darkcomet | f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2b

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe
Size

3.9MB
MD5

44dde37c12dd61c7123df3a666511e00
SHA1

a200e649ff75e59693d19a40dd7e9a228e15a2d5
SHA256

f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2b
SHA512

78fd89ec0953814d1f520e25190bf1b730d7b018ebd17d0082e86690315bb3f949d57587ae6891d8275887f16cca31c8cbc1c7d534895c3abcca0ff766456431
SSDEEP

98304:IlX3KMj7yBNUVPhd5G0Z5DxdM3hZpmBAlB6D4tyX6kuT4IkQApCgvms0Cv05J5C+:IlX3KMj7yBNUVPhd5G0Z5DxdM3hZpmB+

Score

10^/10

darkcomet discovery persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Soundcrd.exe

Executes dropped EXE 3 IoCs

pid	Process
2424	Soundcrd.exe
2860	Soundcrd.exe
2864	Soundcrd.exe

Loads dropped DLL 6 IoCs

pid	Process
3004	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe
3004	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe
3004	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe
3004	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe
3004	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe
2424	Soundcrd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoftt = "C:\\Users\\Admin\\AppData\\Roaming\\Soundcrd.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 2860	2424	Soundcrd.exe	34
PID 2424 set thread context of 2864	2424	Soundcrd.exe	35

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2860-56-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2860-55-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2860-57-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2860-54-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2860-58-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2860-59-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2860-60-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2860-52-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2860-61-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2864-62-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2864-65-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2864-64-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2860-69-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2864-70-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2860-73-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2860-77-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2860-81-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2860-85-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2860-89-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Soundcrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Soundcrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Soundcrd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Soundcrd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Soundcrd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Soundcrd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Soundcrd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Soundcrd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2860	Soundcrd.exe
Token: SeSecurityPrivilege	2860	Soundcrd.exe
Token: SeTakeOwnershipPrivilege	2860	Soundcrd.exe
Token: SeLoadDriverPrivilege	2860	Soundcrd.exe
Token: SeSystemProfilePrivilege	2860	Soundcrd.exe
Token: SeSystemtimePrivilege	2860	Soundcrd.exe
Token: SeProfSingleProcessPrivilege	2860	Soundcrd.exe
Token: SeIncBasePriorityPrivilege	2860	Soundcrd.exe
Token: SeCreatePagefilePrivilege	2860	Soundcrd.exe
Token: SeBackupPrivilege	2860	Soundcrd.exe
Token: SeRestorePrivilege	2860	Soundcrd.exe
Token: SeShutdownPrivilege	2860	Soundcrd.exe
Token: SeDebugPrivilege	2860	Soundcrd.exe
Token: SeSystemEnvironmentPrivilege	2860	Soundcrd.exe
Token: SeChangeNotifyPrivilege	2860	Soundcrd.exe
Token: SeRemoteShutdownPrivilege	2860	Soundcrd.exe
Token: SeUndockPrivilege	2860	Soundcrd.exe
Token: SeManageVolumePrivilege	2860	Soundcrd.exe
Token: SeImpersonatePrivilege	2860	Soundcrd.exe
Token: SeCreateGlobalPrivilege	2860	Soundcrd.exe
Token: 33	2860	Soundcrd.exe
Token: 34	2860	Soundcrd.exe
Token: 35	2860	Soundcrd.exe
Token: SeDebugPrivilege	2864	Soundcrd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3004	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe
2424	Soundcrd.exe
2864	Soundcrd.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2232	3004	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe	30
PID 3004 wrote to memory of 2232	3004	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe	30
PID 3004 wrote to memory of 2232	3004	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe	30
PID 3004 wrote to memory of 2232	3004	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe	30
PID 2232 wrote to memory of 2880	2232	cmd.exe	32
PID 2232 wrote to memory of 2880	2232	cmd.exe	32
PID 2232 wrote to memory of 2880	2232	cmd.exe	32
PID 2232 wrote to memory of 2880	2232	cmd.exe	32
PID 3004 wrote to memory of 2424	3004	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe	33
PID 3004 wrote to memory of 2424	3004	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe	33
PID 3004 wrote to memory of 2424	3004	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe	33
PID 3004 wrote to memory of 2424	3004	f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe	33
PID 2424 wrote to memory of 2860	2424	Soundcrd.exe	34
PID 2424 wrote to memory of 2860	2424	Soundcrd.exe	34
PID 2424 wrote to memory of 2860	2424	Soundcrd.exe	34
PID 2424 wrote to memory of 2860	2424	Soundcrd.exe	34
PID 2424 wrote to memory of 2860	2424	Soundcrd.exe	34
PID 2424 wrote to memory of 2860	2424	Soundcrd.exe	34
PID 2424 wrote to memory of 2860	2424	Soundcrd.exe	34
PID 2424 wrote to memory of 2860	2424	Soundcrd.exe	34
PID 2424 wrote to memory of 2860	2424	Soundcrd.exe	34
PID 2424 wrote to memory of 2864	2424	Soundcrd.exe	35
PID 2424 wrote to memory of 2864	2424	Soundcrd.exe	35
PID 2424 wrote to memory of 2864	2424	Soundcrd.exe	35
PID 2424 wrote to memory of 2864	2424	Soundcrd.exe	35
PID 2424 wrote to memory of 2864	2424	Soundcrd.exe	35
PID 2424 wrote to memory of 2864	2424	Soundcrd.exe	35
PID 2424 wrote to memory of 2864	2424	Soundcrd.exe	35
PID 2424 wrote to memory of 2864	2424	Soundcrd.exe	35
PID 2424 wrote to memory of 2864	2424	Soundcrd.exe	35

C:\Users\Admin\AppData\Local\Temp\f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe
"C:\Users\Admin\AppData\Local\Temp\f7e4432b673f9fad3c21ef20cef633b50a9bae397b9015ce81d6ca3be99a0c2bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\WdAyt.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2880
- C:\Users\Admin\AppData\Roaming\Soundcrd.exe
  "C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WdAyt.bat

Filesize
139B

MD5
173bcce4810d4901872d0ef4f0bfea4e

SHA1
561b03fdfe68b6419fddf57f32e1aab9a6126a2f

SHA256
10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d

SHA512
2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e

Download Submit
C:\Users\Admin\AppData\Roaming\Soundcrd.exe

Filesize
3.9MB

MD5
bcb96d8d96bca248c5e8aa104d092671

SHA1
b9716852dd7642d1e8ddfa493ea6b4b95b2ebe0c

SHA256
33927349e7524a7c91dccfbc07616f5bc6ab67ec0e93146cce4d7ca36c3aa6b7

SHA512
b3d76d53de92f3335e29fcf4e90b4467c3eecfd35e4c41a6b35a9da991ae4254fdb017d245a918b163d010b09a60ab5b1989c9fe46c70a7beca9392e1e701cf6

Download Submit
memory/2424-68-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/2424-51-0x00000000029E0000-0x0000000002DCB000-memory.dmp

Filesize
3.9MB

Download
memory/2860-69-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2860-52-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2860-89-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2860-85-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2860-56-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2860-55-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2860-57-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2860-54-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2860-58-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2860-59-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2860-60-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2860-81-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2860-61-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2860-77-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2860-73-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2864-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2864-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2864-70-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2864-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3004-2-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/3004-46-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/3004-44-0x0000000003750000-0x0000000003B3B000-memory.dmp

Filesize
3.9MB

Download
memory/3004-42-0x0000000003750000-0x0000000003B3B000-memory.dmp

Filesize
3.9MB

Download
memory/3004-43-0x0000000003750000-0x0000000003B3B000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads