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	29
PID 948 wrote to memory of 1384	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	29
PID 948 wrote to memory of 1384	948	dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe	29
PID 1384 wrote to memory of 1464	1384	svchost.exe	30
PID 1384 wrote to memory of 1464	1384	svchost.exe	30
PID 1384 wrote to memory of 1464	1384	svchost.exe	30
PID 1384 wrote to memory of 1464	1384	svchost.exe	30
PID 1384 wrote to memory of 1464	1384	svchost.exe	30
PID 1384 wrote to memory of 1464	1384	svchost.exe	30
PID 1384 wrote to memory of 1464	1384	svchost.exe	30
PID 1384 wrote to memory of 1464	1384	svchost.exe	30
PID 1384 wrote to memory of 1464	1384	svchost.exe	30
PID 1384 wrote to memory of 1464	1384	svchost.exe	30
PID 1384 wrote to memory of 1464	1384	svchost.exe	30
PID 1384 wrote to memory of 1464	1384	svchost.exe	30
PID 1384 wrote to memory of 1464	1384	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
"C:\Users\Admin\AppData\Local\Temp\dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe
  "C:\Users\Admin\AppData\Local\Temp\dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Roaming\W1Nrar\svchost.exe
    "C:\Users\Admin\AppData\Roaming\W1Nrar\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Users\Admin\AppData\Roaming\W1Nrar\svchost.exe
      "C:\Users\Admin\AppData\Roaming\W1Nrar\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\W1Nrar\svchost.exe

Filesize
1.1MB

MD5
80a6f592279ea5ee33110734677e5d62

SHA1
15a6965cc45a865f94fb05f3931d27acba174415

SHA256
dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262

SHA512
9a495f0091e00b9ca0e93bd18c348dbeef8c788a9825b283b75912b50b6ca6ac2192a846a47f77494589ec5963407fc85669f6aeac5c826e777d2dc54dd79960

Download Submit
C:\Users\Admin\AppData\Roaming\W1Nrar\svchost.exe

Filesize
1.1MB

MD5
80a6f592279ea5ee33110734677e5d62

SHA1
15a6965cc45a865f94fb05f3931d27acba174415

SHA256
dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262

SHA512
9a495f0091e00b9ca0e93bd18c348dbeef8c788a9825b283b75912b50b6ca6ac2192a846a47f77494589ec5963407fc85669f6aeac5c826e777d2dc54dd79960

Download Submit
C:\Users\Admin\AppData\Roaming\W1Nrar\svchost.exe

Filesize
1.1MB

MD5
80a6f592279ea5ee33110734677e5d62

SHA1
15a6965cc45a865f94fb05f3931d27acba174415

SHA256
dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262

SHA512
9a495f0091e00b9ca0e93bd18c348dbeef8c788a9825b283b75912b50b6ca6ac2192a846a47f77494589ec5963407fc85669f6aeac5c826e777d2dc54dd79960

Download Submit
\Users\Admin\AppData\Roaming\W1Nrar\svchost.exe

Filesize
1.1MB

MD5
80a6f592279ea5ee33110734677e5d62

SHA1
15a6965cc45a865f94fb05f3931d27acba174415

SHA256
dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262

SHA512
9a495f0091e00b9ca0e93bd18c348dbeef8c788a9825b283b75912b50b6ca6ac2192a846a47f77494589ec5963407fc85669f6aeac5c826e777d2dc54dd79960

Download Submit
\Users\Admin\AppData\Roaming\W1Nrar\svchost.exe

Filesize
1.1MB

MD5
80a6f592279ea5ee33110734677e5d62

SHA1
15a6965cc45a865f94fb05f3931d27acba174415

SHA256
dde6d8365ab5c6e79d83754deaa326e3cf649d5793270fbddecfbd16f42f9262

SHA512
9a495f0091e00b9ca0e93bd18c348dbeef8c788a9825b283b75912b50b6ca6ac2192a846a47f77494589ec5963407fc85669f6aeac5c826e777d2dc54dd79960

Download Submit
memory/948-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/948-82-0x0000000003430000-0x00000000037FE000-memory.dmp

Filesize
3.8MB

Download
memory/948-97-0x0000000003430000-0x00000000037FE000-memory.dmp

Filesize
3.8MB

Download
memory/948-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/948-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/948-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/948-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/948-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/948-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/948-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/948-78-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/948-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/948-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/948-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1384-84-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1384-99-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1464-108-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1464-109-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1464-110-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1776-61-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1776-56-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1776-54-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1776-55-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads