darkcomet | e50757dcc45f3d97c87c16c9fa322907d44f35c8b6e200302823018f63e3a185

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Size

748KB
MD5

4dd4b9b27ab77cf5e6e4b774baa9cba2
SHA1

3865a1b5105d28b8ff012253029a3f4a40aab2ac
SHA256

e50757dcc45f3d97c87c16c9fa322907d44f35c8b6e200302823018f63e3a185
SHA512

608d1d5260d56b9c803878dc699da45ed571201b2d55fb4807518a5b94e2369cf65ddd9b0b364af9fe2f053786e041d17f6c329f03abb7ac72b872920c2e78e9
SSDEEP

12288:AZ8szR7ChTq/MoeNGeVT5STAPKGPx0NVNBE8t0JfHkw6BE5qy2Bn8+gx7kxHI6je:ARlC5ueNPTSTAPKGPx0NVNBE8tSfHAB+

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Executes dropped EXE 2 IoCs

pid	Process
2388	winupdate.exe
2132	winupdate.exe

Loads dropped DLL 2 IoCs

pid	Process
2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
2388	winupdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2212 set thread context of 2928	2212	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	28
PID 2388 set thread context of 2132	2388	winupdate.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeSecurityPrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeTakeOwnershipPrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeLoadDriverPrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeSystemProfilePrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeSystemtimePrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeProfSingleProcessPrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeIncBasePriorityPrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeCreatePagefilePrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeBackupPrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeRestorePrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeShutdownPrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeDebugPrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeSystemEnvironmentPrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeChangeNotifyPrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeRemoteShutdownPrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeUndockPrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeManageVolumePrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeImpersonatePrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeCreateGlobalPrivilege	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: 33	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: 34	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: 35	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
Token: SeIncreaseQuotaPrivilege	2132	winupdate.exe
Token: SeSecurityPrivilege	2132	winupdate.exe
Token: SeTakeOwnershipPrivilege	2132	winupdate.exe
Token: SeLoadDriverPrivilege	2132	winupdate.exe
Token: SeSystemProfilePrivilege	2132	winupdate.exe
Token: SeSystemtimePrivilege	2132	winupdate.exe
Token: SeProfSingleProcessPrivilege	2132	winupdate.exe
Token: SeIncBasePriorityPrivilege	2132	winupdate.exe
Token: SeCreatePagefilePrivilege	2132	winupdate.exe
Token: SeBackupPrivilege	2132	winupdate.exe
Token: SeRestorePrivilege	2132	winupdate.exe
Token: SeShutdownPrivilege	2132	winupdate.exe
Token: SeDebugPrivilege	2132	winupdate.exe
Token: SeSystemEnvironmentPrivilege	2132	winupdate.exe
Token: SeChangeNotifyPrivilege	2132	winupdate.exe
Token: SeRemoteShutdownPrivilege	2132	winupdate.exe
Token: SeUndockPrivilege	2132	winupdate.exe
Token: SeManageVolumePrivilege	2132	winupdate.exe
Token: SeImpersonatePrivilege	2132	winupdate.exe
Token: SeCreateGlobalPrivilege	2132	winupdate.exe
Token: 33	2132	winupdate.exe
Token: 34	2132	winupdate.exe
Token: 35	2132	winupdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2132	winupdate.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2928	2212	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	28
PID 2212 wrote to memory of 2928	2212	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	28
PID 2212 wrote to memory of 2928	2212	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	28
PID 2212 wrote to memory of 2928	2212	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	28
PID 2212 wrote to memory of 2928	2212	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	28
PID 2212 wrote to memory of 2928	2212	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	28
PID 2212 wrote to memory of 2928	2212	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	28
PID 2212 wrote to memory of 2928	2212	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	28
PID 2212 wrote to memory of 2928	2212	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	28
PID 2212 wrote to memory of 2928	2212	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	28
PID 2212 wrote to memory of 2928	2212	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	28
PID 2212 wrote to memory of 2928	2212	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	28
PID 2212 wrote to memory of 2928	2212	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	28
PID 2928 wrote to memory of 2388	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	29
PID 2928 wrote to memory of 2388	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	29
PID 2928 wrote to memory of 2388	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	29
PID 2928 wrote to memory of 2388	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	29
PID 2928 wrote to memory of 2388	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	29
PID 2928 wrote to memory of 2388	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	29
PID 2928 wrote to memory of 2388	2928	4dd4b9b27ab77cf5e6e4b774baa9cba2.exe	29
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30
PID 2388 wrote to memory of 2132	2388	winupdate.exe	30

C:\Users\Admin\AppData\Local\Temp\4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
"C:\Users\Admin\AppData\Local\Temp\4dd4b9b27ab77cf5e6e4b774baa9cba2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\4dd4b9b27ab77cf5e6e4b774baa9cba2.exe
  "C:\Users\Admin\AppData\Local\Temp\4dd4b9b27ab77cf5e6e4b774baa9cba2.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windupdt\winupdate.exe
    "C:\Windupdt\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windupdt\winupdate.exe
      "C:\Windupdt\winupdate.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windupdt\winupdate.exe

Filesize
61KB

MD5
1674e4096951d546c811ee770d96a5e3

SHA1
21321da9f982ee4ef61c8f61b172a8e11f606642

SHA256
85367a3c9bd4c16be641af369c6377f51083c68c0cf620908a382b5b328935a5

SHA512
b553acb61aba93f239d89ef01c17972523cb7cae804d91b7ccc2737ce468afdc4625957a1643bf37dae71a1fcb08b906823e256381e5c5adc350f5eba012e2e4

Download Submit
C:\Windupdt\winupdate.exe

Filesize
31KB

MD5
1f6b6823351bc06a047c64e646df18f9

SHA1
7bcbb914476cf989575f10a162608c4ef7b0958f

SHA256
2e34a90054a24c12d711580458836112e347f038ae61714c0b40b6262ed41479

SHA512
81d27f8654ffd87743ee94187ae004c161322066115de2d91ecb5d5ab7e7e52a3219e876552fec67f413e887e557310ee34a01309bc4640c42b299d6f527215d

Download Submit
C:\Windupdt\winupdate.exe

Filesize
48KB

MD5
08a497531d44923123f091049d8ccd6b

SHA1
bb74e20aed21c69918d92a75958afb6b3666768a

SHA256
81603c20ea7418d0b384e0986c5bd79550171dae4a66b379550afb8d2094f5b6

SHA512
34cf090110becf95ace8d2e0c1495788f300c6cfe1694aef7a4293c8f2e2e0d0e66fe28eb102f275e20b9942036b38ca7688ea64cd8d4ab8114814b2ab2c06f1

Download Submit
C:\Windupdt\winupdate.exe

Filesize
92KB

MD5
00a04a84e6fb073678dff8e81c76956a

SHA1
3f3ae4b4b1787681cef516a4a5b96eeb91154690

SHA256
5c704a36895aab9008a5ac6eb9325415ab59c28cc3b819201b563e329d2029b0

SHA512
d813a4d15df59bb8779d1bdd93d7a0e6f8d5fe31870f7308d8d4bf65f7a64ef3b8d6e48fdec51e60ce5565dd1b80d94ea4dedd0ab6208ba87be136a760e3272c

Download Submit
\Windupdt\winupdate.exe

Filesize
125KB

MD5
61496b4f241a1d252ae57dce6e6f420d

SHA1
c5c2369d24824387df0203ce074220d6a960ee0e

SHA256
936a09e6366b0fbf3a495b7428845e488e4a92d241a8ee916ef81729072481bb

SHA512
5568937ffd9c483a657fd88f7933ba05dc283a1782980b016367b78eb7636c9e5f136d0018d9a2c0d632ba5ef4752129173fd7086ca32162b8b2dc21edab5a74

Download Submit
\Windupdt\winupdate.exe

Filesize
119KB

MD5
6df4fa3837ecd10cbe0cdd61e2eacdc1

SHA1
aeded9a140ddad0696085ae869ef0e825790122e

SHA256
3f67d3ed5dd3611cdb3498f0cf21c74f52fef84734784c86ed6cdc42494387cb

SHA512
985d09cf50af09db1588b2b03761a5710e30088789939003716181d6a488f8b0a17686f1bfdf19305f2d0ec731384b2d4cce87c9fae9e97cdc0a216184aa3088

Download Submit
memory/2132-46-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2132-43-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2132-51-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2132-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2132-44-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2132-45-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2132-47-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2132-48-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2132-49-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2132-50-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2928-1-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2928-9-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2928-16-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2928-15-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2928-11-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2928-0-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2928-27-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2928-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2928-5-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2928-19-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2928-18-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2928-2-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2928-7-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2928-3-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2928-17-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads