darkcomet | 7a4255ae6f3b241f21c3c85beb25988e665c03675ce8c932e22903973cb6b79f

Analysis

max time kernel
147s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DarkComet.exe
Size

8.2MB
MD5

c6641cb74bdd9e7f003dc6c9e67e1cab
SHA1

5251c38bfcc670befbb9f8bf77df70edd96ab07b
SHA256

cc38b7bb164fefe0d0d71a17cb09fb055b1cc14c2793ffa6341f70a7425fb249
SHA512

daba3b53a0fa0f0018d259364dfb5a417b00d9ff9688ca38a006a3cfa1ef9e86b4aadb70c444ed14944467024546570367324f71ce100deaaf3f39598ba2e874
SSDEEP

196608:z/pm75SOeWhEbgEpO2QfUG/f5rVcPU/YKdoAVY5pBoEOFD:51/UgQ/9VcPUJBSROl

Score

10^/10

darkcomet xworm discovery execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

Version

3.0

Attributes

Install_directory
%Public%
install_file
Utilman.exe
pastebin_url
https://pastebin.com/raw/LqnQsuPh
telegram
https://api.telegram.org/bot7737805452:AAF8gLCy7lakGIkiT8m22TUsfVQMxjiM1wE/sendMessage?chat_id=7044899953

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016ace-21.dat	family_xworm
behavioral1/memory/1076-24-0x0000000000F30000-0x0000000000F48000-memory.dmp	family_xworm
behavioral1/memory/2008-49-0x0000000001300000-0x0000000001318000-memory.dmp	family_xworm
behavioral1/memory/2504-51-0x0000000000290000-0x00000000002A8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1524	powershell.exe
2460	powershell.exe
1780	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2944	exe.exe
2440	dc.exe
1076	Utilman.exe
2008	Utilman.exe
2504	Utilman.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	DarkComet.exe
2128	DarkComet.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkComet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2880	cmd.exe
2656	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2656	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1780	powershell.exe
1524	powershell.exe
2460	powershell.exe
1076	Utilman.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	Utilman.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1076	Utilman.exe
Token: SeDebugPrivilege	2008	Utilman.exe
Token: SeDebugPrivilege	2504	Utilman.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1076	Utilman.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2944	2128	DarkComet.exe	30
PID 2128 wrote to memory of 2944	2128	DarkComet.exe	30
PID 2128 wrote to memory of 2944	2128	DarkComet.exe	30
PID 2128 wrote to memory of 2944	2128	DarkComet.exe	30
PID 2128 wrote to memory of 2440	2128	DarkComet.exe	31
PID 2128 wrote to memory of 2440	2128	DarkComet.exe	31
PID 2128 wrote to memory of 2440	2128	DarkComet.exe	31
PID 2128 wrote to memory of 2440	2128	DarkComet.exe	31
PID 2128 wrote to memory of 2880	2128	DarkComet.exe	32
PID 2128 wrote to memory of 2880	2128	DarkComet.exe	32
PID 2128 wrote to memory of 2880	2128	DarkComet.exe	32
PID 2128 wrote to memory of 2880	2128	DarkComet.exe	32
PID 2880 wrote to memory of 2656	2880	cmd.exe	34
PID 2880 wrote to memory of 2656	2880	cmd.exe	34
PID 2880 wrote to memory of 2656	2880	cmd.exe	34
PID 2880 wrote to memory of 2656	2880	cmd.exe	34
PID 2944 wrote to memory of 1076	2944	exe.exe	35
PID 2944 wrote to memory of 1076	2944	exe.exe	35
PID 2944 wrote to memory of 1076	2944	exe.exe	35
PID 1076 wrote to memory of 1780	1076	Utilman.exe	37
PID 1076 wrote to memory of 1780	1076	Utilman.exe	37
PID 1076 wrote to memory of 1780	1076	Utilman.exe	37
PID 1076 wrote to memory of 1524	1076	Utilman.exe	39
PID 1076 wrote to memory of 1524	1076	Utilman.exe	39
PID 1076 wrote to memory of 1524	1076	Utilman.exe	39
PID 1076 wrote to memory of 2460	1076	Utilman.exe	41
PID 1076 wrote to memory of 2460	1076	Utilman.exe	41
PID 1076 wrote to memory of 2460	1076	Utilman.exe	41
PID 1076 wrote to memory of 2368	1076	Utilman.exe	43
PID 1076 wrote to memory of 2368	1076	Utilman.exe	43
PID 1076 wrote to memory of 2368	1076	Utilman.exe	43
PID 1320 wrote to memory of 2008	1320	taskeng.exe	46
PID 1320 wrote to memory of 2008	1320	taskeng.exe	46
PID 1320 wrote to memory of 2008	1320	taskeng.exe	46
PID 1320 wrote to memory of 2504	1320	taskeng.exe	47
PID 1320 wrote to memory of 2504	1320	taskeng.exe	47
PID 1320 wrote to memory of 2504	1320	taskeng.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DarkComet.exe
"C:\Users\Admin\AppData\Local\Temp\DarkComet.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\exe.exe
  "C:\Users\Admin\AppData\Local\Temp\exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\Utilman.exe
    "C:\Users\Admin\AppData\Local\Temp\Utilman.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Utilman.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Utilman.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Utilman.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2460
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Utilman" /tr "C:\Users\Public\Utilman.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2368
- C:\Users\Admin\AppData\Local\Temp\dc.exe
  "C:\Users\Admin\AppData\Local\Temp\dc.exe"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\Admin\AppData\Local\Temp\dc.exe" "C:\Users\Admin\AppData\Local\Temp\DarkComet.exe" >> NUL
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2656

C:\Windows\system32\taskeng.exe
taskeng.exe {BD2F2E0C-8F20-4B16-8021-D4EB126CF9BA} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Public\Utilman.exe
  C:\Users\Public\Utilman.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Users\Public\Utilman.exe
  C:\Users\Public\Utilman.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Utilman.exe

Filesize
75KB

MD5
c42a461d499e77fc64a3dafa3257bbd1

SHA1
983ad2a668a6288c158de07542d82bb6bb970ff7

SHA256
eb89c38989c24b4c08c14a8bffd518366955a14c9fefc3f63fb9397585b6e166

SHA512
369608c993d61dfdbed03c7820811b8062b52a5c6f81bcd745cef200959cd325425d777a8bd11e7300106b36b70d945845e8e2f1df9cfcfb8dad85ef67dff051

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3e07654a8aad24fb6180632e2b95144b

SHA1
0b9906e0209f2a759c5058f9bf818cac07083be0

SHA256
6592fcc24217e981bb78d894dd5f0ba5866821c53a884bd229ee7b47ea27f10e

SHA512
c77b3ae2b4ba619ec9cde1388730ad0b2a04365c463c361d5431d72dc5c26b2ef7a050dffe5835c235a755f5fb6aac58aa8ba7ea7bb15df3c90a81844e366c26

Download Submit
\Users\Admin\AppData\Local\Temp\dc.exe

Filesize
11.3MB

MD5
d761f3aa64064a706a521ba14d0f8741

SHA1
ab7382bcfdf494d0327fccce9c884592bcc1adeb

SHA256
21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6

SHA512
d2274c03f805a5cd62104492e154fc225c3f6997091accb2f4bff165308fc82ba0d9adf185ec744222bcb4ece08d1ba754a35a2d88c10c5743f4d2e66494377f

Download Submit
\Users\Admin\AppData\Local\Temp\exe.exe

Filesize
255KB

MD5
95d3044c971365f4d5db6bc22c640782

SHA1
856324404d13836d967961fed6e4a250f5e5532c

SHA256
c73e816a2aa5841c53e1ace023a75045ef8dfd5b26cc2fda2baa824dbe9f0ea3

SHA512
9358c8165a13fe8fbe22e151fcd5a3d4a20f1a68cf2f11c6d015808f3d95acd122599d46e7aab47614134c850fba7900bc1bcc5ded8dc10e237f8d1004ed3fc9

Download Submit
memory/1076-24-0x0000000000F30000-0x0000000000F48000-memory.dmp

Filesize
96KB

Download
memory/1524-38-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1524-37-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/1780-30-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/1780-31-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2008-49-0x0000000001300000-0x0000000001318000-memory.dmp

Filesize
96KB

Download
memory/2440-25-0x0000000000400000-0x0000000000F67000-memory.dmp

Filesize
11.4MB

Download
memory/2504-51-0x0000000000290000-0x00000000002A8000-memory.dmp

Filesize
96KB

Download
memory/2944-15-0x0000000000A00000-0x0000000000A44000-memory.dmp

Filesize
272KB

Download
memory/2944-12-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download