darkcomet | 03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca

General

Target

03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca.exe
Size

1.5MB
MD5

919e727137404624d1f88c477747aa85
SHA1

5136eab99b1c750ad54cff142cb960ec749e7385
SHA256

03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca
SHA512

1511b57c9e194444ad4e32c1b34f4df00e9bdadab9953d2f93722ebc7906ec56910b309760b83a683df40a90d82ee12955d0826d95da0bf2207a0fd930330c71

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

fut123.no-ip.biz:6968

Mutex

DC_MUTEX-QDT8201

Attributes

gencode
pQP26nCFHbNE
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

ETevhvcjIJb.exe

pid process

3208 ETevhvcjIJb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ETevhvcjIJb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ipf32ln = "C:\\Users\\Admin\\ipf32ln\\16311.vbs"	ETevhvcjIJb.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	ETevhvcjIJb.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

ETevhvcjIJb.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ETevhvcjIJb.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ETevhvcjIJb.exe

description pid process target process

PID 3208 set thread context of 416 3208 ETevhvcjIJb.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ETevhvcjIJb.exe

description	pid	process	target process
PID 3208 set thread context of 416	3208	ETevhvcjIJb.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ETevhvcjIJb.exe

pid	process
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe
3208	ETevhvcjIJb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RegSvcs.exeETevhvcjIJb.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	416	RegSvcs.exe
Token: SeSecurityPrivilege	416	RegSvcs.exe
Token: SeTakeOwnershipPrivilege	416	RegSvcs.exe
Token: SeLoadDriverPrivilege	416	RegSvcs.exe
Token: SeSystemProfilePrivilege	416	RegSvcs.exe
Token: SeSystemtimePrivilege	416	RegSvcs.exe
Token: SeProfSingleProcessPrivilege	416	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	416	RegSvcs.exe
Token: SeCreatePagefilePrivilege	416	RegSvcs.exe
Token: SeBackupPrivilege	416	RegSvcs.exe
Token: SeRestorePrivilege	416	RegSvcs.exe
Token: SeShutdownPrivilege	416	RegSvcs.exe
Token: SeDebugPrivilege	416	RegSvcs.exe
Token: SeSystemEnvironmentPrivilege	416	RegSvcs.exe
Token: SeChangeNotifyPrivilege	416	RegSvcs.exe
Token: SeRemoteShutdownPrivilege	416	RegSvcs.exe
Token: SeUndockPrivilege	416	RegSvcs.exe
Token: SeManageVolumePrivilege	416	RegSvcs.exe
Token: SeImpersonatePrivilege	416	RegSvcs.exe
Token: SeCreateGlobalPrivilege	416	RegSvcs.exe
Token: 33	416	RegSvcs.exe
Token: 34	416	RegSvcs.exe
Token: 35	416	RegSvcs.exe
Token: 36	416	RegSvcs.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe
Token: SeDebugPrivilege	3208	ETevhvcjIJb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

416 RegSvcs.exe

pid	process
416	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca.exeETevhvcjIJb.exe

description	pid	process	target process
PID 3676 wrote to memory of 3208	3676	03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca.exe	ETevhvcjIJb.exe
PID 3676 wrote to memory of 3208	3676	03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca.exe	ETevhvcjIJb.exe
PID 3676 wrote to memory of 3208	3676	03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca.exe	ETevhvcjIJb.exe
PID 3208 wrote to memory of 416	3208	ETevhvcjIJb.exe	RegSvcs.exe
PID 3208 wrote to memory of 416	3208	ETevhvcjIJb.exe	RegSvcs.exe
PID 3208 wrote to memory of 416	3208	ETevhvcjIJb.exe	RegSvcs.exe
PID 3208 wrote to memory of 416	3208	ETevhvcjIJb.exe	RegSvcs.exe
PID 3208 wrote to memory of 416	3208	ETevhvcjIJb.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca.exe
"C:\Users\Admin\AppData\Local\Temp\03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Users\Admin\ipf32ln\ETevhvcjIJb.exe
"C:\Users\Admin\ipf32ln\ETevhvcjIJb.exe" vFDa.FYS
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ipf32ln\BXDIFC~1.OGC
MD5
21ccd7694b26cbfb1002a15832fe6fad

SHA1
dbdcd68c47eff5f80648241792d872aa886fc590

SHA256
7dbdefaab3173efeaeb1e80d13441046687f9e67e1e5df197153e9ca1c73c0d3

SHA512
1b8bf35a3b148bb33f0ad68da0f4c30efa1b1532cce96844786c65cea2ff9281c1bec43b36456cee79c3509055b5d8b94edf642e9fa7a2f6237e8fef59f325ed

Download Submit
C:\Users\Admin\ipf32ln\ETevhvcjIJb.exe
MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
C:\Users\Admin\ipf32ln\ETevhvcjIJb.exe
MD5
e01ced5c12390ff5256694eda890b33a

SHA1
0bb74a9d3154d1269e5e456aa41e94b60f753f78

SHA256
66c1f3e71685f81f836e29e77844c737ceaa47ff787d6b233b05166973fa73ba

SHA512
93a35ef3749826c1256c4de0fffe099374dbc5cd3d8eccf22690cf2a4c7e63b508ddbe4e412758a84f9c6e9478b5173a6cf93606779af18542d5a2937183219d

Download Submit
C:\Users\Admin\ipf32ln\ZGDdzVslc.JHN
MD5
389bd8c604452f4783fa220b69a220fa

SHA1
603483c24d3b75bacda42dcfcd62ce4a5055852b

SHA256
bc79467fa5865183f1071d2db514b8b79cbb9487dd9b5f2a08a7ca1f86b8f2eb

SHA512
d5f225df727a6bb39f43d5a8ea74c50448ee00991f82c0199ff7d37df2927284d7b4d190356ccf23a955ed1d366fdfede29e0de3ff0648a49e9caa39ff515952

Download Submit
C:\Users\Admin\ipf32ln\vFDa.FYS
MD5
1f4d3b3863f80264918b817eae2546c1

SHA1
e092d1f9e4df2d60dbacbe90932bd1d063dad6b9

SHA256
6d2ae24f184615ee2685bc4b9199850f9261840b02ab60b06a2e2f8642ed0849

SHA512
597211d6a098f4009dabe7fd0791174c76a5c28a64c3fbdf6237d52f630031227768bd592cf160338e401218c87499f13d3811434bbea34845aff086a15022ea

Download Submit
memory/416-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/416-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/416-7-0x000000000048F888-mapping.dmp

Download
memory/3208-28-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-9-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-10-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-12-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-13-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-14-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-15-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-16-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-17-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-18-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-26-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-27-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-0-0x0000000000000000-mapping.dmp

Download
memory/3208-30-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-31-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-44-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-58-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-112-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-113-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-116-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-118-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-120-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-126-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-148-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-150-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-151-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-152-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-224-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-225-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-226-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-227-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-228-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-236-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3208-238-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads