darkcomet | bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
Size

759KB
MD5

5a8b8f6969ad1562fa7429de7da84ac0
SHA1

b7fd78d674bd0c72a685fb3c8957118c6bc9d5e3
SHA256

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0
SHA512

a8aa1ea5a7b6ec10d75d9179f8e51b3c2be6a4acf86524e326ea1c6207a99f4ed5ce05a2ea7b1f405d4ce88db6fc27c2ce1d86fbfe482d0cdbe1416dc353364e
SSDEEP

12288:awoEPOA85/98nxvUy96snJFHyVKMsYghTsKi1033G6366G7pkz8fdjzfJpFSa2jf:/S5OnjAuSVKvPhTsKiIi6p81PEjf

Score

10^/10

darkcomet infected persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Infected

saerchap.no-ip.biz:1604

Mutex

DC_MUTEX-TBLTDNE

Attributes

gencode
0y0oASJgFJ6Q
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

msconfig.exe

pid process

2380 msconfig.exe

pid	process
2380	msconfig.exe

Loads dropped DLL 6 IoCs

Processes:

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe

pid	process
4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FacbookUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\FacbookUpdate.exe"	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe

description	pid	process	target process
PID 4744 set thread context of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe

pid	process
4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exemsconfig.exe

description	pid	process
Token: SeDebugPrivilege	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
Token: SeIncreaseQuotaPrivilege	2380	msconfig.exe
Token: SeSecurityPrivilege	2380	msconfig.exe
Token: SeTakeOwnershipPrivilege	2380	msconfig.exe
Token: SeLoadDriverPrivilege	2380	msconfig.exe
Token: SeSystemProfilePrivilege	2380	msconfig.exe
Token: SeSystemtimePrivilege	2380	msconfig.exe
Token: SeProfSingleProcessPrivilege	2380	msconfig.exe
Token: SeIncBasePriorityPrivilege	2380	msconfig.exe
Token: SeCreatePagefilePrivilege	2380	msconfig.exe
Token: SeBackupPrivilege	2380	msconfig.exe
Token: SeRestorePrivilege	2380	msconfig.exe
Token: SeShutdownPrivilege	2380	msconfig.exe
Token: SeDebugPrivilege	2380	msconfig.exe
Token: SeSystemEnvironmentPrivilege	2380	msconfig.exe
Token: SeChangeNotifyPrivilege	2380	msconfig.exe
Token: SeRemoteShutdownPrivilege	2380	msconfig.exe
Token: SeUndockPrivilege	2380	msconfig.exe
Token: SeManageVolumePrivilege	2380	msconfig.exe
Token: SeImpersonatePrivilege	2380	msconfig.exe
Token: SeCreateGlobalPrivilege	2380	msconfig.exe
Token: 33	2380	msconfig.exe
Token: 34	2380	msconfig.exe
Token: 35	2380	msconfig.exe
Token: 36	2380	msconfig.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msconfig.exe

pid process

2380 msconfig.exe

pid	process
2380	msconfig.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.execsc.exe

description	pid	process	target process
PID 4744 wrote to memory of 1928	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	csc.exe
PID 4744 wrote to memory of 1928	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	csc.exe
PID 4744 wrote to memory of 1928	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	csc.exe
PID 1928 wrote to memory of 5072	1928	csc.exe	cvtres.exe
PID 1928 wrote to memory of 5072	1928	csc.exe	cvtres.exe
PID 1928 wrote to memory of 5072	1928	csc.exe	cvtres.exe
PID 4744 wrote to memory of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 4744 wrote to memory of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 4744 wrote to memory of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 4744 wrote to memory of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 4744 wrote to memory of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 4744 wrote to memory of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 4744 wrote to memory of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 4744 wrote to memory of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 4744 wrote to memory of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 4744 wrote to memory of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 4744 wrote to memory of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 4744 wrote to memory of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 4744 wrote to memory of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe
PID 4744 wrote to memory of 2380	4744	bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe	msconfig.exe

C:\Users\Admin\AppData\Local\Temp\bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe
"C:\Users\Admin\AppData\Local\Temp\bb91821b2eb572a4daafeaae2dedf518abe9c07104fe96f2c6281f123ad161d0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3pnupqpt.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBBD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEBBC.tmp"
3⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\AppLaunch\msconfig.exe
C:\Users\Admin\AppData\Local\Temp\\AppLaunch\msconfig.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3pnupqpt.dll
Filesize
4KB

MD5
c7e9220490774c0306663af97056a4e0

SHA1
e48d706bc182478d986ce46b143e63b0dfab2b41

SHA256
404defe062e339faa44499d0ef24c3dbac525a1844959e867424bc3f6ddb8c50

SHA512
ddf710ba387a2d005f8be782256784d850c479d4aade8804790dfeb57104c60bee23b892e832f07eada71f0b9e744105b03ddcb2d07297ffe06cbbb4dea7995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3pnupqpt.dll
Filesize
4KB

MD5
c7e9220490774c0306663af97056a4e0

SHA1
e48d706bc182478d986ce46b143e63b0dfab2b41

SHA256
404defe062e339faa44499d0ef24c3dbac525a1844959e867424bc3f6ddb8c50

SHA512
ddf710ba387a2d005f8be782256784d850c479d4aade8804790dfeb57104c60bee23b892e832f07eada71f0b9e744105b03ddcb2d07297ffe06cbbb4dea7995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3pnupqpt.dll
Filesize
4KB

MD5
c7e9220490774c0306663af97056a4e0

SHA1
e48d706bc182478d986ce46b143e63b0dfab2b41

SHA256
404defe062e339faa44499d0ef24c3dbac525a1844959e867424bc3f6ddb8c50

SHA512
ddf710ba387a2d005f8be782256784d850c479d4aade8804790dfeb57104c60bee23b892e832f07eada71f0b9e744105b03ddcb2d07297ffe06cbbb4dea7995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3pnupqpt.dll
Filesize
4KB

MD5
c7e9220490774c0306663af97056a4e0

SHA1
e48d706bc182478d986ce46b143e63b0dfab2b41

SHA256
404defe062e339faa44499d0ef24c3dbac525a1844959e867424bc3f6ddb8c50

SHA512
ddf710ba387a2d005f8be782256784d850c479d4aade8804790dfeb57104c60bee23b892e832f07eada71f0b9e744105b03ddcb2d07297ffe06cbbb4dea7995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3pnupqpt.dll
Filesize
4KB

MD5
c7e9220490774c0306663af97056a4e0

SHA1
e48d706bc182478d986ce46b143e63b0dfab2b41

SHA256
404defe062e339faa44499d0ef24c3dbac525a1844959e867424bc3f6ddb8c50

SHA512
ddf710ba387a2d005f8be782256784d850c479d4aade8804790dfeb57104c60bee23b892e832f07eada71f0b9e744105b03ddcb2d07297ffe06cbbb4dea7995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3pnupqpt.dll
Filesize
4KB

MD5
c7e9220490774c0306663af97056a4e0

SHA1
e48d706bc182478d986ce46b143e63b0dfab2b41

SHA256
404defe062e339faa44499d0ef24c3dbac525a1844959e867424bc3f6ddb8c50

SHA512
ddf710ba387a2d005f8be782256784d850c479d4aade8804790dfeb57104c60bee23b892e832f07eada71f0b9e744105b03ddcb2d07297ffe06cbbb4dea7995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3pnupqpt.dll
Filesize
4KB

MD5
c7e9220490774c0306663af97056a4e0

SHA1
e48d706bc182478d986ce46b143e63b0dfab2b41

SHA256
404defe062e339faa44499d0ef24c3dbac525a1844959e867424bc3f6ddb8c50

SHA512
ddf710ba387a2d005f8be782256784d850c479d4aade8804790dfeb57104c60bee23b892e832f07eada71f0b9e744105b03ddcb2d07297ffe06cbbb4dea7995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AppLaunch\msconfig.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\AppLaunch\msconfig.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEBBD.tmp
Filesize
1KB

MD5
99e6b78a599e446659cbd8eca7329628

SHA1
722bc06daa5eb3d6cae9e5bf8161cde445facb05

SHA256
64f32e31598ae47a0b665f4a0189c2211d9bc0c29001efb4fbbde16740a54d6f

SHA512
21d757737900398b2e39e96df1d4652b24e1400cc05a7368d3314977692ac97e844110b2cb7f6a6ea869d7a8101249c3b30ffa3a045fdae5839652fc24583be5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3pnupqpt.0.cs
Filesize
1KB

MD5
726a6cdc1c8c93a4187bde307bdcce62

SHA1
7be83ba9aa298ee36171b41c2696091eb9096230

SHA256
f80bab86984f7b0a86e23622bc49bd78c54acbf179e9fb4be1ee14fa0a6616d0

SHA512
0ba2ca78052eb3f0bbcb533f2a511d4d2fa459893c0e7f795d255124f079f7b7b6532631ebf72516ec6b67cce132d0b955e87f7369b5fd08c26afb4160e86cdd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3pnupqpt.cmdline
Filesize
195B

MD5
d90bcd94b4b896a143b85fc8e6964b35

SHA1
dfd8efb7346a753b9ec63ffb074c49c6d095712c

SHA256
10272865f8019f44378efc466786e5508866ac96ffc8bb56e7e282d5e0ba45ca

SHA512
2d0c191d57e1f52ebdeff13e34726998e4b72a8c3c5cab27d63acc474a88378cac9032e679ee899a879f9e5d6e275fad89f5360fc9ec26f51001849406ac611c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEBBC.tmp
Filesize
652B

MD5
e90a7bb55462575b93bf24abb4b24427

SHA1
cc6231de5324e935a077d97de55597de86abd833

SHA256
2c2d5dc7fc49adae0abbf8afbd6fcd5049d3ec17cc84b7fb7499741fd10baa14

SHA512
6c388488ae80abf8e5823749c2452e63cc42ae87fb24da44773b4d5d8e8f4aa67dee590e417748b77c28ea04dad9c281be36de27cd814df570fcedc08f165a69

Download Submit
memory/1928-133-0x0000000000000000-mapping.dmp

Download
memory/2380-147-0x0000000000000000-mapping.dmp

Download
memory/2380-148-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2380-151-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2380-152-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2380-154-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2380-155-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2380-156-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4744-146-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-132-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/5072-136-0x0000000000000000-mapping.dmp

Download