darkcomet | e1761b88f8654510f8412e5700e5d61221b7a1dcf0def40f52c2445e029a7489

General

Target

e1761b88f8654510f8412e5700e5d61221b7a1dcf0def40f52c2445e029a7489.exe
Size

768KB
MD5

899337cce4b767d4bec2c815b8ad3a93
SHA1

69fdf433387745a9fccf3c4cba5c25de13b4e050
SHA256

e1761b88f8654510f8412e5700e5d61221b7a1dcf0def40f52c2445e029a7489
SHA512

fe8696c89688fb588481d17b398ce5514fd4f174daa4e1bee316708b4ef52388e92397dcd3a331001bb6ec7b3fd7014b729b250ceee893a184a283af82872351

Score

10^/10

darkcomet evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Server.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Sysfiles/"	Server.exe

Executes dropped EXE 2 IoCs

Processes:

7za.exeServer.exe

pid process

3980 7za.exe
2060 Server.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
3980	7za.exe
2060	Server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlog = "C:\\Windows\\system32\\Sysfiles/"	Server.exe

Drops file in System32 directory 3 IoCs

Processes:

Server.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Sysfiles\	Server.exe
File opened for modification	C:\Windows\SysWOW64\Sysfiles\	Server.exe
File opened for modification	C:\Windows\SysWOW64\	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Server.exe

pid process

2060 Server.exe

pid	process
2060	Server.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

Server.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2060	Server.exe
Token: SeSecurityPrivilege	2060	Server.exe
Token: SeTakeOwnershipPrivilege	2060	Server.exe
Token: SeLoadDriverPrivilege	2060	Server.exe
Token: SeSystemProfilePrivilege	2060	Server.exe
Token: SeSystemtimePrivilege	2060	Server.exe
Token: SeProfSingleProcessPrivilege	2060	Server.exe
Token: SeIncBasePriorityPrivilege	2060	Server.exe
Token: SeCreatePagefilePrivilege	2060	Server.exe
Token: SeBackupPrivilege	2060	Server.exe
Token: SeRestorePrivilege	2060	Server.exe
Token: SeShutdownPrivilege	2060	Server.exe
Token: SeDebugPrivilege	2060	Server.exe
Token: SeSystemEnvironmentPrivilege	2060	Server.exe
Token: SeChangeNotifyPrivilege	2060	Server.exe
Token: SeRemoteShutdownPrivilege	2060	Server.exe
Token: SeUndockPrivilege	2060	Server.exe
Token: SeManageVolumePrivilege	2060	Server.exe
Token: SeImpersonatePrivilege	2060	Server.exe
Token: SeCreateGlobalPrivilege	2060	Server.exe
Token: 33	2060	Server.exe
Token: 34	2060	Server.exe
Token: 35	2060	Server.exe
Token: 36	2060	Server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Server.exe

pid process

2060 Server.exe

pid	process
2060	Server.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

e1761b88f8654510f8412e5700e5d61221b7a1dcf0def40f52c2445e029a7489.execmd.exeServer.execmd.execmd.exe

description	pid	process	target process
PID 3708 wrote to memory of 1684	3708	e1761b88f8654510f8412e5700e5d61221b7a1dcf0def40f52c2445e029a7489.exe	cmd.exe
PID 3708 wrote to memory of 1684	3708	e1761b88f8654510f8412e5700e5d61221b7a1dcf0def40f52c2445e029a7489.exe	cmd.exe
PID 3708 wrote to memory of 1684	3708	e1761b88f8654510f8412e5700e5d61221b7a1dcf0def40f52c2445e029a7489.exe	cmd.exe
PID 1684 wrote to memory of 3980	1684	cmd.exe	7za.exe
PID 1684 wrote to memory of 3980	1684	cmd.exe	7za.exe
PID 1684 wrote to memory of 3980	1684	cmd.exe	7za.exe
PID 3708 wrote to memory of 2060	3708	e1761b88f8654510f8412e5700e5d61221b7a1dcf0def40f52c2445e029a7489.exe	Server.exe
PID 3708 wrote to memory of 2060	3708	e1761b88f8654510f8412e5700e5d61221b7a1dcf0def40f52c2445e029a7489.exe	Server.exe
PID 3708 wrote to memory of 2060	3708	e1761b88f8654510f8412e5700e5d61221b7a1dcf0def40f52c2445e029a7489.exe	Server.exe
PID 2060 wrote to memory of 2176	2060	Server.exe	cmd.exe
PID 2060 wrote to memory of 2176	2060	Server.exe	cmd.exe
PID 2060 wrote to memory of 2176	2060	Server.exe	cmd.exe
PID 2060 wrote to memory of 2296	2060	Server.exe	cmd.exe
PID 2060 wrote to memory of 2296	2060	Server.exe	cmd.exe
PID 2060 wrote to memory of 2296	2060	Server.exe	cmd.exe
PID 2296 wrote to memory of 3532	2296	cmd.exe	attrib.exe
PID 2296 wrote to memory of 3532	2296	cmd.exe	attrib.exe
PID 2296 wrote to memory of 3532	2296	cmd.exe	attrib.exe
PID 2176 wrote to memory of 3808	2176	cmd.exe	attrib.exe
PID 2176 wrote to memory of 3808	2176	cmd.exe	attrib.exe
PID 2176 wrote to memory of 3808	2176	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3808 attrib.exe
3532 attrib.exe

pid	process
3808	attrib.exe
3532	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e1761b88f8654510f8412e5700e5d61221b7a1dcf0def40f52c2445e029a7489.exe
"C:\Users\Admin\AppData\Local\Temp\e1761b88f8654510f8412e5700e5d61221b7a1dcf0def40f52c2445e029a7489.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy""
2⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Roaming\7za.exe
"C:\Users\Admin\AppData\Roaming\7za.exe" "x" "-y" "C:\Users\Admin\AppData\Roaming\Server.7z" "-pHVLnt5Dy"
3⤵
- Executes dropped EXE
PID:3980

C:\Users\Admin\AppData\Roaming\Server.exe
C:\Users\Admin\AppData\Roaming\Server.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Server.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Server.exe" +s +h
4⤵
- Views/modifies file attributes
PID:3808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming" +s +h
4⤵
- Views/modifies file attributes
PID:3532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5
a481b39a248eda17e7e24005175fb99b

SHA1
4406c7a9912632b143b8e9b1b50a7ec4a14bbcdc

SHA256
cab4d8b19391e8eb2a70456ae3a357e81b60a3f24037ceaad9c45f38050b8288

SHA512
e3c5654874eafa8fe69beb5a997fbfee318b663039319144bb659a661d9771dd11f7033aaa82a6540f8cd5569838bf0ff0e4039d7a98afe6ebcc8731ca949149

Download Submit
C:\Users\Admin\AppData\Roaming\7za.exe

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Roaming\7za.exe

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Roaming\Server.7z

MD5
1bc6737d2b029e8242c7256a8e4f5861

SHA1
6e96bfebf7168d37210c697e73131f720221e247

SHA256
166f39c1a96a2ce7dd52e259e5be499e815ae70aba41469d84a16afbe4c511a7

SHA512
7d2b3b0554a431c332a8309907d174ea10ac832dab81ba4d91137d2b23195b28bceea6541ef8880df24d65cfb2d2d1b26e50b11ade9f167997f3e49cbd669bfb

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe

MD5
a481b39a248eda17e7e24005175fb99b

SHA1
4406c7a9912632b143b8e9b1b50a7ec4a14bbcdc

SHA256
cab4d8b19391e8eb2a70456ae3a357e81b60a3f24037ceaad9c45f38050b8288

SHA512
e3c5654874eafa8fe69beb5a997fbfee318b663039319144bb659a661d9771dd11f7033aaa82a6540f8cd5569838bf0ff0e4039d7a98afe6ebcc8731ca949149

Download Submit
memory/1684-114-0x0000000000000000-mapping.dmp

Download
memory/2060-120-0x0000000000000000-mapping.dmp

Download
memory/2060-122-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2176-123-0x0000000000000000-mapping.dmp

Download
memory/2296-124-0x0000000000000000-mapping.dmp

Download
memory/3532-125-0x0000000000000000-mapping.dmp

Download
memory/3808-126-0x0000000000000000-mapping.dmp

Download
memory/3980-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads