darkcomet | 7a4255ae6f3b241f21c3c85beb25988e665c03675ce8c932e22903973cb6b79f

Analysis

max time kernel
12s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DarkComet.exe
Size

8.2MB
MD5

c6641cb74bdd9e7f003dc6c9e67e1cab
SHA1

5251c38bfcc670befbb9f8bf77df70edd96ab07b
SHA256

cc38b7bb164fefe0d0d71a17cb09fb055b1cc14c2793ffa6341f70a7425fb249
SHA512

daba3b53a0fa0f0018d259364dfb5a417b00d9ff9688ca38a006a3cfa1ef9e86b4aadb70c444ed14944467024546570367324f71ce100deaaf3f39598ba2e874
SSDEEP

196608:z/pm75SOeWhEbgEpO2QfUG/f5rVcPU/YKdoAVY5pBoEOFD:51/UgQ/9VcPUJBSROl

Score

10^/10

darkcomet xworm discovery execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

Version

3.0

Attributes

Install_directory
%Public%
install_file
Utilman.exe
pastebin_url
https://pastebin.com/raw/LqnQsuPh
telegram
https://api.telegram.org/bot7737805452:AAF8gLCy7lakGIkiT8m22TUsfVQMxjiM1wE/sendMessage?chat_id=7044899953

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016de9-19.dat	family_xworm
behavioral1/memory/2696-21-0x0000000001240000-0x0000000001258000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2544	powershell.exe
1844	powershell.exe
1252	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
540	exe.exe
2332	dc.exe
2696	Utilman.exe

Loads dropped DLL 2 IoCs

pid	Process
1236	DarkComet.exe
1236	DarkComet.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkComet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2708	PING.EXE
2096	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2708	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2544	powershell.exe
1844	powershell.exe
1252	powershell.exe
2696	Utilman.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	Utilman.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2696	Utilman.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2696	Utilman.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 540	1236	DarkComet.exe	31
PID 1236 wrote to memory of 540	1236	DarkComet.exe	31
PID 1236 wrote to memory of 540	1236	DarkComet.exe	31
PID 1236 wrote to memory of 540	1236	DarkComet.exe	31
PID 1236 wrote to memory of 2332	1236	DarkComet.exe	32
PID 1236 wrote to memory of 2332	1236	DarkComet.exe	32
PID 1236 wrote to memory of 2332	1236	DarkComet.exe	32
PID 1236 wrote to memory of 2332	1236	DarkComet.exe	32
PID 1236 wrote to memory of 2096	1236	DarkComet.exe	33
PID 1236 wrote to memory of 2096	1236	DarkComet.exe	33
PID 1236 wrote to memory of 2096	1236	DarkComet.exe	33
PID 1236 wrote to memory of 2096	1236	DarkComet.exe	33
PID 540 wrote to memory of 2696	540	exe.exe	35
PID 540 wrote to memory of 2696	540	exe.exe	35
PID 540 wrote to memory of 2696	540	exe.exe	35
PID 2096 wrote to memory of 2708	2096	cmd.exe	36
PID 2096 wrote to memory of 2708	2096	cmd.exe	36
PID 2096 wrote to memory of 2708	2096	cmd.exe	36
PID 2096 wrote to memory of 2708	2096	cmd.exe	36
PID 2696 wrote to memory of 2544	2696	Utilman.exe	38
PID 2696 wrote to memory of 2544	2696	Utilman.exe	38
PID 2696 wrote to memory of 2544	2696	Utilman.exe	38
PID 2696 wrote to memory of 1844	2696	Utilman.exe	40
PID 2696 wrote to memory of 1844	2696	Utilman.exe	40
PID 2696 wrote to memory of 1844	2696	Utilman.exe	40
PID 2696 wrote to memory of 1252	2696	Utilman.exe	42
PID 2696 wrote to memory of 1252	2696	Utilman.exe	42
PID 2696 wrote to memory of 1252	2696	Utilman.exe	42
PID 2696 wrote to memory of 2800	2696	Utilman.exe	44
PID 2696 wrote to memory of 2800	2696	Utilman.exe	44
PID 2696 wrote to memory of 2800	2696	Utilman.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DarkComet.exe
"C:\Users\Admin\AppData\Local\Temp\DarkComet.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\exe.exe
  "C:\Users\Admin\AppData\Local\Temp\exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\Utilman.exe
    "C:\Users\Admin\AppData\Local\Temp\Utilman.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Utilman.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Utilman.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Utilman.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1252
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Utilman" /tr "C:\Users\Public\Utilman.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2800
- C:\Users\Admin\AppData\Local\Temp\dc.exe
  "C:\Users\Admin\AppData\Local\Temp\dc.exe"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\Admin\AppData\Local\Temp\dc.exe" "C:\Users\Admin\AppData\Local\Temp\DarkComet.exe" >> NUL
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Utilman.exe

Filesize
75KB

MD5
c42a461d499e77fc64a3dafa3257bbd1

SHA1
983ad2a668a6288c158de07542d82bb6bb970ff7

SHA256
eb89c38989c24b4c08c14a8bffd518366955a14c9fefc3f63fb9397585b6e166

SHA512
369608c993d61dfdbed03c7820811b8062b52a5c6f81bcd745cef200959cd325425d777a8bd11e7300106b36b70d945845e8e2f1df9cfcfb8dad85ef67dff051

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f317d390fc3e3beb405d83438d64dbf7

SHA1
5b13bdc3f65c86c5649f1eaf888fd34664deecda

SHA256
508ed573f8d9cd543013247cbd5b1a7288918a8eab6765b473c565d5653da323

SHA512
aaa4c555413538d90e2cfa8e6e483a6a83990e407128b8efaa109501a22a0375b2ff7a74b7cd110524cf773bf54d99925df61e2ba45f34e5a2505808a38e229b

Download Submit
\Users\Admin\AppData\Local\Temp\dc.exe

Filesize
11.3MB

MD5
d761f3aa64064a706a521ba14d0f8741

SHA1
ab7382bcfdf494d0327fccce9c884592bcc1adeb

SHA256
21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6

SHA512
d2274c03f805a5cd62104492e154fc225c3f6997091accb2f4bff165308fc82ba0d9adf185ec744222bcb4ece08d1ba754a35a2d88c10c5743f4d2e66494377f

Download Submit
\Users\Admin\AppData\Local\Temp\exe.exe

Filesize
255KB

MD5
95d3044c971365f4d5db6bc22c640782

SHA1
856324404d13836d967961fed6e4a250f5e5532c

SHA256
c73e816a2aa5841c53e1ace023a75045ef8dfd5b26cc2fda2baa824dbe9f0ea3

SHA512
9358c8165a13fe8fbe22e151fcd5a3d4a20f1a68cf2f11c6d015808f3d95acd122599d46e7aab47614134c850fba7900bc1bcc5ded8dc10e237f8d1004ed3fc9

Download Submit
memory/540-7-0x000007FEF5BE3000-0x000007FEF5BE4000-memory.dmp

Filesize
4KB

Download
memory/540-11-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/1844-37-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1844-38-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2332-25-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/2544-30-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2544-31-0x0000000001C80000-0x0000000001C88000-memory.dmp

Filesize
32KB

Download
memory/2696-21-0x0000000001240000-0x0000000001258000-memory.dmp

Filesize
96KB

Download