darkcomet | 4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b

General

Target

4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe
Size

559KB
MD5

68d4862582ead747c602162f317e6af2
SHA1

72d5522daaba8b1163405d52a3ed053c2735c0b5
SHA256

4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b
SHA512

16b19b016b78a3825c3aa3568ce540689dcaac40879f5f0af6ec492d774d2a016617c50f2d9969b59da55a7425f1c99e1636de5c9ef7ef9a4e13b2132474e00f

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

mcsft.exemcsft.exe

pid process

3808 mcsft.exe
3096 mcsft.exe

pid	process
3808	mcsft.exe
3096	mcsft.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

yara_rule
upx
C:\Users\Admin\AppData\Roaming\mcsft.exe	upx
C:\Users\Admin\AppData\Roaming\mcsft.exe	upx
behavioral2/memory/3096-11-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\mcsft.exe	upx
behavioral2/memory/3096-15-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/3096-16-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mcsft.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate mcsft.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mcsft.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoft = "C:\\Users\\Admin\\AppData\\Roaming\\mcsft.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

mcsft.exe

description pid process target process

PID 3808 set thread context of 3096 3808 mcsft.exe mcsft.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3808 set thread context of 3096	3808	mcsft.exe	mcsft.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mcsft.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mcsft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mcsft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mcsft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	mcsft.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

mcsft.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier mcsft.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	mcsft.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

mcsft.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3096	mcsft.exe
Token: SeSecurityPrivilege	3096	mcsft.exe
Token: SeTakeOwnershipPrivilege	3096	mcsft.exe
Token: SeLoadDriverPrivilege	3096	mcsft.exe
Token: SeSystemProfilePrivilege	3096	mcsft.exe
Token: SeSystemtimePrivilege	3096	mcsft.exe
Token: SeProfSingleProcessPrivilege	3096	mcsft.exe
Token: SeIncBasePriorityPrivilege	3096	mcsft.exe
Token: SeCreatePagefilePrivilege	3096	mcsft.exe
Token: SeBackupPrivilege	3096	mcsft.exe
Token: SeRestorePrivilege	3096	mcsft.exe
Token: SeShutdownPrivilege	3096	mcsft.exe
Token: SeDebugPrivilege	3096	mcsft.exe
Token: SeSystemEnvironmentPrivilege	3096	mcsft.exe
Token: SeChangeNotifyPrivilege	3096	mcsft.exe
Token: SeRemoteShutdownPrivilege	3096	mcsft.exe
Token: SeUndockPrivilege	3096	mcsft.exe
Token: SeManageVolumePrivilege	3096	mcsft.exe
Token: SeImpersonatePrivilege	3096	mcsft.exe
Token: SeCreateGlobalPrivilege	3096	mcsft.exe
Token: 33	3096	mcsft.exe
Token: 34	3096	mcsft.exe
Token: 35	3096	mcsft.exe
Token: 36	3096	mcsft.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exemcsft.exemcsft.exe

pid process

4684 4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe
3808 mcsft.exe
3096 mcsft.exe

pid	process
4684	4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe
3808	mcsft.exe
3096	mcsft.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.execmd.exemcsft.exe

description	pid	process	target process
PID 4684 wrote to memory of 492	4684	4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe	cmd.exe
PID 4684 wrote to memory of 492	4684	4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe	cmd.exe
PID 4684 wrote to memory of 492	4684	4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe	cmd.exe
PID 492 wrote to memory of 3232	492	cmd.exe	reg.exe
PID 492 wrote to memory of 3232	492	cmd.exe	reg.exe
PID 492 wrote to memory of 3232	492	cmd.exe	reg.exe
PID 4684 wrote to memory of 3808	4684	4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe	mcsft.exe
PID 4684 wrote to memory of 3808	4684	4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe	mcsft.exe
PID 4684 wrote to memory of 3808	4684	4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe	mcsft.exe
PID 3808 wrote to memory of 3096	3808	mcsft.exe	mcsft.exe
PID 3808 wrote to memory of 3096	3808	mcsft.exe	mcsft.exe
PID 3808 wrote to memory of 3096	3808	mcsft.exe	mcsft.exe
PID 3808 wrote to memory of 3096	3808	mcsft.exe	mcsft.exe
PID 3808 wrote to memory of 3096	3808	mcsft.exe	mcsft.exe
PID 3808 wrote to memory of 3096	3808	mcsft.exe	mcsft.exe
PID 3808 wrote to memory of 3096	3808	mcsft.exe	mcsft.exe
PID 3808 wrote to memory of 3096	3808	mcsft.exe	mcsft.exe

C:\Users\Admin\AppData\Local\Temp\4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe
"C:\Users\Admin\AppData\Local\Temp\4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KZTSr.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\mcsft.exe" /f
3⤵
- Adds Run key to start application
PID:3232

C:\Users\Admin\AppData\Roaming\mcsft.exe
"C:\Users\Admin\AppData\Roaming\mcsft.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3808

C:\Users\Admin\AppData\Roaming\mcsft.exe
C:\Users\Admin\AppData\Roaming\mcsft.exe
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KZTSr.bat
MD5
a5feca573884d76f559b996d45e8ad9a

SHA1
0e81a993f3af4e31d60653dc2513186f0495f1c8

SHA256
c98e20d46d6465febb5d29cfab51241521ea5d6cd621f5e18b9b7d6fbfac3f0f

SHA512
a9239648b5f15eac4d4151b6e1bdc81065eeaeb101404c2a0126f03bc87f1e6a57206bfa07a44379e9d3bba889e4497a9991ff41fb109099b01512df3dc3cbda

Download Submit
C:\Users\Admin\AppData\Roaming\mcsft.exe
MD5
57955d6df8446a9425baf080214a6d37

SHA1
4d9e39b7bcbfa637dd0b9d3761ea0296c15ab7e3

SHA256
deb3601f1f009caad838f63983712eb095b1da9b94d755b47a5a31635cb7f139

SHA512
837d904c428a38ea6062907991a2bacc9cbb4ff479fe1c209f56964380bdb9f12cd3c1720321e8e78a0c0a30ab56f4ea54ba96fdb27d72bfd00e5c66843bb473

Download Submit
C:\Users\Admin\AppData\Roaming\mcsft.exe
MD5
57955d6df8446a9425baf080214a6d37

SHA1
4d9e39b7bcbfa637dd0b9d3761ea0296c15ab7e3

SHA256
deb3601f1f009caad838f63983712eb095b1da9b94d755b47a5a31635cb7f139

SHA512
837d904c428a38ea6062907991a2bacc9cbb4ff479fe1c209f56964380bdb9f12cd3c1720321e8e78a0c0a30ab56f4ea54ba96fdb27d72bfd00e5c66843bb473

Download Submit
C:\Users\Admin\AppData\Roaming\mcsft.exe
MD5
57955d6df8446a9425baf080214a6d37

SHA1
4d9e39b7bcbfa637dd0b9d3761ea0296c15ab7e3

SHA256
deb3601f1f009caad838f63983712eb095b1da9b94d755b47a5a31635cb7f139

SHA512
837d904c428a38ea6062907991a2bacc9cbb4ff479fe1c209f56964380bdb9f12cd3c1720321e8e78a0c0a30ab56f4ea54ba96fdb27d72bfd00e5c66843bb473

Download Submit
memory/492-2-0x0000000000000000-mapping.dmp

Download
memory/3096-11-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3096-14-0x0000000073C10000-0x0000000073CA3000-memory.dmp

Filesize
588KB

Download
memory/3096-12-0x00000000004B3320-mapping.dmp

Download
memory/3096-15-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3096-16-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3232-4-0x0000000000000000-mapping.dmp

Download
memory/3808-8-0x0000000073C10000-0x0000000073CA3000-memory.dmp

Filesize
588KB

Download
memory/3808-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads