darkcomet | 7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1

General

Target

7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe
Size

1.5MB
MD5

b4f71adf9ec04a2b87e7588d8af2ba9e
SHA1

316b8b6e5a80eb8d2e061a80527ff7be6731c25e
SHA256

7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1
SHA512

36b1259f6769582ae28a14ebf64ac7c8133f5513f8595892a3eb3de8d71b12966967e67f82ea0a301bc91f9f912d79862905048853e22b26c070aaf9368908d2

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

2032 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe

pid process

1104 7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2032	vbc.exe

pid	process
1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdtr = "C:\\Users\\Admin\\AppData\\Roaming\\WinUpdtr\\7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe"	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exevbc.exe

description	pid	process	target process
PID 1104 set thread context of 2032	1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe	vbc.exe
PID 2032 set thread context of 1176	2032	vbc.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2032	vbc.exe
Token: SeSecurityPrivilege	2032	vbc.exe
Token: SeTakeOwnershipPrivilege	2032	vbc.exe
Token: SeLoadDriverPrivilege	2032	vbc.exe
Token: SeSystemProfilePrivilege	2032	vbc.exe
Token: SeSystemtimePrivilege	2032	vbc.exe
Token: SeProfSingleProcessPrivilege	2032	vbc.exe
Token: SeIncBasePriorityPrivilege	2032	vbc.exe
Token: SeCreatePagefilePrivilege	2032	vbc.exe
Token: SeBackupPrivilege	2032	vbc.exe
Token: SeRestorePrivilege	2032	vbc.exe
Token: SeShutdownPrivilege	2032	vbc.exe
Token: SeDebugPrivilege	2032	vbc.exe
Token: SeSystemEnvironmentPrivilege	2032	vbc.exe
Token: SeChangeNotifyPrivilege	2032	vbc.exe
Token: SeRemoteShutdownPrivilege	2032	vbc.exe
Token: SeUndockPrivilege	2032	vbc.exe
Token: SeManageVolumePrivilege	2032	vbc.exe
Token: SeImpersonatePrivilege	2032	vbc.exe
Token: SeCreateGlobalPrivilege	2032	vbc.exe
Token: 33	2032	vbc.exe
Token: 34	2032	vbc.exe
Token: 35	2032	vbc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exevbc.exe

description	pid	process	target process
PID 1104 wrote to memory of 2032	1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe	vbc.exe
PID 1104 wrote to memory of 2032	1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe	vbc.exe
PID 1104 wrote to memory of 2032	1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe	vbc.exe
PID 1104 wrote to memory of 2032	1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe	vbc.exe
PID 1104 wrote to memory of 2032	1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe	vbc.exe
PID 1104 wrote to memory of 2032	1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe	vbc.exe
PID 1104 wrote to memory of 2032	1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe	vbc.exe
PID 1104 wrote to memory of 2032	1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe	vbc.exe
PID 1104 wrote to memory of 2032	1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe	vbc.exe
PID 1104 wrote to memory of 2032	1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe	vbc.exe
PID 1104 wrote to memory of 2032	1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe	vbc.exe
PID 1104 wrote to memory of 2032	1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe	vbc.exe
PID 1104 wrote to memory of 2032	1104	7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe	vbc.exe
PID 2032 wrote to memory of 1176	2032	vbc.exe	iexplore.exe
PID 2032 wrote to memory of 1176	2032	vbc.exe	iexplore.exe
PID 2032 wrote to memory of 1176	2032	vbc.exe	iexplore.exe
PID 2032 wrote to memory of 1176	2032	vbc.exe	iexplore.exe
PID 2032 wrote to memory of 1176	2032	vbc.exe	iexplore.exe
PID 2032 wrote to memory of 1176	2032	vbc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe
"C:\Users\Admin\AppData\Local\Temp\7a8916c13c6b816bc756134acdf71c4cb9f28e9dd0f6009783a84e2b26437af1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\vbc.exe
C:\Users\Admin\AppData\Local\Temp\vbc.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
PID:1176

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vbc.exe
MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe
MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe
MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1104-59-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1104-64-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/1176-67-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1176-68-0x00000000004748DA-mapping.dmp

Download
memory/2032-61-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2032-62-0x000000000049F92C-mapping.dmp

Download
memory/2032-69-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2032-70-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads