darkcomet | c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d

Analysis

max time kernel
120s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe
Size

520KB
MD5

c11cdd2f63aa1ab1b2614dea9a8598fc
SHA1

d295e15983a547806c945148b9042d8c8f62ed39
SHA256

c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d
SHA512

e8c5015d0866805756540e03bf3bef3cd51d9364e48a52bfda3bbc5ad74e791d0437ac0f360b7f2ec44cc578a9214d14b135443a2e7caf715e99b9315cdf0951
SSDEEP

6144:f9GGo2CwtGg6eeihEfph2CMvvqqSaYwpncOeC66AOa0aFtVEQfTo1ozVqMbh:f9fC3hh29Ya77A90aFtDfT5IMbh

Score

10^/10

darkcomet privateeye discovery rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

PrivateEye

ratblackshades.no-ip.biz:1604

Mutex

DC_MUTEX-ACC1R98

Attributes

gencode
8GG5LVVGljSF
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 3 IoCs

pid	Process
808	winupd.exe
1816	winupd.exe
4852	winupd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4128 set thread context of 5068	4128	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe	90
PID 808 set thread context of 1816	808	winupd.exe	98
PID 808 set thread context of 4852	808	winupd.exe	99

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4852-29-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-38-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-39-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-40-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-37-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-42-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-41-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-45-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-46-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-47-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-48-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-49-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-50-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-51-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-52-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-53-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4852-54-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1412	116	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
116	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4852	winupd.exe
Token: SeSecurityPrivilege	4852	winupd.exe
Token: SeTakeOwnershipPrivilege	4852	winupd.exe
Token: SeLoadDriverPrivilege	4852	winupd.exe
Token: SeSystemProfilePrivilege	4852	winupd.exe
Token: SeSystemtimePrivilege	4852	winupd.exe
Token: SeProfSingleProcessPrivilege	4852	winupd.exe
Token: SeIncBasePriorityPrivilege	4852	winupd.exe
Token: SeCreatePagefilePrivilege	4852	winupd.exe
Token: SeBackupPrivilege	4852	winupd.exe
Token: SeRestorePrivilege	4852	winupd.exe
Token: SeShutdownPrivilege	4852	winupd.exe
Token: SeDebugPrivilege	4852	winupd.exe
Token: SeSystemEnvironmentPrivilege	4852	winupd.exe
Token: SeChangeNotifyPrivilege	4852	winupd.exe
Token: SeRemoteShutdownPrivilege	4852	winupd.exe
Token: SeUndockPrivilege	4852	winupd.exe
Token: SeManageVolumePrivilege	4852	winupd.exe
Token: SeImpersonatePrivilege	4852	winupd.exe
Token: SeCreateGlobalPrivilege	4852	winupd.exe
Token: 33	4852	winupd.exe
Token: 34	4852	winupd.exe
Token: 35	4852	winupd.exe
Token: 36	4852	winupd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4128	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe
5068	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe
808	winupd.exe
1816	winupd.exe
4852	winupd.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 5068	4128	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe	90
PID 4128 wrote to memory of 5068	4128	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe	90
PID 4128 wrote to memory of 5068	4128	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe	90
PID 4128 wrote to memory of 5068	4128	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe	90
PID 4128 wrote to memory of 5068	4128	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe	90
PID 4128 wrote to memory of 5068	4128	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe	90
PID 4128 wrote to memory of 5068	4128	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe	90
PID 4128 wrote to memory of 5068	4128	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe	90
PID 5068 wrote to memory of 808	5068	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe	91
PID 5068 wrote to memory of 808	5068	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe	91
PID 5068 wrote to memory of 808	5068	c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe	91
PID 808 wrote to memory of 1816	808	winupd.exe	98
PID 808 wrote to memory of 1816	808	winupd.exe	98
PID 808 wrote to memory of 1816	808	winupd.exe	98
PID 808 wrote to memory of 1816	808	winupd.exe	98
PID 808 wrote to memory of 1816	808	winupd.exe	98
PID 808 wrote to memory of 1816	808	winupd.exe	98
PID 808 wrote to memory of 1816	808	winupd.exe	98
PID 808 wrote to memory of 1816	808	winupd.exe	98
PID 808 wrote to memory of 4852	808	winupd.exe	99
PID 808 wrote to memory of 4852	808	winupd.exe	99
PID 808 wrote to memory of 4852	808	winupd.exe	99
PID 808 wrote to memory of 4852	808	winupd.exe	99
PID 808 wrote to memory of 4852	808	winupd.exe	99
PID 808 wrote to memory of 4852	808	winupd.exe	99
PID 808 wrote to memory of 4852	808	winupd.exe	99
PID 808 wrote to memory of 4852	808	winupd.exe	99
PID 1816 wrote to memory of 116	1816	winupd.exe	100
PID 1816 wrote to memory of 116	1816	winupd.exe	100
PID 1816 wrote to memory of 116	1816	winupd.exe	100
PID 1816 wrote to memory of 116	1816	winupd.exe	100
PID 1816 wrote to memory of 116	1816	winupd.exe	100

C:\Users\Admin\AppData\Local\Temp\c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe
"C:\Users\Admin\AppData\Local\Temp\c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe
  "C:\Users\Admin\AppData\Local\Temp\c88ac47c919fccf20c62258cb2c0536e46a95fadc1317783a8acc26398f2db9d.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\system32\ipconfig.exe"
        5⤵
        Gathers network information
        
        PID:116
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 272
        6⤵
        Program crash
        
        PID:1412
  - - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 116 -ip 116
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

Filesize
520KB

MD5
aacdf7e84f6f67bb8fd210098d3895d4

SHA1
b71ce74b4d34be30fbd774cfac83bd56732c69a4

SHA256
6518e6f259db4852d474c9d7ee20b62608da1944db641c398c84f17060658549

SHA512
21c61431262043d0bed6a8c38ccfb5ebf4a90dee64ba030dd2346ab364cf77fd250ca2ed84ba63b88a165f17aca012695e3e60494d4e7a156e3d7524fac8a0b7

Download Submit
memory/808-27-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/808-34-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/808-23-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1816-43-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1816-35-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4128-3-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4128-4-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4128-10-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4128-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4128-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4852-47-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-45-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-54-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-29-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-38-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-39-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-42-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-41-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-53-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-52-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-46-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-51-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-48-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-49-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4852-50-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5068-7-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5068-21-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5068-5-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5068-20-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download