darkcomet | 5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932

General

Target

5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Size

756KB
MD5

30cd1eb2e9eb2de1b915df13e69d9ab5
SHA1

b08ebca830448d2607741169c8c96de385b90a92
SHA256

5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932
SHA512

1d64fc1205609d4e3139dc43340e8e62c81810ddee9ab532883dda49b3c315292c3e826071effafbb8b4aabc61ffe3587f5e8fdc7bb384a4e05ceeba8bf2f9bb

Score

10^/10

darkcomet p_olsen persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

P_Olsen

C2

secure.gotdns.com:5053

Mutex

DC_MUTEX-CKVKEKE

Attributes

InstallPath
Final Fantasy\FFXIV.exe
gencode
8K1HPoiJsS4s
install
true
offline_keylogger
true
persistence
true
reg_key
FFupdater

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Favorites\\Final Fantasy\\FFXIV.exe"	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe

Executes dropped EXE 1 IoCs

Processes:

FFXIV.exe

pid process

1392 FFXIV.exe

pid	process
1392	FFXIV.exe

Loads dropped DLL 2 IoCs

Processes:

5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe

pid	process
1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\FFupdater = "C:\\Users\\Admin\\Favorites\\Final Fantasy\\FFXIV.exe"	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exeFFXIV.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeSecurityPrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeTakeOwnershipPrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeLoadDriverPrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeSystemProfilePrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeSystemtimePrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeProfSingleProcessPrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeIncBasePriorityPrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeCreatePagefilePrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeBackupPrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeRestorePrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeShutdownPrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeDebugPrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeSystemEnvironmentPrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeChangeNotifyPrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeRemoteShutdownPrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeUndockPrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeManageVolumePrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeImpersonatePrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeCreateGlobalPrivilege	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: 33	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: 34	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: 35	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
Token: SeIncreaseQuotaPrivilege	1392	FFXIV.exe
Token: SeSecurityPrivilege	1392	FFXIV.exe
Token: SeTakeOwnershipPrivilege	1392	FFXIV.exe
Token: SeLoadDriverPrivilege	1392	FFXIV.exe
Token: SeSystemProfilePrivilege	1392	FFXIV.exe
Token: SeSystemtimePrivilege	1392	FFXIV.exe
Token: SeProfSingleProcessPrivilege	1392	FFXIV.exe
Token: SeIncBasePriorityPrivilege	1392	FFXIV.exe
Token: SeCreatePagefilePrivilege	1392	FFXIV.exe
Token: SeBackupPrivilege	1392	FFXIV.exe
Token: SeRestorePrivilege	1392	FFXIV.exe
Token: SeShutdownPrivilege	1392	FFXIV.exe
Token: SeDebugPrivilege	1392	FFXIV.exe
Token: SeSystemEnvironmentPrivilege	1392	FFXIV.exe
Token: SeChangeNotifyPrivilege	1392	FFXIV.exe
Token: SeRemoteShutdownPrivilege	1392	FFXIV.exe
Token: SeUndockPrivilege	1392	FFXIV.exe
Token: SeManageVolumePrivilege	1392	FFXIV.exe
Token: SeImpersonatePrivilege	1392	FFXIV.exe
Token: SeCreateGlobalPrivilege	1392	FFXIV.exe
Token: 33	1392	FFXIV.exe
Token: 34	1392	FFXIV.exe
Token: 35	1392	FFXIV.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

FFXIV.exe

pid process

1392 FFXIV.exe

pid	process
1392	FFXIV.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe

description	pid	process	target process
PID 1132 wrote to memory of 1392	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe	FFXIV.exe
PID 1132 wrote to memory of 1392	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe	FFXIV.exe
PID 1132 wrote to memory of 1392	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe	FFXIV.exe
PID 1132 wrote to memory of 1392	1132	5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe	FFXIV.exe

C:\Users\Admin\AppData\Local\Temp\5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe
"C:\Users\Admin\AppData\Local\Temp\5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\Favorites\Final Fantasy\FFXIV.exe
"C:\Users\Admin\Favorites\Final Fantasy\FFXIV.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Favorites\Final Fantasy\FFXIV.exe
Filesize
756KB

MD5
30cd1eb2e9eb2de1b915df13e69d9ab5

SHA1
b08ebca830448d2607741169c8c96de385b90a92

SHA256
5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932

SHA512
1d64fc1205609d4e3139dc43340e8e62c81810ddee9ab532883dda49b3c315292c3e826071effafbb8b4aabc61ffe3587f5e8fdc7bb384a4e05ceeba8bf2f9bb

Download Submit
C:\Users\Admin\Favorites\Final Fantasy\FFXIV.exe
Filesize
756KB

MD5
30cd1eb2e9eb2de1b915df13e69d9ab5

SHA1
b08ebca830448d2607741169c8c96de385b90a92

SHA256
5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932

SHA512
1d64fc1205609d4e3139dc43340e8e62c81810ddee9ab532883dda49b3c315292c3e826071effafbb8b4aabc61ffe3587f5e8fdc7bb384a4e05ceeba8bf2f9bb

Download Submit
\Users\Admin\Favorites\Final Fantasy\FFXIV.exe
Filesize
756KB

MD5
30cd1eb2e9eb2de1b915df13e69d9ab5

SHA1
b08ebca830448d2607741169c8c96de385b90a92

SHA256
5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932

SHA512
1d64fc1205609d4e3139dc43340e8e62c81810ddee9ab532883dda49b3c315292c3e826071effafbb8b4aabc61ffe3587f5e8fdc7bb384a4e05ceeba8bf2f9bb

Download Submit
\Users\Admin\Favorites\Final Fantasy\FFXIV.exe
Filesize
756KB

MD5
30cd1eb2e9eb2de1b915df13e69d9ab5

SHA1
b08ebca830448d2607741169c8c96de385b90a92

SHA256
5f21c7279140fe637b951a0678c7fe6fd84198a43cf26d3b21e1e37ebc12b932

SHA512
1d64fc1205609d4e3139dc43340e8e62c81810ddee9ab532883dda49b3c315292c3e826071effafbb8b4aabc61ffe3587f5e8fdc7bb384a4e05ceeba8bf2f9bb

Download Submit
memory/1132-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/1392-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads