darkcomet | cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a

General

Target

cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
Size

1.7MB
MD5

1692e19808bfcf5553f903dd6137d51f
SHA1

ccb040f6a225dc17f87ce45b47bb5b0efcca0231
SHA256

cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a
SHA512

1dde3ec8f380aa2599f6b403416c7084014175b5a6e5ee3f1f283073a9a719e005264b250c6fac5e8ce86cb8dc5b9d46a98c436530229bd93448427331ffcf7c

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4196-0-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4196-2-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/4196-3-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABsound.exe	cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABsound.exe	cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe = "C:\\Users\\Admin\\AppData\\Roaming\\ASound.exe"	cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe

description	pid	process	target process
PID 4632 set thread context of 4196	4632	cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4196	vbc.exe
Token: SeSecurityPrivilege	4196	vbc.exe
Token: SeTakeOwnershipPrivilege	4196	vbc.exe
Token: SeLoadDriverPrivilege	4196	vbc.exe
Token: SeSystemProfilePrivilege	4196	vbc.exe
Token: SeSystemtimePrivilege	4196	vbc.exe
Token: SeProfSingleProcessPrivilege	4196	vbc.exe
Token: SeIncBasePriorityPrivilege	4196	vbc.exe
Token: SeCreatePagefilePrivilege	4196	vbc.exe
Token: SeBackupPrivilege	4196	vbc.exe
Token: SeRestorePrivilege	4196	vbc.exe
Token: SeShutdownPrivilege	4196	vbc.exe
Token: SeDebugPrivilege	4196	vbc.exe
Token: SeSystemEnvironmentPrivilege	4196	vbc.exe
Token: SeChangeNotifyPrivilege	4196	vbc.exe
Token: SeRemoteShutdownPrivilege	4196	vbc.exe
Token: SeUndockPrivilege	4196	vbc.exe
Token: SeManageVolumePrivilege	4196	vbc.exe
Token: SeImpersonatePrivilege	4196	vbc.exe
Token: SeCreateGlobalPrivilege	4196	vbc.exe
Token: 33	4196	vbc.exe
Token: 34	4196	vbc.exe
Token: 35	4196	vbc.exe
Token: 36	4196	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

4196 vbc.exe

pid	process
4196	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe

description	pid	process	target process
PID 4632 wrote to memory of 4196	4632	cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe	vbc.exe
PID 4632 wrote to memory of 4196	4632	cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe	vbc.exe
PID 4632 wrote to memory of 4196	4632	cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe	vbc.exe
PID 4632 wrote to memory of 4196	4632	cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe	vbc.exe
PID 4632 wrote to memory of 4196	4632	cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe
"C:\Users\Admin\AppData\Local\Temp\cd07d3848faaba1e4fe9fb1166c020af055029c7b8387341f554c21e17260e7a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4196-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4196-1-0x0000000000400000-mapping.dmp

Download
memory/4196-2-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4196-3-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads