darkcomet | f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30

Analysis

max time kernel
152s
max time network
154s
platform
windows10_x64
resource
win10v20210408
submitted
23-09-2021 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe
Size

1.7MB
MD5

8e6fb813fdbfb1b6815c8f7c47a5ac13
SHA1

4b8c92a3a6c63d6c296b0c121619b23599168030
SHA256

f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30
SHA512

374fab3c87d3e03fd14081939833b1ac6192d7c35d86e6fef936bc6fd15f80e4b9f6fa09dd1bf8ba60b75f97e5603783c1b28fc673e47a4c9bc44bbaebdf28f4

Score

10^/10

darkcomet evasion persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

RAT.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\Chrome.exe"	RAT.EXE

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

Chrome.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" Chrome.exe
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 5 IoCs

Processes:

CHROME.EXERAT.EXECHROME.EXEChrome.exeCHROME.EXE

pid process

1056 CHROME.EXE
1168 RAT.EXE
1920 CHROME.EXE
2468 Chrome.exe
2784 CHROME.EXE
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Chrome.exe

pid	process
1056	CHROME.EXE
1168	RAT.EXE
1920	CHROME.EXE
2468	Chrome.exe
2784	CHROME.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RAT.EXE	upx
C:\Users\Admin\AppData\Local\Temp\RAT.EXE	upx
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe	upx
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe	upx

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Chrome.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RAT.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\Chrome.exe"	RAT.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Chrome.exe

pid process

2468 Chrome.exe

pid	process
2468	Chrome.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

RAT.EXEChrome.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1168	RAT.EXE
Token: SeSecurityPrivilege	1168	RAT.EXE
Token: SeTakeOwnershipPrivilege	1168	RAT.EXE
Token: SeLoadDriverPrivilege	1168	RAT.EXE
Token: SeSystemProfilePrivilege	1168	RAT.EXE
Token: SeSystemtimePrivilege	1168	RAT.EXE
Token: SeProfSingleProcessPrivilege	1168	RAT.EXE
Token: SeIncBasePriorityPrivilege	1168	RAT.EXE
Token: SeCreatePagefilePrivilege	1168	RAT.EXE
Token: SeBackupPrivilege	1168	RAT.EXE
Token: SeRestorePrivilege	1168	RAT.EXE
Token: SeShutdownPrivilege	1168	RAT.EXE
Token: SeDebugPrivilege	1168	RAT.EXE
Token: SeSystemEnvironmentPrivilege	1168	RAT.EXE
Token: SeChangeNotifyPrivilege	1168	RAT.EXE
Token: SeRemoteShutdownPrivilege	1168	RAT.EXE
Token: SeUndockPrivilege	1168	RAT.EXE
Token: SeManageVolumePrivilege	1168	RAT.EXE
Token: SeImpersonatePrivilege	1168	RAT.EXE
Token: SeCreateGlobalPrivilege	1168	RAT.EXE
Token: 33	1168	RAT.EXE
Token: 34	1168	RAT.EXE
Token: 35	1168	RAT.EXE
Token: 36	1168	RAT.EXE
Token: SeIncreaseQuotaPrivilege	2468	Chrome.exe
Token: SeSecurityPrivilege	2468	Chrome.exe
Token: SeTakeOwnershipPrivilege	2468	Chrome.exe
Token: SeLoadDriverPrivilege	2468	Chrome.exe
Token: SeSystemProfilePrivilege	2468	Chrome.exe
Token: SeSystemtimePrivilege	2468	Chrome.exe
Token: SeProfSingleProcessPrivilege	2468	Chrome.exe
Token: SeIncBasePriorityPrivilege	2468	Chrome.exe
Token: SeCreatePagefilePrivilege	2468	Chrome.exe
Token: SeBackupPrivilege	2468	Chrome.exe
Token: SeRestorePrivilege	2468	Chrome.exe
Token: SeShutdownPrivilege	2468	Chrome.exe
Token: SeDebugPrivilege	2468	Chrome.exe
Token: SeSystemEnvironmentPrivilege	2468	Chrome.exe
Token: SeChangeNotifyPrivilege	2468	Chrome.exe
Token: SeRemoteShutdownPrivilege	2468	Chrome.exe
Token: SeUndockPrivilege	2468	Chrome.exe
Token: SeManageVolumePrivilege	2468	Chrome.exe
Token: SeImpersonatePrivilege	2468	Chrome.exe
Token: SeCreateGlobalPrivilege	2468	Chrome.exe
Token: 33	2468	Chrome.exe
Token: 34	2468	Chrome.exe
Token: 35	2468	Chrome.exe
Token: 36	2468	Chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Chrome.exe

pid process

2468 Chrome.exe

pid	process
2468	Chrome.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exeRAT.EXEcmd.execmd.exeChrome.exe

description	pid	process	target process
PID 992 wrote to memory of 1168	992	f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe	RAT.EXE
PID 992 wrote to memory of 1168	992	f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe	RAT.EXE
PID 992 wrote to memory of 1168	992	f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe	RAT.EXE
PID 1168 wrote to memory of 1496	1168	RAT.EXE	cmd.exe
PID 1168 wrote to memory of 1496	1168	RAT.EXE	cmd.exe
PID 1168 wrote to memory of 1496	1168	RAT.EXE	cmd.exe
PID 1168 wrote to memory of 1572	1168	RAT.EXE	cmd.exe
PID 1168 wrote to memory of 1572	1168	RAT.EXE	cmd.exe
PID 1168 wrote to memory of 1572	1168	RAT.EXE	cmd.exe
PID 1572 wrote to memory of 2328	1572	cmd.exe	attrib.exe
PID 1572 wrote to memory of 2328	1572	cmd.exe	attrib.exe
PID 1572 wrote to memory of 2328	1572	cmd.exe	attrib.exe
PID 1496 wrote to memory of 2180	1496	cmd.exe	attrib.exe
PID 1496 wrote to memory of 2180	1496	cmd.exe	attrib.exe
PID 1496 wrote to memory of 2180	1496	cmd.exe	attrib.exe
PID 1168 wrote to memory of 2468	1168	RAT.EXE	Chrome.exe
PID 1168 wrote to memory of 2468	1168	RAT.EXE	Chrome.exe
PID 1168 wrote to memory of 2468	1168	RAT.EXE	Chrome.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe
PID 2468 wrote to memory of 3036	2468	Chrome.exe	notepad.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

Chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	Chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	Chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	Chrome.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2328 attrib.exe
2180 attrib.exe

pid	process
2328	attrib.exe
2180	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe
"C:\Users\Admin\AppData\Local\Temp\f9b5b222b0911d095cdae3ae34c5c3f647ff0c08b40246fcabd3e7a03abcbb30.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
"C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"
2⤵
- Executes dropped EXE
PID:1056

C:\Users\Admin\AppData\Local\Temp\RAT.EXE
"C:\Users\Admin\AppData\Local\Temp\RAT.EXE"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\RAT.EXE" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\RAT.EXE" +s +h
4⤵
- Views/modifies file attributes
PID:2180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Views/modifies file attributes
PID:2328

C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
"C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"
3⤵
- Executes dropped EXE
PID:1920

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe"
3⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2468

C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
"C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"
4⤵
- Executes dropped EXE
PID:2784

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:3036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe
MD5
f5f8623a89fd87a2cfd4a16976ae1a86

SHA1
a3324a1def25c62b5999956acd4707368f724bb6

SHA256
1a4fbc010ec2664ddc8407601d6ff0df6db4fee5469cc7a9168abca413a1febd

SHA512
0f6385ad06e843d5f6094f187ac2dbbfb50b202e7f546a0d59e5d7fc7b7e082163468cb132926188d1d505752e907df36b0cdb3ef83a11dc08c4d4a86b01c938

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\Chrome.exe
MD5
f5f8623a89fd87a2cfd4a16976ae1a86

SHA1
a3324a1def25c62b5999956acd4707368f724bb6

SHA256
1a4fbc010ec2664ddc8407601d6ff0df6db4fee5469cc7a9168abca413a1febd

SHA512
0f6385ad06e843d5f6094f187ac2dbbfb50b202e7f546a0d59e5d7fc7b7e082163468cb132926188d1d505752e907df36b0cdb3ef83a11dc08c4d4a86b01c938

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
MD5
ea66582423b8ed237daae8b927191f22

SHA1
3430aaba69b10b33853e3187f640c91fa50f97cc

SHA256
fd8c15460abcda6b44fb970a84426617368bb2925f0c2b9e410dff20feb923d1

SHA512
2d342ab1dbd92189fb663a36610e29868456195fee70d812661630f055d0131c51ea628847e0fb4c16b3d36113fe08488f98a880c2808dc7f11f2dc88b0c44d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
MD5
ea66582423b8ed237daae8b927191f22

SHA1
3430aaba69b10b33853e3187f640c91fa50f97cc

SHA256
fd8c15460abcda6b44fb970a84426617368bb2925f0c2b9e410dff20feb923d1

SHA512
2d342ab1dbd92189fb663a36610e29868456195fee70d812661630f055d0131c51ea628847e0fb4c16b3d36113fe08488f98a880c2808dc7f11f2dc88b0c44d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
MD5
ea66582423b8ed237daae8b927191f22

SHA1
3430aaba69b10b33853e3187f640c91fa50f97cc

SHA256
fd8c15460abcda6b44fb970a84426617368bb2925f0c2b9e410dff20feb923d1

SHA512
2d342ab1dbd92189fb663a36610e29868456195fee70d812661630f055d0131c51ea628847e0fb4c16b3d36113fe08488f98a880c2808dc7f11f2dc88b0c44d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
MD5
ea66582423b8ed237daae8b927191f22

SHA1
3430aaba69b10b33853e3187f640c91fa50f97cc

SHA256
fd8c15460abcda6b44fb970a84426617368bb2925f0c2b9e410dff20feb923d1

SHA512
2d342ab1dbd92189fb663a36610e29868456195fee70d812661630f055d0131c51ea628847e0fb4c16b3d36113fe08488f98a880c2808dc7f11f2dc88b0c44d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
MD5
ea66582423b8ed237daae8b927191f22

SHA1
3430aaba69b10b33853e3187f640c91fa50f97cc

SHA256
fd8c15460abcda6b44fb970a84426617368bb2925f0c2b9e410dff20feb923d1

SHA512
2d342ab1dbd92189fb663a36610e29868456195fee70d812661630f055d0131c51ea628847e0fb4c16b3d36113fe08488f98a880c2808dc7f11f2dc88b0c44d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAT.EXE
MD5
f5f8623a89fd87a2cfd4a16976ae1a86

SHA1
a3324a1def25c62b5999956acd4707368f724bb6

SHA256
1a4fbc010ec2664ddc8407601d6ff0df6db4fee5469cc7a9168abca413a1febd

SHA512
0f6385ad06e843d5f6094f187ac2dbbfb50b202e7f546a0d59e5d7fc7b7e082163468cb132926188d1d505752e907df36b0cdb3ef83a11dc08c4d4a86b01c938

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAT.EXE
MD5
f5f8623a89fd87a2cfd4a16976ae1a86

SHA1
a3324a1def25c62b5999956acd4707368f724bb6

SHA256
1a4fbc010ec2664ddc8407601d6ff0df6db4fee5469cc7a9168abca413a1febd

SHA512
0f6385ad06e843d5f6094f187ac2dbbfb50b202e7f546a0d59e5d7fc7b7e082163468cb132926188d1d505752e907df36b0cdb3ef83a11dc08c4d4a86b01c938

Download Submit
memory/1168-115-0x0000000000000000-mapping.dmp

Download
memory/1168-118-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/1496-119-0x0000000000000000-mapping.dmp

Download
memory/1572-120-0x0000000000000000-mapping.dmp

Download
memory/2180-124-0x0000000000000000-mapping.dmp

Download
memory/2328-123-0x0000000000000000-mapping.dmp

Download
memory/2468-125-0x0000000000000000-mapping.dmp

Download
memory/2468-130-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/3036-131-0x0000000000000000-mapping.dmp

Download
memory/3036-132-0x0000000003300000-0x00000000033AE000-memory.dmp

Filesize
696KB

Download