darkcomet | 8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2

Analysis

max time kernel
151s
max time network
53s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe
Size

875KB
MD5

6ac1919b323d4d6ec6d7274410abe330
SHA1

a9fe775a162462cd8ef83e6d9a2765768e432f01
SHA256

8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2
SHA512

95c2ace0622a4182ec5d453a324841e0b6cc54470d03f5da77907f0782f6e9890ae085fbfa651b8c1c941cad23423469df2e18e5696a188e1146cb2808feed6f
SSDEEP

12288:dr5i38VeUbBiWuqHefYKBlhAF7ghw48XcCmsGKV3ox+4+gVM2FykVo39/399u0DP:C3kF3CYKBl8ghw4UcqGKV3oj+Y6t/t

Score

10^/10

darkcomet victima rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victima

mala-87.no-ip.org:1604

Mutex

DC_MUTEX-3MAFGMY

Attributes

gencode
8Z1er2KVl9bV
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Suspicious use of SetThreadContext 1 IoCs

Processes:

8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe

description pid process target process

PID 1184 set thread context of 900 1184 8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe cvtres.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1184 set thread context of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.execvtres.exe

description	pid	process
Token: SeDebugPrivilege	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe
Token: SeIncreaseQuotaPrivilege	900	cvtres.exe
Token: SeSecurityPrivilege	900	cvtres.exe
Token: SeTakeOwnershipPrivilege	900	cvtres.exe
Token: SeLoadDriverPrivilege	900	cvtres.exe
Token: SeSystemProfilePrivilege	900	cvtres.exe
Token: SeSystemtimePrivilege	900	cvtres.exe
Token: SeProfSingleProcessPrivilege	900	cvtres.exe
Token: SeIncBasePriorityPrivilege	900	cvtres.exe
Token: SeCreatePagefilePrivilege	900	cvtres.exe
Token: SeBackupPrivilege	900	cvtres.exe
Token: SeRestorePrivilege	900	cvtres.exe
Token: SeShutdownPrivilege	900	cvtres.exe
Token: SeDebugPrivilege	900	cvtres.exe
Token: SeSystemEnvironmentPrivilege	900	cvtres.exe
Token: SeChangeNotifyPrivilege	900	cvtres.exe
Token: SeRemoteShutdownPrivilege	900	cvtres.exe
Token: SeUndockPrivilege	900	cvtres.exe
Token: SeManageVolumePrivilege	900	cvtres.exe
Token: SeImpersonatePrivilege	900	cvtres.exe
Token: SeCreateGlobalPrivilege	900	cvtres.exe
Token: 33	900	cvtres.exe
Token: 34	900	cvtres.exe
Token: 35	900	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cvtres.exe

pid process

900 cvtres.exe

pid	process
900	cvtres.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe

description	pid	process	target process
PID 1184 wrote to memory of 988	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	WScript.exe
PID 1184 wrote to memory of 988	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	WScript.exe
PID 1184 wrote to memory of 988	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	WScript.exe
PID 1184 wrote to memory of 988	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	WScript.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe
PID 1184 wrote to memory of 900	1184	8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe
"C:\Users\Admin\AppData\Local\Temp\8f1fb8b85fb5b2c5398c7061661d0cada9dea27004c7ca4152b67d8af39dcec2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc.vbs"
2⤵
PID:988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cc.vbs
Filesize
378B

MD5
823d8146f0eaa4a23ada912e42e7821a

SHA1
ecb22e79fad7a25d95e602acc37132fd881c5e94

SHA256
89ebc741d117424068d2ffbe400d709945e5897cc54437e80f0e4f9ae0509244

SHA512
574cf41618a1d258dd5a6496887556dca161833394a8bfcc19ffaff35d1bccf7999b54d9e43379838f53cb9e9120bb4f3ea7795dd8de4b167f6566d3dec1328b

Download Submit
memory/900-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/900-61-0x000000000048F888-mapping.dmp

Download
memory/900-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/900-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/900-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/900-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/988-57-0x0000000000000000-mapping.dmp

Download
memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1184-55-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-56-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-64-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download