darkcomet | 7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe
Size

520KB
MD5

feb6bf93671559e74b626e8b88e80626
SHA1

effe88b5d988256431c78cf837f849952fd4b1ce
SHA256

7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697
SHA512

bef5f9fa450f30a62bdf04020ff3c9e05b8d87a5ea6740ba50d5bf869e3f6919a623c62ddc9d228fe22a0556cb0125e10da2045ff0330f53254990fac6e6ceef
SSDEEP

6144:f9GGo2CwtGg6eeihEfph2CMvvqqSaYwpncOeC66AOa0aFtVEQfTo1ozVqMb+:f9fC3hh29Ya77A90aFtDfT5IMb+

Score

10^/10

darkcomet privateeye discovery rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

PrivateEye

ratblackshades.no-ip.biz:1604

Mutex

DC_MUTEX-ACC1R98

Attributes

gencode
8GG5LVVGljSF
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 3 IoCs

pid	Process
5004	winupd.exe
3440	winupd.exe
2068	winupd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 4156	3044	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe	89
PID 5004 set thread context of 3440	5004	winupd.exe	93
PID 5004 set thread context of 2068	5004	winupd.exe	94

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2068-35-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-39-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-37-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-41-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-40-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-36-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-30-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-44-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-45-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-46-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-47-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-48-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-49-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-50-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-51-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-52-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-53-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2068-54-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2332	2956	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2956	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2068	winupd.exe
Token: SeSecurityPrivilege	2068	winupd.exe
Token: SeTakeOwnershipPrivilege	2068	winupd.exe
Token: SeLoadDriverPrivilege	2068	winupd.exe
Token: SeSystemProfilePrivilege	2068	winupd.exe
Token: SeSystemtimePrivilege	2068	winupd.exe
Token: SeProfSingleProcessPrivilege	2068	winupd.exe
Token: SeIncBasePriorityPrivilege	2068	winupd.exe
Token: SeCreatePagefilePrivilege	2068	winupd.exe
Token: SeBackupPrivilege	2068	winupd.exe
Token: SeRestorePrivilege	2068	winupd.exe
Token: SeShutdownPrivilege	2068	winupd.exe
Token: SeDebugPrivilege	2068	winupd.exe
Token: SeSystemEnvironmentPrivilege	2068	winupd.exe
Token: SeChangeNotifyPrivilege	2068	winupd.exe
Token: SeRemoteShutdownPrivilege	2068	winupd.exe
Token: SeUndockPrivilege	2068	winupd.exe
Token: SeManageVolumePrivilege	2068	winupd.exe
Token: SeImpersonatePrivilege	2068	winupd.exe
Token: SeCreateGlobalPrivilege	2068	winupd.exe
Token: 33	2068	winupd.exe
Token: 34	2068	winupd.exe
Token: 35	2068	winupd.exe
Token: 36	2068	winupd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3044	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe
4156	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe
5004	winupd.exe
3440	winupd.exe
2068	winupd.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 4156	3044	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe	89
PID 3044 wrote to memory of 4156	3044	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe	89
PID 3044 wrote to memory of 4156	3044	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe	89
PID 3044 wrote to memory of 4156	3044	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe	89
PID 3044 wrote to memory of 4156	3044	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe	89
PID 3044 wrote to memory of 4156	3044	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe	89
PID 3044 wrote to memory of 4156	3044	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe	89
PID 3044 wrote to memory of 4156	3044	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe	89
PID 4156 wrote to memory of 5004	4156	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe	90
PID 4156 wrote to memory of 5004	4156	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe	90
PID 4156 wrote to memory of 5004	4156	7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe	90
PID 5004 wrote to memory of 3440	5004	winupd.exe	93
PID 5004 wrote to memory of 3440	5004	winupd.exe	93
PID 5004 wrote to memory of 3440	5004	winupd.exe	93
PID 5004 wrote to memory of 3440	5004	winupd.exe	93
PID 5004 wrote to memory of 3440	5004	winupd.exe	93
PID 5004 wrote to memory of 3440	5004	winupd.exe	93
PID 5004 wrote to memory of 3440	5004	winupd.exe	93
PID 5004 wrote to memory of 3440	5004	winupd.exe	93
PID 5004 wrote to memory of 2068	5004	winupd.exe	94
PID 5004 wrote to memory of 2068	5004	winupd.exe	94
PID 5004 wrote to memory of 2068	5004	winupd.exe	94
PID 5004 wrote to memory of 2068	5004	winupd.exe	94
PID 5004 wrote to memory of 2068	5004	winupd.exe	94
PID 5004 wrote to memory of 2068	5004	winupd.exe	94
PID 5004 wrote to memory of 2068	5004	winupd.exe	94
PID 5004 wrote to memory of 2068	5004	winupd.exe	94
PID 3440 wrote to memory of 2956	3440	winupd.exe	95
PID 3440 wrote to memory of 2956	3440	winupd.exe	95
PID 3440 wrote to memory of 2956	3440	winupd.exe	95
PID 3440 wrote to memory of 2956	3440	winupd.exe	95
PID 3440 wrote to memory of 2956	3440	winupd.exe	95

C:\Users\Admin\AppData\Local\Temp\7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe
"C:\Users\Admin\AppData\Local\Temp\7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe
  "C:\Users\Admin\AppData\Local\Temp\7122fdb607392a4805afb8271355b331718f642a06e8df5bc86ec8d2ad53b697.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\system32\ipconfig.exe"
        5⤵
        Gathers network information
        
        PID:2956
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 272
        6⤵
        Program crash
        
        PID:2332
  - - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2956 -ip 2956
1⤵
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

Filesize
520KB

MD5
01644bd767cdf9e8dac73905d734cb78

SHA1
d98d2dda200f670b2795aa136da061e43223bacc

SHA256
9e6e316a7e0630ccf3eb837a1acb3af79d263be2195757f63a1009ec7642ad05

SHA512
906528bc7d15fb2ead5c9337260e9b2002058ac2f596bb30632fbdd445fc06b9f0ae94ddab0ca40f263e0556d18e7bdf0df43c9719d6db8baf3c5624fad678ce

Download Submit
memory/2068-47-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-46-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-41-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-53-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-52-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-51-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-50-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-49-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-48-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-35-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-39-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-45-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-44-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-54-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-30-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2068-36-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3044-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3044-9-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3044-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3044-3-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3044-4-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3440-42-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4156-21-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4156-20-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4156-5-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4156-7-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5004-27-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5004-23-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/5004-38-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download