darkcomet | a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62

General

Target

a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Size

252KB
MD5

532a6afb45c841f08a0ff9f104559334
SHA1

2fe9463e271b50907d72174992f4adf5c5c5eace
SHA256

a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62
SHA512

313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4

Score

10^/10

darkcomet evasion persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\proverka_stiller.exe"	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

proverka_stiller.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	proverka_stiller.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	proverka_stiller.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	proverka_stiller.exe

Executes dropped EXE 1 IoCs

Processes:

proverka_stiller.exe

pid process

924 proverka_stiller.exe

pid	process
924	proverka_stiller.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe	upx
\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe	upx
C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe	upx
C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe	upx

Loads dropped DLL 2 IoCs

Processes:

a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

pid	process
1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\proverka_stiller.exe"	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exeproverka_stiller.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeSecurityPrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeTakeOwnershipPrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeLoadDriverPrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeSystemProfilePrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeSystemtimePrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeProfSingleProcessPrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeIncBasePriorityPrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeCreatePagefilePrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeBackupPrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeRestorePrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeShutdownPrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeDebugPrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeSystemEnvironmentPrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeChangeNotifyPrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeRemoteShutdownPrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeUndockPrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeManageVolumePrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeImpersonatePrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeCreateGlobalPrivilege	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: 33	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: 34	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: 35	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
Token: SeIncreaseQuotaPrivilege	924	proverka_stiller.exe
Token: SeSecurityPrivilege	924	proverka_stiller.exe
Token: SeTakeOwnershipPrivilege	924	proverka_stiller.exe
Token: SeLoadDriverPrivilege	924	proverka_stiller.exe
Token: SeSystemProfilePrivilege	924	proverka_stiller.exe
Token: SeSystemtimePrivilege	924	proverka_stiller.exe
Token: SeProfSingleProcessPrivilege	924	proverka_stiller.exe
Token: SeIncBasePriorityPrivilege	924	proverka_stiller.exe
Token: SeCreatePagefilePrivilege	924	proverka_stiller.exe
Token: SeBackupPrivilege	924	proverka_stiller.exe
Token: SeRestorePrivilege	924	proverka_stiller.exe
Token: SeShutdownPrivilege	924	proverka_stiller.exe
Token: SeDebugPrivilege	924	proverka_stiller.exe
Token: SeSystemEnvironmentPrivilege	924	proverka_stiller.exe
Token: SeChangeNotifyPrivilege	924	proverka_stiller.exe
Token: SeRemoteShutdownPrivilege	924	proverka_stiller.exe
Token: SeUndockPrivilege	924	proverka_stiller.exe
Token: SeManageVolumePrivilege	924	proverka_stiller.exe
Token: SeImpersonatePrivilege	924	proverka_stiller.exe
Token: SeCreateGlobalPrivilege	924	proverka_stiller.exe
Token: 33	924	proverka_stiller.exe
Token: 34	924	proverka_stiller.exe
Token: 35	924	proverka_stiller.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

proverka_stiller.exe

pid process

924 proverka_stiller.exe

pid	process
924	proverka_stiller.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe

description	pid	process	target process
PID 1744 wrote to memory of 924	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe	proverka_stiller.exe
PID 1744 wrote to memory of 924	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe	proverka_stiller.exe
PID 1744 wrote to memory of 924	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe	proverka_stiller.exe
PID 1744 wrote to memory of 924	1744	a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe	proverka_stiller.exe

C:\Users\Admin\AppData\Local\Temp\a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe
"C:\Users\Admin\AppData\Local\Temp\a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe"
2⤵
- Modifies firewall policy service
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe
Filesize
252KB

MD5
532a6afb45c841f08a0ff9f104559334

SHA1
2fe9463e271b50907d72174992f4adf5c5c5eace

SHA256
a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62

SHA512
313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe
Filesize
252KB

MD5
532a6afb45c841f08a0ff9f104559334

SHA1
2fe9463e271b50907d72174992f4adf5c5c5eace

SHA256
a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62

SHA512
313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4

Download Submit
\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe
Filesize
252KB

MD5
532a6afb45c841f08a0ff9f104559334

SHA1
2fe9463e271b50907d72174992f4adf5c5c5eace

SHA256
a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62

SHA512
313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4

Download Submit
\Users\Admin\AppData\Roaming\MSDCSC\proverka_stiller.exe
Filesize
252KB

MD5
532a6afb45c841f08a0ff9f104559334

SHA1
2fe9463e271b50907d72174992f4adf5c5c5eace

SHA256
a0f7c2f2ac9cd595abc825bbed28df20ffdbbf7664269cf3c49c106a267dba62

SHA512
313db495bc51449b94484e749a2bee932686fabdfcf2e1a6e2c8caa10fe034960408c2f6a9b90f31e3ae55a1881752fab4baf1bae1fc5d14cf073884c358e7a4

Download Submit
memory/924-57-0x0000000000000000-mapping.dmp

Download
memory/1744-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads