darkcomet | 79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0

General

Target

79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe
Size

544KB
MD5

70370dcb2ad41fb78d0439236518c6c2
SHA1

35d86808ab71511ca0aaf5268dad6644718d3eb3
SHA256

79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0
SHA512

7d697c6a89c0b9b7eb57ba4df5feba4aeac410187187ab67779f8f300eb7f908925df62ef9b11923337f55b4a805ef68c719432caa3c880d1d26c63cd35fb0ee

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

sommerishere.sytes.net:1678

ommerishere.sytes.net:1678

ommerishere.sytes.net:1679

Mutex

DC_MUTEX-3YA4GBR

Attributes

gencode
C8EBUD2QBFHF
install
false
offline_keylogger
true
password
likethat@123
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

cssrr.execssrr.exe

pid process

2652 cssrr.exe
3968 cssrr.exe

pid	process
2652	cssrr.exe
3968	cssrr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cssrr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cssrr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\SubFolder\\SubFolder\\cssrr.exe"	cssrr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cssrr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\SubFolder\\SubFolder\\cssrr.exe"	cssrr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cssrr.exe

description pid process target process

PID 2652 set thread context of 3968 2652 cssrr.exe cssrr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2652 set thread context of 3968	2652	cssrr.exe	cssrr.exe

NTFS ADS 3 IoCs

Processes:

79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe\:ZONE.identifier:$DATA	79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

cssrr.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3968	cssrr.exe
Token: SeSecurityPrivilege	3968	cssrr.exe
Token: SeTakeOwnershipPrivilege	3968	cssrr.exe
Token: SeLoadDriverPrivilege	3968	cssrr.exe
Token: SeSystemProfilePrivilege	3968	cssrr.exe
Token: SeSystemtimePrivilege	3968	cssrr.exe
Token: SeProfSingleProcessPrivilege	3968	cssrr.exe
Token: SeIncBasePriorityPrivilege	3968	cssrr.exe
Token: SeCreatePagefilePrivilege	3968	cssrr.exe
Token: SeBackupPrivilege	3968	cssrr.exe
Token: SeRestorePrivilege	3968	cssrr.exe
Token: SeShutdownPrivilege	3968	cssrr.exe
Token: SeDebugPrivilege	3968	cssrr.exe
Token: SeSystemEnvironmentPrivilege	3968	cssrr.exe
Token: SeChangeNotifyPrivilege	3968	cssrr.exe
Token: SeRemoteShutdownPrivilege	3968	cssrr.exe
Token: SeUndockPrivilege	3968	cssrr.exe
Token: SeManageVolumePrivilege	3968	cssrr.exe
Token: SeImpersonatePrivilege	3968	cssrr.exe
Token: SeCreateGlobalPrivilege	3968	cssrr.exe
Token: 33	3968	cssrr.exe
Token: 34	3968	cssrr.exe
Token: 35	3968	cssrr.exe
Token: 36	3968	cssrr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cssrr.exe

pid process

3968 cssrr.exe

pid	process
3968	cssrr.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.execssrr.exe

description	pid	process	target process
PID 900 wrote to memory of 2020	900	79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe	cmd.exe
PID 900 wrote to memory of 2020	900	79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe	cmd.exe
PID 900 wrote to memory of 2020	900	79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe	cmd.exe
PID 900 wrote to memory of 2652	900	79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe	cssrr.exe
PID 900 wrote to memory of 2652	900	79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe	cssrr.exe
PID 900 wrote to memory of 2652	900	79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe	cssrr.exe
PID 2652 wrote to memory of 3152	2652	cssrr.exe	cmd.exe
PID 2652 wrote to memory of 3152	2652	cssrr.exe	cmd.exe
PID 2652 wrote to memory of 3152	2652	cssrr.exe	cmd.exe
PID 2652 wrote to memory of 3968	2652	cssrr.exe	cssrr.exe
PID 2652 wrote to memory of 3968	2652	cssrr.exe	cssrr.exe
PID 2652 wrote to memory of 3968	2652	cssrr.exe	cssrr.exe
PID 2652 wrote to memory of 3968	2652	cssrr.exe	cssrr.exe
PID 2652 wrote to memory of 3968	2652	cssrr.exe	cssrr.exe
PID 2652 wrote to memory of 3968	2652	cssrr.exe	cssrr.exe
PID 2652 wrote to memory of 3968	2652	cssrr.exe	cssrr.exe
PID 2652 wrote to memory of 3968	2652	cssrr.exe	cssrr.exe
PID 2652 wrote to memory of 3968	2652	cssrr.exe	cssrr.exe
PID 2652 wrote to memory of 3968	2652	cssrr.exe	cssrr.exe
PID 2652 wrote to memory of 3968	2652	cssrr.exe	cssrr.exe
PID 2652 wrote to memory of 3968	2652	cssrr.exe	cssrr.exe
PID 2652 wrote to memory of 3968	2652	cssrr.exe	cssrr.exe
PID 2652 wrote to memory of 3968	2652	cssrr.exe	cssrr.exe

C:\Users\Admin\AppData\Local\Temp\79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe
"C:\Users\Admin\AppData\Local\Temp\79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe"
1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe":ZONE.identifier & exit
2⤵
- NTFS ADS
PID:2020

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe":ZONE.identifier & exit
3⤵
- NTFS ADS
PID:3152

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0.exe
MD5
70370dcb2ad41fb78d0439236518c6c2

SHA1
35d86808ab71511ca0aaf5268dad6644718d3eb3

SHA256
79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0

SHA512
7d697c6a89c0b9b7eb57ba4df5feba4aeac410187187ab67779f8f300eb7f908925df62ef9b11923337f55b4a805ef68c719432caa3c880d1d26c63cd35fb0ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe
MD5
70370dcb2ad41fb78d0439236518c6c2

SHA1
35d86808ab71511ca0aaf5268dad6644718d3eb3

SHA256
79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0

SHA512
7d697c6a89c0b9b7eb57ba4df5feba4aeac410187187ab67779f8f300eb7f908925df62ef9b11923337f55b4a805ef68c719432caa3c880d1d26c63cd35fb0ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe
MD5
70370dcb2ad41fb78d0439236518c6c2

SHA1
35d86808ab71511ca0aaf5268dad6644718d3eb3

SHA256
79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0

SHA512
7d697c6a89c0b9b7eb57ba4df5feba4aeac410187187ab67779f8f300eb7f908925df62ef9b11923337f55b4a805ef68c719432caa3c880d1d26c63cd35fb0ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe
MD5
70370dcb2ad41fb78d0439236518c6c2

SHA1
35d86808ab71511ca0aaf5268dad6644718d3eb3

SHA256
79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0

SHA512
7d697c6a89c0b9b7eb57ba4df5feba4aeac410187187ab67779f8f300eb7f908925df62ef9b11923337f55b4a805ef68c719432caa3c880d1d26c63cd35fb0ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SubFolder\SubFolder\cssrr.exe
MD5
70370dcb2ad41fb78d0439236518c6c2

SHA1
35d86808ab71511ca0aaf5268dad6644718d3eb3

SHA256
79ad6abe442b9e7120ca8b44d9c5f4a187d67d27d25d7ce2be64f011431633a0

SHA512
7d697c6a89c0b9b7eb57ba4df5feba4aeac410187187ab67779f8f300eb7f908925df62ef9b11923337f55b4a805ef68c719432caa3c880d1d26c63cd35fb0ee

Download Submit
memory/900-114-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/2020-115-0x0000000000000000-mapping.dmp

Download
memory/2652-120-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/2652-117-0x0000000000000000-mapping.dmp

Download
memory/2652-126-0x0000000002E31000-0x0000000002E32000-memory.dmp

Filesize
4KB

Download
memory/3152-121-0x0000000000000000-mapping.dmp

Download
memory/3968-122-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3968-123-0x000000000048F888-mapping.dmp

Download
memory/3968-127-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads