darkcomet | 5e9b31834d9951e950f884bea2a45bafb99c1761fbb8b7be4301467f55795d1a

Analysis

max time kernel
1s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e75d27a4dec7334e548a776a58137877.exe
Size

318KB
MD5

e75d27a4dec7334e548a776a58137877
SHA1

85e46d71cd015e4714459d2fe73f6c9a066199f5
SHA256

5e9b31834d9951e950f884bea2a45bafb99c1761fbb8b7be4301467f55795d1a
SHA512

28669e18a2ea427fa90f11ec4ed5f024bd3a28a4602bfe091fc6155e3b2f170f9f7f245a0912aa6cca627c6bc9802d4b39a75043c57d6d5e4c4ac3896710755f
SSDEEP

6144:TKjZaimwIqlazWEIBk4ZAs3CaYo/TRg4w6kT1kYftg5d672:dZqIzW35RFn9g311kYfi6K

Score

10^/10

darkcomet hawkeye keylogger rat spyware stealer trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Deletes itself 1 IoCs

pid	Process
2080	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2080	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
1520	e75d27a4dec7334e548a776a58137877.exe
1520	e75d27a4dec7334e548a776a58137877.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2816-30-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2816-31-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2816-44-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2816-45-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2816-57-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2816-50-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2816-54-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2816-34-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2816-32-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2816-27-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2816-25-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2816-77-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2080 set thread context of 2816	2080	explorer.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2080	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	e75d27a4dec7334e548a776a58137877.exe
Token: SeDebugPrivilege	2080	explorer.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2080	1520	e75d27a4dec7334e548a776a58137877.exe	28
PID 1520 wrote to memory of 2080	1520	e75d27a4dec7334e548a776a58137877.exe	28
PID 1520 wrote to memory of 2080	1520	e75d27a4dec7334e548a776a58137877.exe	28
PID 1520 wrote to memory of 2080	1520	e75d27a4dec7334e548a776a58137877.exe	28
PID 2080 wrote to memory of 2816	2080	explorer.exe	32
PID 2080 wrote to memory of 2816	2080	explorer.exe	32
PID 2080 wrote to memory of 2816	2080	explorer.exe	32
PID 2080 wrote to memory of 2816	2080	explorer.exe	32
PID 2080 wrote to memory of 2816	2080	explorer.exe	32
PID 2080 wrote to memory of 2816	2080	explorer.exe	32
PID 2080 wrote to memory of 2816	2080	explorer.exe	32
PID 2080 wrote to memory of 2816	2080	explorer.exe	32
PID 2080 wrote to memory of 2816	2080	explorer.exe	32
PID 2080 wrote to memory of 2816	2080	explorer.exe	32
PID 2080 wrote to memory of 2816	2080	explorer.exe	32

C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877.exe
"C:\Users\Admin\AppData\Local\Temp\e75d27a4dec7334e548a776a58137877.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
    "C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe"
    3⤵
    PID:2788
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    3⤵
    PID:2816

C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe
"C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe"
1⤵
PID:2984
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  2⤵
  PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
70B

MD5
10f8e5ef710815f8042993d8a493148c

SHA1
ca1311ec6a490dd0cae48a970d9bd52347c26a66

SHA256
8b388565259a47221d1ea8753f40c174862c43b0e097026e8e99c7d785aaaea8

SHA512
d81dbf5ede3ae69894fecd63201b1b8b7b5529396643dda74ec96b415d7e50fb53dedf2b784f28e014d61892bd90b41d50f94aa1cad2a6b874c610c79826a157

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe

Filesize
24KB

MD5
7a85c5282e3f340421324fa7263a3084

SHA1
0368779fbf6a7160a45794c010bb17698141fce1

SHA256
daf4c0d09e443f7757c97b5e86757f367eaaf659f4e0722372f3caa919098690

SHA512
89a6d47314dbe311e7df6f0c1c370685d45585cd5a3eeb3a5816e116bbf82378dba1b5c83817e7d28bc26f53a0edc3fbc25e193236a13176ea3dc648d065d26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe

Filesize
39KB

MD5
38abcaec6ee62213f90b1717d830a1bb

SHA1
d8f5849d0d3f4ccc0dfb66a9a4a0442ac66a31b9

SHA256
6fee9a2c70b2cc48b0812f7cb2e09497c9c90941976f430a8f8279ad3c787768

SHA512
77eaabcbc6f7a3835b6220d72c4b1cae82d2125ea971907e33b15ceeede7e4da0741c6e63e988bd782ed6eb72ad3cbcba10ea83919eafd9b95d612c43a735274

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe

Filesize
104KB

MD5
a1e520b6ef395102f9d557887f1117f9

SHA1
cf4f746f80510270909e80d145b805f6ed3b5016

SHA256
d84c9e21245cffb9a046e6a45cbddf2d3f5c317fc85912342b5747ff11966565

SHA512
6e988569fa4f151d5b5c49365758b0d6657763f44359adb22f04c6c63e66a79ff488caeb3f2ebd42826a23459cd283ec7ee65e75062bb569da98914934daea5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe

Filesize
109KB

MD5
7d14209cd266271f0e66fd569938044c

SHA1
bb0313ab985b329334f5cd8f9eccbf1484763a62

SHA256
e6aefa3a8f792fbb9e3d325d1b698649c64f1eeee2ebb8352c4816859ad75f8b

SHA512
b886904f5f06a356e3fd2f1bf4894a90a8646f0606601a7d2b051851000a399c947849573d0aee9223cfde1201e31a475172376e15fe9955b74f923a2c801b05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
50KB

MD5
931b0b7cc648027e2cb923f341ab76a8

SHA1
3643e08f634a0b9c67b1b2235ac4131220b02bce

SHA256
7eff1c09d4ddb22c67cd7137332f874337d161685a8e033621cc8d2baecc09e8

SHA512
314eab5314556499b676d9b529ba4e865fa1996b60f3768518aef3c593639d9ca8848b3aa0326b8c8184c844054cac9c581f014d0a38a9653437e205344ac350

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
22KB

MD5
bb7977f22430b90b9776f72a650511e4

SHA1
f908072ae6a9d3eff4a13ec9c404af6f0aac6c40

SHA256
f910d745e60224a9695714e120b58af2ffb5f99b1f519c7ac5afea3399b63ba8

SHA512
52475507052d43dcbdf4d2616d633f9f5d66ee5f3c25756529516243914e7182c9095723ae1c4c662c6692ffe42d52d2f8493dd1b1075ea88270bce1cf853c7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
29KB

MD5
a9751886302ac681869c6c0beabec865

SHA1
1a39348e1dfdc839a4f2653f0a7cb36c254d2c41

SHA256
b86a79fb727e4420d843fffa58a2ecba892baa769bebd87fad161bf9d2c9255f

SHA512
56dcaba0a67bb50a55bae9f6c3cf481174fb4dd0d26ae89a0d737f270b239606919a2f178b80374c901d2f1db32383d020d5d8e5511a6974544ddbbf3c00d3e9

Download Submit
\Users\Admin\AppData\Local\Temp\System\nwtray.exe

Filesize
96KB

MD5
e6c21c397a8d884aaa88e6f97a11cd72

SHA1
47855567bcfdf529fa4eb6a71e805b0c3c28c3be

SHA256
6e0dae9b5e64c3b9e249673a6105a3a8ad0899aad1091177bb63d33e996c4f4b

SHA512
6c4c552443bcc025db9993235e732b5a85c1081524c8f94421cdaed8554411c918646cc97054fe0c35f175293441000727bee6771d54edb6809bb1c7a291018d

Download Submit
\Users\Admin\AppData\Local\Temp\System\nwtray.exe

Filesize
13KB

MD5
97e7dbef237e8fcc545db83854eed0b6

SHA1
a5f417a4a004c2eb29c46138cd5b0c978b8a9121

SHA256
32f3dace1881c458c4f8f94159d6bd1344bd2b230d742c2a43267c0cd94e2880

SHA512
53c55c6c38952ba6a4edeea942a598d6f21cd0be1e94b0cad86a8705479bb3ce799b85671db36eddde45ca3cd27c912912839e5f230f4b25b0bdd6ccf183a42d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
47KB

MD5
52feb447276ae7744ab3809a19876401

SHA1
a1ce6ec34dc3642b5c60d61d85bc2ae3f806af22

SHA256
7b117b14e6f3b427dc482f9c032b778f8e16b92ff65f971559431cc9998b11b5

SHA512
b07a15a895573d6a936f91b1f08a3d55bdb92887228b8d0185de7a0b113449bf5d561350a2304bf1c0ece803b3314b79cad1aa1e2f16847625c2edfa2d7df930

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
29KB

MD5
97b0eaec006c172b00edb87710972767

SHA1
0d0948ee771abd3c1adc4f20952751eaf38963f0

SHA256
96b9e8ab664b9475398fade240fa617e956b72a35b9482b8aeaa06c602f15c4e

SHA512
06daf878ec4e634c4a77f93cd10e4fd78252d1718bd499c7a8ced4cce2091038b558102fd76a7476478d063c8b4bc85194149c40a0613832fe43e49e30f446df

Download Submit
memory/1520-2-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-15-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-0-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-1-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download
memory/1520-74-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2080-14-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/2080-76-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2080-75-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/2080-17-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2080-16-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-79-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download
memory/2788-46-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-78-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-49-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-47-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download
memory/2816-50-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2816-23-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2816-30-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2816-57-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2816-34-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2816-32-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2816-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2816-27-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2816-25-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2816-54-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2816-31-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2816-44-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2816-45-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2816-77-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2984-58-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2984-63-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2984-80-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download
memory/2984-56-0x00000000008C0000-0x0000000000900000-memory.dmp

Filesize
256KB

Download
memory/2984-81-0x00000000742F0000-0x000000007489B000-memory.dmp

Filesize
5.7MB

Download