darkcomet | f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe
Size

520KB
MD5

fd70e2db35cfb4f56df1dd49f0846190
SHA1

3c398665ec66a57c213d82ffb53c41cc6574007c
SHA256

f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967
SHA512

edad6a9a96075f8eaf672373617876ae79911fb55ee311864e7556d4f12de038e0da879c91f37ecdff7e18db48e56ecec94d4c5c607b190d817c0746b452b217
SSDEEP

6144:f9GGo2CwtGg6eeihEfph2CMvvqqSaYwpncOeC66AOa0aFtVEQfTo1ozVqMbF:f9fC3hh29Ya77A90aFtDfT5IMbF

Score

10^/10

darkcomet privateeye discovery rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

PrivateEye

ratblackshades.no-ip.biz:1604

Mutex

DC_MUTEX-ACC1R98

Attributes

gencode
8GG5LVVGljSF
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 3 IoCs

Processes:

winupd.exewinupd.exewinupd.exe

pid	Process
4732	winupd.exe
3912	winupd.exe
1496	winupd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exewinupd.exe

description	pid	Process	procid_target
PID 224 set thread context of 4628	224	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe	94
PID 4732 set thread context of 3912	4732	winupd.exe	99
PID 4732 set thread context of 1496	4732	winupd.exe	100

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1496-36-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-37-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-40-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-39-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-31-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-41-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-42-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-45-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-46-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-47-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-48-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-49-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-50-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-51-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-52-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-53-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-54-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-55-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-56-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1496-57-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4780	3172	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exef4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exewinupd.exewinupd.exewinupd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exe

pid	Process
3172	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

winupd.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1496	winupd.exe
Token: SeSecurityPrivilege	1496	winupd.exe
Token: SeTakeOwnershipPrivilege	1496	winupd.exe
Token: SeLoadDriverPrivilege	1496	winupd.exe
Token: SeSystemProfilePrivilege	1496	winupd.exe
Token: SeSystemtimePrivilege	1496	winupd.exe
Token: SeProfSingleProcessPrivilege	1496	winupd.exe
Token: SeIncBasePriorityPrivilege	1496	winupd.exe
Token: SeCreatePagefilePrivilege	1496	winupd.exe
Token: SeBackupPrivilege	1496	winupd.exe
Token: SeRestorePrivilege	1496	winupd.exe
Token: SeShutdownPrivilege	1496	winupd.exe
Token: SeDebugPrivilege	1496	winupd.exe
Token: SeSystemEnvironmentPrivilege	1496	winupd.exe
Token: SeChangeNotifyPrivilege	1496	winupd.exe
Token: SeRemoteShutdownPrivilege	1496	winupd.exe
Token: SeUndockPrivilege	1496	winupd.exe
Token: SeManageVolumePrivilege	1496	winupd.exe
Token: SeImpersonatePrivilege	1496	winupd.exe
Token: SeCreateGlobalPrivilege	1496	winupd.exe
Token: 33	1496	winupd.exe
Token: 34	1496	winupd.exe
Token: 35	1496	winupd.exe
Token: 36	1496	winupd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exef4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exewinupd.exewinupd.exewinupd.exe

pid	Process
224	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe
4628	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe
4732	winupd.exe
3912	winupd.exe
1496	winupd.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exef4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exewinupd.exewinupd.exe

description	pid	Process	procid_target
PID 224 wrote to memory of 4628	224	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe	94
PID 224 wrote to memory of 4628	224	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe	94
PID 224 wrote to memory of 4628	224	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe	94
PID 224 wrote to memory of 4628	224	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe	94
PID 224 wrote to memory of 4628	224	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe	94
PID 224 wrote to memory of 4628	224	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe	94
PID 224 wrote to memory of 4628	224	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe	94
PID 224 wrote to memory of 4628	224	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe	94
PID 4628 wrote to memory of 4732	4628	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe	95
PID 4628 wrote to memory of 4732	4628	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe	95
PID 4628 wrote to memory of 4732	4628	f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe	95
PID 4732 wrote to memory of 3912	4732	winupd.exe	99
PID 4732 wrote to memory of 3912	4732	winupd.exe	99
PID 4732 wrote to memory of 3912	4732	winupd.exe	99
PID 4732 wrote to memory of 3912	4732	winupd.exe	99
PID 4732 wrote to memory of 3912	4732	winupd.exe	99
PID 4732 wrote to memory of 3912	4732	winupd.exe	99
PID 4732 wrote to memory of 3912	4732	winupd.exe	99
PID 4732 wrote to memory of 3912	4732	winupd.exe	99
PID 4732 wrote to memory of 1496	4732	winupd.exe	100
PID 4732 wrote to memory of 1496	4732	winupd.exe	100
PID 4732 wrote to memory of 1496	4732	winupd.exe	100
PID 4732 wrote to memory of 1496	4732	winupd.exe	100
PID 4732 wrote to memory of 1496	4732	winupd.exe	100
PID 4732 wrote to memory of 1496	4732	winupd.exe	100
PID 4732 wrote to memory of 1496	4732	winupd.exe	100
PID 4732 wrote to memory of 1496	4732	winupd.exe	100
PID 3912 wrote to memory of 3172	3912	winupd.exe	101
PID 3912 wrote to memory of 3172	3912	winupd.exe	101
PID 3912 wrote to memory of 3172	3912	winupd.exe	101
PID 3912 wrote to memory of 3172	3912	winupd.exe	101
PID 3912 wrote to memory of 3172	3912	winupd.exe	101

C:\Users\Admin\AppData\Local\Temp\f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe
"C:\Users\Admin\AppData\Local\Temp\f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe
  "C:\Users\Admin\AppData\Local\Temp\f4ea9fff1bf1a064e7101035b0dd4e6a3c6b7b1ce2c88e569fb653a34f63d967N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\system32\ipconfig.exe"
        5⤵
        Gathers network information
        
        PID:3172
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 272
        6⤵
        Program crash
        
        PID:4780
  - - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3172 -ip 3172
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

Filesize
520KB

MD5
4dd635b7c6a2511a76ce067ba830b276

SHA1
4d6c7a53983c5742947ac28cd656f5c9fe62eaa0

SHA256
2866dec78d0cb1a6c14200f05887cecbf8e49c727c0055de416f4d893a3bbd1d

SHA512
c79b1c0a87fd4a2a2c709b55fc9a06d930aa9fba27d6a16b654b42fa3d905d4b328a327256dde455d974aec49afadb0b10a613e6f24fdf80bc3caddeea3ca1bc

Download Submit
memory/224-3-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/224-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/224-8-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/224-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/224-6-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1496-36-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-31-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-57-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-55-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-54-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-53-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-51-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-39-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-52-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-56-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-41-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-42-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-50-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-45-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-46-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-47-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-48-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1496-49-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3912-43-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4628-21-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4628-22-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4628-4-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4628-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4732-38-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4732-24-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4732-27-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download