darkcomet | 14a6bd1c424617202ef7c0c2fd0110be91aa582d729b094a6c7313d8ebaac21b

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

680e9c3f35d592e5bb67970823e35252.exe
Size

761KB
MD5

680e9c3f35d592e5bb67970823e35252
SHA1

02ee1040fba1b643d5d0e5ff9e5974269d6b8f66
SHA256

14a6bd1c424617202ef7c0c2fd0110be91aa582d729b094a6c7313d8ebaac21b
SHA512

8ba0c46e8582ae01e935e515e1100eb5f31f9fa82daea351ec41779cbc1ea40d62eea8ef832e84c9e4a8fc4001edd7df75c8ab06f89db7b052b6be78dc355bdf
SSDEEP

12288:XikXBz7TsdZtk5QviGzWILqUsjDGQ1fTjw1/ICteJV2/Y/R468AWcga03U:M1K/IeUG/XwKCtiVCARH8ABl

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	680e9c3f35d592e5bb67970823e35252.exe

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2684	winupdate.exe
2660	winupdate.exe

Loads dropped DLL 8 IoCs

pid	Process
1108	680e9c3f35d592e5bb67970823e35252.exe
2684	winupdate.exe
2684	winupdate.exe
2684	winupdate.exe
2684	winupdate.exe
2660	winupdate.exe
2660	winupdate.exe
2660	winupdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	680e9c3f35d592e5bb67970823e35252.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	winupdate.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2396 set thread context of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2684 set thread context of 2660	2684	winupdate.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2724	PING.EXE

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeSecurityPrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeTakeOwnershipPrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeLoadDriverPrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeSystemProfilePrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeSystemtimePrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeProfSingleProcessPrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeIncBasePriorityPrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeCreatePagefilePrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeBackupPrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeRestorePrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeShutdownPrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeDebugPrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeSystemEnvironmentPrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeChangeNotifyPrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeRemoteShutdownPrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeUndockPrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeManageVolumePrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeImpersonatePrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeCreateGlobalPrivilege	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: 33	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: 34	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: 35	1108	680e9c3f35d592e5bb67970823e35252.exe
Token: SeIncreaseQuotaPrivilege	2660	winupdate.exe
Token: SeSecurityPrivilege	2660	winupdate.exe
Token: SeTakeOwnershipPrivilege	2660	winupdate.exe
Token: SeLoadDriverPrivilege	2660	winupdate.exe
Token: SeSystemProfilePrivilege	2660	winupdate.exe
Token: SeSystemtimePrivilege	2660	winupdate.exe
Token: SeProfSingleProcessPrivilege	2660	winupdate.exe
Token: SeIncBasePriorityPrivilege	2660	winupdate.exe
Token: SeCreatePagefilePrivilege	2660	winupdate.exe
Token: SeBackupPrivilege	2660	winupdate.exe
Token: SeRestorePrivilege	2660	winupdate.exe
Token: SeShutdownPrivilege	2660	winupdate.exe
Token: SeDebugPrivilege	2660	winupdate.exe
Token: SeSystemEnvironmentPrivilege	2660	winupdate.exe
Token: SeChangeNotifyPrivilege	2660	winupdate.exe
Token: SeRemoteShutdownPrivilege	2660	winupdate.exe
Token: SeUndockPrivilege	2660	winupdate.exe
Token: SeManageVolumePrivilege	2660	winupdate.exe
Token: SeImpersonatePrivilege	2660	winupdate.exe
Token: SeCreateGlobalPrivilege	2660	winupdate.exe
Token: 33	2660	winupdate.exe
Token: 34	2660	winupdate.exe
Token: 35	2660	winupdate.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2960	DllHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2396	680e9c3f35d592e5bb67970823e35252.exe
2684	winupdate.exe
2660	winupdate.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 2396 wrote to memory of 1108	2396	680e9c3f35d592e5bb67970823e35252.exe	28
PID 1108 wrote to memory of 2684	1108	680e9c3f35d592e5bb67970823e35252.exe	30
PID 1108 wrote to memory of 2684	1108	680e9c3f35d592e5bb67970823e35252.exe	30
PID 1108 wrote to memory of 2684	1108	680e9c3f35d592e5bb67970823e35252.exe	30
PID 1108 wrote to memory of 2684	1108	680e9c3f35d592e5bb67970823e35252.exe	30
PID 1108 wrote to memory of 2684	1108	680e9c3f35d592e5bb67970823e35252.exe	30
PID 1108 wrote to memory of 2684	1108	680e9c3f35d592e5bb67970823e35252.exe	30
PID 1108 wrote to memory of 2684	1108	680e9c3f35d592e5bb67970823e35252.exe	30
PID 1108 wrote to memory of 2612	1108	680e9c3f35d592e5bb67970823e35252.exe	31
PID 1108 wrote to memory of 2612	1108	680e9c3f35d592e5bb67970823e35252.exe	31
PID 1108 wrote to memory of 2612	1108	680e9c3f35d592e5bb67970823e35252.exe	31
PID 1108 wrote to memory of 2612	1108	680e9c3f35d592e5bb67970823e35252.exe	31
PID 2612 wrote to memory of 2724	2612	cmd.exe	33
PID 2612 wrote to memory of 2724	2612	cmd.exe	33
PID 2612 wrote to memory of 2724	2612	cmd.exe	33
PID 2612 wrote to memory of 2724	2612	cmd.exe	33
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34
PID 2684 wrote to memory of 2660	2684	winupdate.exe	34

C:\Users\Admin\AppData\Local\Temp\680e9c3f35d592e5bb67970823e35252.exe
"C:\Users\Admin\AppData\Local\Temp\680e9c3f35d592e5bb67970823e35252.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\680e9c3f35d592e5bb67970823e35252.exe
  C:\Users\Admin\AppData\Local\Temp\680e9c3f35d592e5bb67970823e35252.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windupdt\winupdate.exe
    "C:\Windupdt\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windupdt\winupdate.exe
      C:\Windupdt\winupdate.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\680e9c3f35d592e5bb67970823e35252.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 5
      4⤵
      Runs ping.exe
      PID:2724

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8753.JPG

Filesize
9KB

MD5
16e7b983534549016ca8dcfa37c2395e

SHA1
80eb017f4ff62317ca21e85ddaa7bdc6d670e0c8

SHA256
02bf0ac2c766584d438848e5799b76d400a8d8510c73bf27c96600b3da4d0367

SHA512
84391d0e29d4e3c4fcccefbb01fb3cdb930dd14349dcbb401153b73236c640bb68a641776b7db80be45abbcebfdad22d1ad998ea9f9217dfe31723bb87a4e3af

Download Submit
C:\Windupdt\winupdate.exe

Filesize
624KB

MD5
ea186433ee7ab7f455c3159efbaa2d35

SHA1
0e270aff2ce476c1645720bedb2340e4b33f20e7

SHA256
568ad8b14acc448ffc27bb7d23b25b796ac96b2515bea8e88dd6498455fd5a44

SHA512
415e12a6eef0aae24fe51b355e8f0265b7a38ab3dab482d9f7df60ea745a643c8ff7c85235cfc7660d1c2a512a586cf7007d6c278f9528b6ef05281f77b3c738

Download Submit
C:\Windupdt\winupdate.exe

Filesize
675KB

MD5
f4f6f76cf5e5b92644a42bb636f14e52

SHA1
6c07dcb86375ae7d4c2ce4f4120aab673ae19833

SHA256
1be648fb0abd5f1c4ebadae4e5ae166b8ac94ca78607eba9ad98ad15fef886ac

SHA512
c60ee40b613c52c2826fdf3fa1a24957fe7f9ea95d567f03f6031f3c26bd3acab59067f9260c17b774e903ac98a8ea13582c968ff994c7a6fc305bf893e35a5e

Download Submit
C:\Windupdt\winupdate.exe

Filesize
456KB

MD5
c7faed14ca97da17d3836a3696cca8dd

SHA1
966ae52178f600281a6ec7ef0cee06eff82fde6e

SHA256
32b9a8f8ab0b8ed44dbf357db9ff63cd71eb32faa15546c0fd61d6e3fdc1d7e7

SHA512
1661c64d8a42928d1ce0563ec26fb82b816bcad9ad172023a969bf8a0e62c291261cbac8b9fee3d12e285e80c42cc2663e45587f0c1954560803d4283da76834

Download Submit
C:\Windupdt\winupdate.exe

Filesize
431KB

MD5
77b6f4eb93fdd617d3d9fefcee5fb812

SHA1
48ed2884576a7c8d9ccf9d7d7131dda171d711c0

SHA256
024cca7eb46a9826a19a23ae45618e9fa37a54af8972bea27adc4dc0c677cdb5

SHA512
b68e0d7d8f06ac5e830ca391692effd4e5b8f2d54e33ac309728dd7c86464e3db92f471af075811cd9d739c85b87d8355a29510672d8e5df0a8b15b23bdf96bb

Download Submit
\Windupdt\winupdate.exe

Filesize
761KB

MD5
680e9c3f35d592e5bb67970823e35252

SHA1
02ee1040fba1b643d5d0e5ff9e5974269d6b8f66

SHA256
14a6bd1c424617202ef7c0c2fd0110be91aa582d729b094a6c7313d8ebaac21b

SHA512
8ba0c46e8582ae01e935e515e1100eb5f31f9fa82daea351ec41779cbc1ea40d62eea8ef832e84c9e4a8fc4001edd7df75c8ab06f89db7b052b6be78dc355bdf

Download Submit
\Windupdt\winupdate.exe

Filesize
335KB

MD5
715f9e96a92e1004399e0f30c8e7e6e3

SHA1
d24d25afe3b5e4a69b8d20cc580c41ce88161404

SHA256
36331534b7bf4963a358c154617cc4907ee77cbe7fd8589302a62de3ba550f5a

SHA512
1f39ad6d6f245ccf5c2632627365a2afd01949d952dd56660ebbd498f44cf96489a47738f318bab1bd17cf3f343c319a182b924274df6de72deccee6aece4a32

Download Submit
\Windupdt\winupdate.exe

Filesize
373KB

MD5
cbae3618fb43c384be9bce22b95367b9

SHA1
c03517109179e4b826e44a618ecc9ac243f9eaa8

SHA256
416a777bfa5e1916aec6df804539b9bc268ad5cb31dbae1a70c87af272a2a28f

SHA512
510de4581786bc2db3e747774a567f48054f219024c184462655c7b94b520580639e8b2ed82e73dec467439b61f66cd510a5b0a35fc26c05778c8f696f1fb0c9

Download Submit
\Windupdt\winupdate.exe

Filesize
378KB

MD5
a47b5c2e7982a8868ac400b093610e61

SHA1
841da483204b4f586d4b298a98615e6cd6c36c18

SHA256
ae0cde5cbcf0e0a5ba5a61a9c60857f2283aa749cf039994c8f322d9f96ba679

SHA512
dede5df2fbbf0ab12cc3e7069d195a19474ad16df261d899b2bc4cd28824cadc7e0b54bc0a21144a8aaa4165e267ebc90465b369bd602ddf05e0e94d83aa342a

Download Submit
\Windupdt\winupdate.exe

Filesize
375KB

MD5
113f49c723a56aeae6afa991c1e90571

SHA1
4361a0d85503f618c520ef1aa69088c7e72fcb23

SHA256
a7e6583bd87f52461076a4d9f11091d011455c3e7d8b7cce454667bc6ab6ed86

SHA512
dc9127bda2f88fe71641d3e43047f768ca97c16e03529f1644939a77d15907764c33e8830261ccdf6dec6f506abe0ec45625d7763535c952cd2a82671bd3edcb

Download Submit
\Windupdt\winupdate.exe

Filesize
333KB

MD5
680b12e4ba24ae6601e15b63f488aab0

SHA1
327add5473e4021eb84727d18f30d7246565ed60

SHA256
49c901af84842cdd8a5a16c5b07a9993a5a0f39e1439568766017b85868f6380

SHA512
0097caca1310caadafa9ca374706d785b6dd007c017da969008de5c75eaf43bea873ef653ed045c1598cf945e3d0e3cc5a0aacc27ac7e3900722a96a71451de2

Download Submit
\Windupdt\winupdate.exe

Filesize
252KB

MD5
624ee50756c60c65c89797753b7f6b20

SHA1
b627f79b1a5061380cfc02d8831fb47dd079b991

SHA256
7363054601b7cf705bc6c572bd503a79fe1d99af494a5c8f2e97bbc046793023

SHA512
ee74cd7dca5d76f41ec54b93335fd0831adda5033e0bed70f28823b100915556efb3fa4e7c1e77206f84740a7bb92e0379065b6b7e0cc756b4ca7a7ce5470af8

Download Submit
\Windupdt\winupdate.exe

Filesize
291KB

MD5
92c7ddcb60fbef409d3ac098f8906966

SHA1
02c3ca9f1bc043332bc6519e74bda407faf90478

SHA256
4ef84ee4d3311c14bad52f7e24ae6b637b3dcf7a54a4979573307d718b5d9828

SHA512
6d37ea37f548bacbd066c057630bff3ae7fa3ca37a83080a276784c0e8495c412da526c536a0b5a241ed72b7360699037ec8cd7ae48cc663e5cd6b32af9ebe93

Download Submit
memory/1108-10-0x0000000002150000-0x0000000002152000-memory.dmp

Filesize
8KB

Download
memory/1108-6-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1108-5-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1108-20-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1108-2-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1108-4-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1108-3-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2660-40-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2660-38-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2660-39-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2660-37-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2660-36-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2660-31-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2660-41-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2660-44-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2960-12-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2960-11-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/2960-43-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads