darkcomet | e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21

General

Target

e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe
Size

555KB
MD5

0eb34141a4641bfed8aad9ff39e769c0
SHA1

1db95c652b573a812c54f0d43fee28817d001652
SHA256

e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21
SHA512

561aa2635ff79bb88724b38a195faaadb346c5ee4e6bee5f46d7e1bccc511b03edf58885478fd4aa7d8ca0c1f16db15d081440e14cdc70f209d4f1093cc2ad60
SSDEEP

12288:cgztz6C2jce9DKy4bi1De6wW2gIbJl0ekRzO0FzJAdq:F96zRl+d7luVKmUq

Score

10^/10

darkcomet victime evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victime

C2

taraji19.no-ip.org:81

Mutex

DC_MUTEX-PJKYUUB

Attributes

gencode
7uBzBgo1DC3L
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

cvtres.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	cvtres.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	cvtres.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	cvtres.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

cvtres.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" cvtres.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	cvtres.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	cvtres.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	cvtres.exe

Executes dropped EXE 1 IoCs

Processes:

Tempbackup.exe

pid process

2024 Tempbackup.exe

Loads dropped DLL 2 IoCs

Processes:

e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe

pid	process
1200	e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe
1200	e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Tempbackup.exe

description pid process target process

PID 2024 set thread context of 1112 2024 Tempbackup.exe cvtres.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2024 set thread context of 1112	2024	Tempbackup.exe	cvtres.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Tempbackup.exe

pid	process
2024	Tempbackup.exe
2024	Tempbackup.exe
2024	Tempbackup.exe
2024	Tempbackup.exe
2024	Tempbackup.exe
2024	Tempbackup.exe
2024	Tempbackup.exe
2024	Tempbackup.exe
2024	Tempbackup.exe
2024	Tempbackup.exe
2024	Tempbackup.exe
2024	Tempbackup.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

Tempbackup.execvtres.exe

description	pid	process
Token: SeDebugPrivilege	2024	Tempbackup.exe
Token: SeIncreaseQuotaPrivilege	1112	cvtres.exe
Token: SeSecurityPrivilege	1112	cvtres.exe
Token: SeTakeOwnershipPrivilege	1112	cvtres.exe
Token: SeLoadDriverPrivilege	1112	cvtres.exe
Token: SeSystemProfilePrivilege	1112	cvtres.exe
Token: SeSystemtimePrivilege	1112	cvtres.exe
Token: SeProfSingleProcessPrivilege	1112	cvtres.exe
Token: SeIncBasePriorityPrivilege	1112	cvtres.exe
Token: SeCreatePagefilePrivilege	1112	cvtres.exe
Token: SeBackupPrivilege	1112	cvtres.exe
Token: SeRestorePrivilege	1112	cvtres.exe
Token: SeShutdownPrivilege	1112	cvtres.exe
Token: SeDebugPrivilege	1112	cvtres.exe
Token: SeSystemEnvironmentPrivilege	1112	cvtres.exe
Token: SeChangeNotifyPrivilege	1112	cvtres.exe
Token: SeRemoteShutdownPrivilege	1112	cvtres.exe
Token: SeUndockPrivilege	1112	cvtres.exe
Token: SeManageVolumePrivilege	1112	cvtres.exe
Token: SeImpersonatePrivilege	1112	cvtres.exe
Token: SeCreateGlobalPrivilege	1112	cvtres.exe
Token: 33	1112	cvtres.exe
Token: 34	1112	cvtres.exe
Token: 35	1112	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cvtres.exe

pid process

1112 cvtres.exe

pid	process
1112	cvtres.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exeTempbackup.exe

description	pid	process	target process
PID 1200 wrote to memory of 2024	1200	e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe	Tempbackup.exe
PID 1200 wrote to memory of 2024	1200	e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe	Tempbackup.exe
PID 1200 wrote to memory of 2024	1200	e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe	Tempbackup.exe
PID 1200 wrote to memory of 2024	1200	e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe	Tempbackup.exe
PID 2024 wrote to memory of 1112	2024	Tempbackup.exe	cvtres.exe
PID 2024 wrote to memory of 1112	2024	Tempbackup.exe	cvtres.exe
PID 2024 wrote to memory of 1112	2024	Tempbackup.exe	cvtres.exe
PID 2024 wrote to memory of 1112	2024	Tempbackup.exe	cvtres.exe
PID 2024 wrote to memory of 1112	2024	Tempbackup.exe	cvtres.exe
PID 2024 wrote to memory of 1112	2024	Tempbackup.exe	cvtres.exe
PID 2024 wrote to memory of 1112	2024	Tempbackup.exe	cvtres.exe
PID 2024 wrote to memory of 1112	2024	Tempbackup.exe	cvtres.exe
PID 2024 wrote to memory of 1112	2024	Tempbackup.exe	cvtres.exe
PID 2024 wrote to memory of 1112	2024	Tempbackup.exe	cvtres.exe
PID 2024 wrote to memory of 1112	2024	Tempbackup.exe	cvtres.exe
PID 2024 wrote to memory of 1112	2024	Tempbackup.exe	cvtres.exe
PID 2024 wrote to memory of 1112	2024	Tempbackup.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe
"C:\Users\Admin\AppData\Local\Temp\e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Tempbackup.exe
"C:\Users\Admin\AppData\Local\Tempbackup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

1

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Tempbackup.exe
Filesize
712KB

MD5
01fbb6e64191fa99010e6b9bd11e5897

SHA1
2c5d27b3c9065bebe9d5f8cda7e45dc63f2b88ef

SHA256
cb38969a8bfb689ead2ffdd11007a96bd5291681f4fa635cd23742332ee79021

SHA512
bfafa4b4eaf70edc5e741db405d6f5a99c7a6e8df909b69d1ec507522a886780275424a5b2fa7a944f3a4af0851947e50ab25b040989113fb024586532161083

Download Submit
C:\Users\Admin\AppData\Local\Tempbackup.exe
Filesize
712KB

MD5
01fbb6e64191fa99010e6b9bd11e5897

SHA1
2c5d27b3c9065bebe9d5f8cda7e45dc63f2b88ef

SHA256
cb38969a8bfb689ead2ffdd11007a96bd5291681f4fa635cd23742332ee79021

SHA512
bfafa4b4eaf70edc5e741db405d6f5a99c7a6e8df909b69d1ec507522a886780275424a5b2fa7a944f3a4af0851947e50ab25b040989113fb024586532161083

Download Submit
\Users\Admin\AppData\Local\Tempbackup.exe
Filesize
712KB

MD5
01fbb6e64191fa99010e6b9bd11e5897

SHA1
2c5d27b3c9065bebe9d5f8cda7e45dc63f2b88ef

SHA256
cb38969a8bfb689ead2ffdd11007a96bd5291681f4fa635cd23742332ee79021

SHA512
bfafa4b4eaf70edc5e741db405d6f5a99c7a6e8df909b69d1ec507522a886780275424a5b2fa7a944f3a4af0851947e50ab25b040989113fb024586532161083

Download Submit
\Users\Admin\AppData\Local\Tempbackup.exe
Filesize
712KB

MD5
01fbb6e64191fa99010e6b9bd11e5897

SHA1
2c5d27b3c9065bebe9d5f8cda7e45dc63f2b88ef

SHA256
cb38969a8bfb689ead2ffdd11007a96bd5291681f4fa635cd23742332ee79021

SHA512
bfafa4b4eaf70edc5e741db405d6f5a99c7a6e8df909b69d1ec507522a886780275424a5b2fa7a944f3a4af0851947e50ab25b040989113fb024586532161083

Download Submit
memory/1112-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-84-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-83-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-78-0x000000000048F888-mapping.dmp

Download
memory/1112-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1200-54-0x0000000000100000-0x0000000000190000-memory.dmp

Filesize
576KB

Download
memory/1200-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1200-56-0x0000000004ED0000-0x0000000004F86000-memory.dmp

Filesize
728KB

Download
memory/2024-80-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads