Overview

overview

10

Static

static

10

RAT/Adwind.jar

windows7-x64

1

RAT/Adwind.jar

windows10-2004-x64

10

RAT/Blackkomet.exe

windows7-x64

10

RAT/Blackkomet.exe

windows10-2004-x64

10

RAT/CobaltStrike.docm

windows7-x64

10

RAT/CobaltStrike.docm

windows10-2004-x64

10

RAT/CrimsonRAT.exe

windows7-x64

10

RAT/CrimsonRAT.exe

windows10-2004-x64

10

RAT/NJRat.exe

windows7-x64

10

RAT/NJRat.exe

windows10-2004-x64

10

RAT/NetWire.doc

windows7-x64

10

RAT/NetWire.doc

windows10-2004-x64

7

RAT/NetWire.exe

windows7-x64

10

RAT/NetWire.exe

windows10-2004-x64

10

RAT/Remcos.exe

windows7-x64

10

RAT/Remcos.exe

windows10-2004-x64

10

RAT/RevengeRAT.exe

windows7-x64

10

RAT/RevengeRAT.exe

windows10-2004-x64

10

RAT/VanToM-Rat.exe

windows7-x64

7

RAT/VanToM-Rat.exe

windows10-2004-x64

7

RAT/WarzoneRAT.exe

windows7-x64

10

RAT/WarzoneRAT.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-03-2024 01:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RAT/Blackkomet.exe

  • Size

    756KB

  • MD5

    c7dcd585b7e8b046f209052bcd6dd84b

  • SHA1

    604dcfae9eed4f65c80a4a39454db409291e08fa

  • SHA256

    0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

  • SHA512

    c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

  • SSDEEP

    12288:XOANXryu1S69QwWBIlVi4o858nFBKgmvtOwUATgDQ3:eANOCS6qwWB0V5o8mnqvtrdgDQ3

Score
10/10
darkcometevasionpersistencerattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Sets file to hidden 1 TTPs 20 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 20 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\RAT\Blackkomet.exe
    "C:\Users\Admin\AppData\Local\Temp\RAT\Blackkomet.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      PID:2240
    • C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\RAT\Blackkomet.exe" +s +h
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:1000
    • C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\RAT" +s +h
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:4572
    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • Adds Run key to start application
        • Drops file in System32 directory
        PID:2760
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        3⤵
        • Sets file to hidden
        • Drops file in System32 directory
        • Views/modifies file attributes
        PID:1568
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        3⤵
        • Sets file to hidden
        • Drops file in System32 directory
        • Views/modifies file attributes
        PID:64
      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
        "C:\Windows\system32\Windupdt\winupdate.exe"
        3⤵
          PID:1144
          • C:\Windows\SysWOW64\notepad.exe
            notepad
            4⤵
              PID:3080
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
              4⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:2092
            • C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Windows\SysWOW64\Windupdt" +s +h
              4⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:4668
            • C:\Windows\SysWOW64\Windupdt\winupdate.exe
              "C:\Windows\system32\Windupdt\winupdate.exe"
              4⤵
                PID:4436
                • C:\Windows\SysWOW64\notepad.exe
                  notepad
                  5⤵
                    PID:728
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                    5⤵
                    • Sets file to hidden
                    • Views/modifies file attributes
                    PID:620
                  • C:\Windows\SysWOW64\attrib.exe
                    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                    5⤵
                    • Sets file to hidden
                    • Views/modifies file attributes
                    PID:4976
                  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                    "C:\Windows\system32\Windupdt\winupdate.exe"
                    5⤵
                      PID:4776
                      • C:\Windows\SysWOW64\notepad.exe
                        notepad
                        6⤵
                          PID:928
                        • C:\Windows\SysWOW64\attrib.exe
                          attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                          6⤵
                          • Sets file to hidden
                          • Views/modifies file attributes
                          PID:3224
                        • C:\Windows\SysWOW64\attrib.exe
                          attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                          6⤵
                          • Sets file to hidden
                          • Views/modifies file attributes
                          PID:4204
                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                          "C:\Windows\system32\Windupdt\winupdate.exe"
                          6⤵
                            PID:4720
                            • C:\Windows\SysWOW64\notepad.exe
                              notepad
                              7⤵
                                PID:3048
                              • C:\Windows\SysWOW64\attrib.exe
                                attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                7⤵
                                • Sets file to hidden
                                • Views/modifies file attributes
                                PID:768
                              • C:\Windows\SysWOW64\attrib.exe
                                attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                7⤵
                                • Sets file to hidden
                                • Views/modifies file attributes
                                PID:4256
                              • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                "C:\Windows\system32\Windupdt\winupdate.exe"
                                7⤵
                                  PID:1000
                                  • C:\Windows\SysWOW64\notepad.exe
                                    notepad
                                    8⤵
                                      PID:4824
                                    • C:\Windows\SysWOW64\attrib.exe
                                      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                      8⤵
                                      • Sets file to hidden
                                      • Views/modifies file attributes
                                      PID:424
                                    • C:\Windows\SysWOW64\attrib.exe
                                      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                      8⤵
                                      • Sets file to hidden
                                      • Views/modifies file attributes
                                      PID:3176
                                    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                      "C:\Windows\system32\Windupdt\winupdate.exe"
                                      8⤵
                                        PID:1296
                                        • C:\Windows\SysWOW64\notepad.exe
                                          notepad
                                          9⤵
                                            PID:64
                                          • C:\Windows\SysWOW64\attrib.exe
                                            attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                            9⤵
                                            • Sets file to hidden
                                            • Views/modifies file attributes
                                            PID:1292
                                          • C:\Windows\SysWOW64\attrib.exe
                                            attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                            9⤵
                                            • Sets file to hidden
                                            • Views/modifies file attributes
                                            PID:2212
                                          • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                            "C:\Windows\system32\Windupdt\winupdate.exe"
                                            9⤵
                                              PID:1176
                                              • C:\Windows\SysWOW64\notepad.exe
                                                notepad
                                                10⤵
                                                  PID:4980
                                                • C:\Windows\SysWOW64\attrib.exe
                                                  attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                                  10⤵
                                                  • Sets file to hidden
                                                  • Views/modifies file attributes
                                                  PID:1488
                                                • C:\Windows\SysWOW64\attrib.exe
                                                  attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                                  10⤵
                                                  • Sets file to hidden
                                                  • Views/modifies file attributes
                                                  PID:3344
                                                • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                  "C:\Windows\system32\Windupdt\winupdate.exe"
                                                  10⤵
                                                    PID:1052
                                                    • C:\Windows\SysWOW64\notepad.exe
                                                      notepad
                                                      11⤵
                                                        PID:2356
                                                      • C:\Windows\SysWOW64\attrib.exe
                                                        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
                                                        11⤵
                                                        • Sets file to hidden
                                                        • Views/modifies file attributes
                                                        PID:4308
                                                      • C:\Windows\SysWOW64\attrib.exe
                                                        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
                                                        11⤵
                                                        • Sets file to hidden
                                                        • Views/modifies file attributes
                                                        PID:4192
                                                      • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                        "C:\Windows\system32\Windupdt\winupdate.exe"
                                                        11⤵
                                                          PID:3528
                                                        • C:\Windows\SysWOW64\notepad.exe
                                                          C:\Windows\SysWOW64\notepad.exe
                                                          11⤵
                                                            PID:4776
                                                        • C:\Windows\SysWOW64\notepad.exe
                                                          C:\Windows\SysWOW64\notepad.exe
                                                          10⤵
                                                            PID:2660
                                                        • C:\Windows\SysWOW64\notepad.exe
                                                          C:\Windows\SysWOW64\notepad.exe
                                                          9⤵
                                                            PID:4724
                                                        • C:\Windows\SysWOW64\notepad.exe
                                                          C:\Windows\SysWOW64\notepad.exe
                                                          8⤵
                                                            PID:4316
                                                        • C:\Windows\SysWOW64\notepad.exe
                                                          C:\Windows\SysWOW64\notepad.exe
                                                          7⤵
                                                            PID:4016
                                                        • C:\Windows\SysWOW64\notepad.exe
                                                          C:\Windows\SysWOW64\notepad.exe
                                                          6⤵
                                                            PID:4808
                                                        • C:\Windows\SysWOW64\notepad.exe
                                                          C:\Windows\SysWOW64\notepad.exe
                                                          5⤵
                                                            PID:3848
                                                        • C:\Windows\SysWOW64\notepad.exe
                                                          C:\Windows\SysWOW64\notepad.exe
                                                          4⤵
                                                            PID:4396
                                                        • C:\Windows\SysWOW64\notepad.exe
                                                          C:\Windows\SysWOW64\notepad.exe
                                                          3⤵
                                                            PID:3460
                                                        • C:\Windows\SysWOW64\notepad.exe
                                                          C:\Windows\SysWOW64\notepad.exe
                                                          2⤵
                                                            PID:1176

                                                        Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads

                                                        • C:\Windows\SysWOW64\Windupdt\winupdate.exe
                                                          Filesize

                                                          756KB

                                                          MD5

                                                          c7dcd585b7e8b046f209052bcd6dd84b

                                                          SHA1

                                                          604dcfae9eed4f65c80a4a39454db409291e08fa

                                                          SHA256

                                                          0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

                                                          SHA512

                                                          c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

                                                          Download Submit

                                                        • memory/1000-65-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/1000-68-0x0000000013140000-0x000000001320F000-memory.dmp

                                                          Filesize

                                                          828KB

                                                          Download

                                                        • memory/1052-80-0x0000000002100000-0x0000000002101000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/1144-44-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/1144-48-0x0000000013140000-0x000000001320F000-memory.dmp

                                                          Filesize

                                                          828KB

                                                          Download

                                                        • memory/1176-35-0x0000000000F40000-0x0000000000F41000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/1176-78-0x0000000013140000-0x000000001320F000-memory.dmp

                                                          Filesize

                                                          828KB

                                                          Download

                                                        • memory/1176-75-0x0000000000700000-0x0000000000701000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/1296-73-0x0000000013140000-0x000000001320F000-memory.dmp

                                                          Filesize

                                                          828KB

                                                          Download

                                                        • memory/1296-70-0x00000000006E0000-0x00000000006E1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/2240-2-0x0000000000510000-0x0000000000511000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/2400-37-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/2400-42-0x0000000013140000-0x000000001320F000-memory.dmp

                                                          Filesize

                                                          828KB

                                                          Download

                                                        • memory/2848-0-0x00000000021F0000-0x00000000021F1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/2848-38-0x0000000013140000-0x000000001320F000-memory.dmp

                                                          Filesize

                                                          828KB

                                                          Download

                                                        • memory/4436-53-0x0000000013140000-0x000000001320F000-memory.dmp

                                                          Filesize

                                                          828KB

                                                          Download

                                                        • memory/4436-50-0x0000000001F00000-0x0000000001F01000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/4720-64-0x0000000013140000-0x000000001320F000-memory.dmp

                                                          Filesize

                                                          828KB

                                                          Download

                                                        • memory/4720-60-0x0000000000590000-0x0000000000591000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download

                                                        • memory/4776-58-0x0000000013140000-0x000000001320F000-memory.dmp

                                                          Filesize

                                                          828KB

                                                          Download

                                                        • memory/4776-55-0x0000000002090000-0x0000000002091000-memory.dmp

                                                          Filesize

                                                          4KB

                                                          Download