darkcomet | bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
Size

759KB
MD5

5a8b8f6969ad1562fa7429de7da84ac0
SHA1

b7fd78d674bd0c72a685fb3c8957118c6bc9d5e3
SHA256

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0
SHA512

a8aa1ea5a7b6ec10d75d9179f8e51b3c2be6a4acf86524e326ea1c6207a99f4ed5ce05a2ea7b1f405d4ce88db6fc27c2ce1d86fbfe482d0cdbe1416dc353364e
SSDEEP

12288:awoEPOA85/98nxvUy96snJFHyVKMsYghTsKi1033G6366G7pkz8fdjzfJpFSa2jf:/S5OnjAuSVKvPhTsKiIi6p81PEjf

Score

10^/10

darkcomet infected persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Infected

saerchap.no-ip.biz:1604

Mutex

DC_MUTEX-TBLTDNE

Attributes

gencode
0y0oASJgFJ6Q
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

msconfig.exe

pid process

616 msconfig.exe

pid	process
616	msconfig.exe

Loads dropped DLL 6 IoCs

Processes:

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe

pid	process
1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\FacbookUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\FacbookUpdate.exe"	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe

description	pid	process	target process
PID 1324 set thread context of 616	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe

pid	process
1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exemsconfig.exe

description	pid	process
Token: SeDebugPrivilege	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
Token: SeIncreaseQuotaPrivilege	616	msconfig.exe
Token: SeSecurityPrivilege	616	msconfig.exe
Token: SeTakeOwnershipPrivilege	616	msconfig.exe
Token: SeLoadDriverPrivilege	616	msconfig.exe
Token: SeSystemProfilePrivilege	616	msconfig.exe
Token: SeSystemtimePrivilege	616	msconfig.exe
Token: SeProfSingleProcessPrivilege	616	msconfig.exe
Token: SeIncBasePriorityPrivilege	616	msconfig.exe
Token: SeCreatePagefilePrivilege	616	msconfig.exe
Token: SeBackupPrivilege	616	msconfig.exe
Token: SeRestorePrivilege	616	msconfig.exe
Token: SeShutdownPrivilege	616	msconfig.exe
Token: SeDebugPrivilege	616	msconfig.exe
Token: SeSystemEnvironmentPrivilege	616	msconfig.exe
Token: SeChangeNotifyPrivilege	616	msconfig.exe
Token: SeRemoteShutdownPrivilege	616	msconfig.exe
Token: SeUndockPrivilege	616	msconfig.exe
Token: SeManageVolumePrivilege	616	msconfig.exe
Token: SeImpersonatePrivilege	616	msconfig.exe
Token: SeCreateGlobalPrivilege	616	msconfig.exe
Token: 33	616	msconfig.exe
Token: 34	616	msconfig.exe
Token: 35	616	msconfig.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msconfig.exe

pid process

616 msconfig.exe

pid	process
616	msconfig.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.execsc.exe

description	pid	process	target process
PID 1324 wrote to memory of 832	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	csc.exe
PID 1324 wrote to memory of 832	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	csc.exe
PID 1324 wrote to memory of 832	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	csc.exe
PID 1324 wrote to memory of 832	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	csc.exe
PID 832 wrote to memory of 1476	832	csc.exe	cvtres.exe
PID 832 wrote to memory of 1476	832	csc.exe	cvtres.exe
PID 832 wrote to memory of 1476	832	csc.exe	cvtres.exe
PID 832 wrote to memory of 1476	832	csc.exe	cvtres.exe
PID 1324 wrote to memory of 616	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 1324 wrote to memory of 616	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 1324 wrote to memory of 616	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 1324 wrote to memory of 616	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 1324 wrote to memory of 616	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 1324 wrote to memory of 616	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 1324 wrote to memory of 616	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 1324 wrote to memory of 616	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 1324 wrote to memory of 616	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 1324 wrote to memory of 616	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 1324 wrote to memory of 616	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 1324 wrote to memory of 616	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 1324 wrote to memory of 616	1324	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe

C:\Users\Admin\AppData\Local\Temp\bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
"C:\Users\Admin\AppData\Local\Temp\bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8l0ss90e.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2751.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2750.tmp"
3⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\AppLaunch\msconfig.exe
C:\Users\Admin\AppData\Local\Temp\\AppLaunch\msconfig.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8l0ss90e.dll
Filesize
4KB

MD5
6c8a200b04a44e4d33365e7240a071dc

SHA1
be8349a3a4d35c88968148f28717fdbb2f7943de

SHA256
5883f3339f0f5d154c423111139fefe09aa9f1a36951b4bf7f9bb343da543add

SHA512
907dc3643eb74dedcb77543a95434f9d274be8201727c38def0f043e759c9922aa94ddc8eff34b167aca0f777e2f86440caa9ea7fe0e17514cecfcd98c3bfbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AppLaunch\msconfig.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\AppLaunch\msconfig.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2751.tmp
Filesize
1KB

MD5
948cf8c977cf883958fd17c4a408d942

SHA1
e2cc662d5d146974cd4eb214b56e7815706be309

SHA256
7d71778630513a36436f36042dfea92e51c110241c653ed3bc0a71a862a8d3e2

SHA512
0d50b20e8c9b5688313293b13f2d0600df7abad48ddb33f495eb00974ea93354444e7eadd6254ee03ad11187511d4b73f03e3e42fa07176976d4dc3a3dedfc64

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8l0ss90e.0.cs
Filesize
1KB

MD5
726a6cdc1c8c93a4187bde307bdcce62

SHA1
7be83ba9aa298ee36171b41c2696091eb9096230

SHA256
f80bab86984f7b0a86e23622bc49bd78c54acbf179e9fb4be1ee14fa0a6616d0

SHA512
0ba2ca78052eb3f0bbcb533f2a511d4d2fa459893c0e7f795d255124f079f7b7b6532631ebf72516ec6b67cce132d0b955e87f7369b5fd08c26afb4160e86cdd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8l0ss90e.cmdline
Filesize
195B

MD5
e7dca528bfd4adc7c6c733e2f7d65f5c

SHA1
b3bf3e40d1d019966957b01b09c743b8dbd9f17a

SHA256
848fe8bdb6108ada5845dbcd1fb5df27f79e909f8bd09dbc0260183af2464e6a

SHA512
29a9472bb9828fc372734b5136eca75b8b364277b96eda4da48bb7a9cf71506ed7be09058ce07d2203ec1650287fbc32f32c355025d0128ae5e0c06066ad98bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2750.tmp
Filesize
652B

MD5
f358e3286cc090d9dac725359706ae51

SHA1
d47ce867576c5e440192ba85fc5eb06e94b9f33b

SHA256
caad91b87ea3604dc71345726665ba32aef48fb1e1e7f999099fb741ab75077e

SHA512
ef368277122c7b20d296b557087b59403e5fc022556965013b0354351c57f9934d2c1ae2bfbf4e4d8962d24b52ea5e75ad3ceafafc867b4ca81af3860b95039f

Download Submit
\Users\Admin\AppData\Local\Temp\8l0ss90e.dll
Filesize
4KB

MD5
6c8a200b04a44e4d33365e7240a071dc

SHA1
be8349a3a4d35c88968148f28717fdbb2f7943de

SHA256
5883f3339f0f5d154c423111139fefe09aa9f1a36951b4bf7f9bb343da543add

SHA512
907dc3643eb74dedcb77543a95434f9d274be8201727c38def0f043e759c9922aa94ddc8eff34b167aca0f777e2f86440caa9ea7fe0e17514cecfcd98c3bfbf8

Download Submit
\Users\Admin\AppData\Local\Temp\8l0ss90e.dll
Filesize
4KB

MD5
6c8a200b04a44e4d33365e7240a071dc

SHA1
be8349a3a4d35c88968148f28717fdbb2f7943de

SHA256
5883f3339f0f5d154c423111139fefe09aa9f1a36951b4bf7f9bb343da543add

SHA512
907dc3643eb74dedcb77543a95434f9d274be8201727c38def0f043e759c9922aa94ddc8eff34b167aca0f777e2f86440caa9ea7fe0e17514cecfcd98c3bfbf8

Download Submit
\Users\Admin\AppData\Local\Temp\8l0ss90e.dll
Filesize
4KB

MD5
6c8a200b04a44e4d33365e7240a071dc

SHA1
be8349a3a4d35c88968148f28717fdbb2f7943de

SHA256
5883f3339f0f5d154c423111139fefe09aa9f1a36951b4bf7f9bb343da543add

SHA512
907dc3643eb74dedcb77543a95434f9d274be8201727c38def0f043e759c9922aa94ddc8eff34b167aca0f777e2f86440caa9ea7fe0e17514cecfcd98c3bfbf8

Download Submit
\Users\Admin\AppData\Local\Temp\8l0ss90e.dll
Filesize
4KB

MD5
6c8a200b04a44e4d33365e7240a071dc

SHA1
be8349a3a4d35c88968148f28717fdbb2f7943de

SHA256
5883f3339f0f5d154c423111139fefe09aa9f1a36951b4bf7f9bb343da543add

SHA512
907dc3643eb74dedcb77543a95434f9d274be8201727c38def0f043e759c9922aa94ddc8eff34b167aca0f777e2f86440caa9ea7fe0e17514cecfcd98c3bfbf8

Download Submit
\Users\Admin\AppData\Local\Temp\8l0ss90e.dll
Filesize
4KB

MD5
6c8a200b04a44e4d33365e7240a071dc

SHA1
be8349a3a4d35c88968148f28717fdbb2f7943de

SHA256
5883f3339f0f5d154c423111139fefe09aa9f1a36951b4bf7f9bb343da543add

SHA512
907dc3643eb74dedcb77543a95434f9d274be8201727c38def0f043e759c9922aa94ddc8eff34b167aca0f777e2f86440caa9ea7fe0e17514cecfcd98c3bfbf8

Download Submit
\Users\Admin\AppData\Local\Temp\AppLaunch\msconfig.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/616-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/616-84-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/616-94-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/616-91-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/616-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/616-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/616-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/616-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/616-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/616-80-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/616-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/616-89-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/616-85-0x000000000048F888-mapping.dmp

Download
memory/616-87-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/832-56-0x0000000000000000-mapping.dmp

Download
memory/1324-55-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1324-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1324-92-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1324-93-0x0000000002045000-0x0000000002056000-memory.dmp

Filesize
68KB

Download
memory/1324-58-0x0000000002045000-0x0000000002056000-memory.dmp

Filesize
68KB

Download
memory/1476-60-0x0000000000000000-mapping.dmp

Download