darkcomet | f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe
Size

1.6MB
MD5

89418ac99b68915cc75f40017b9200f4
SHA1

b553cdd0b5fd5d7f876af6c9bd5d2f290ccce8cb
SHA256

f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864
SHA512

7139dae64f3b7e9597a3037be41091a14bc45ff02d3b2727fcc771f5a76107ba428336ccd2e65bc3eecd86c3dfed4c5881fe2a0203b6bfa13ec31e154b4a320f
SSDEEP

49152:akwkn9IMHeatoJ780x4LQ9yGsyGnaPCS:JdnVCyc4L0UXaPC

Score

10^/10

darkcomet slave evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

blackblaz3.ddns.net:1604

Mutex

DC_MUTEX-XJGX3JT

Attributes

gencode
NP987AHgXmFk
install
false
offline_keylogger
false
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system32conf.exe

Executes dropped EXE 2 IoCs

pid	Process
1536	system32conf.exe
1912	system32conf.exe

Loads dropped DLL 2 IoCs

pid	Process
2000	f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe
1536	system32conf.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system32conf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	system32conf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\system32conf.exe"	system32conf.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00090000000122ef-56.dat	autoit_exe
behavioral1/files/0x00090000000122ef-58.dat	autoit_exe
behavioral1/files/0x00090000000122ef-61.dat	autoit_exe
behavioral1/files/0x00090000000122ef-66.dat	autoit_exe
behavioral1/files/0x00090000000122ef-71.dat	autoit_exe
behavioral1/files/0x00090000000122ef-75.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1536 set thread context of 1912	1536	system32conf.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe:Zone.Identifier:$DATA	f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe
File created	C:\Users\Admin\AppData\Roaming\system32conf.exe\:Zone.Identifier:$DATA	f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\system32conf.exe:Zone.Identifier:$DATA	system32conf.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
864	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe
1536	system32conf.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1912	system32conf.exe
Token: SeSecurityPrivilege	1912	system32conf.exe
Token: SeTakeOwnershipPrivilege	1912	system32conf.exe
Token: SeLoadDriverPrivilege	1912	system32conf.exe
Token: SeSystemProfilePrivilege	1912	system32conf.exe
Token: SeSystemtimePrivilege	1912	system32conf.exe
Token: SeProfSingleProcessPrivilege	1912	system32conf.exe
Token: SeIncBasePriorityPrivilege	1912	system32conf.exe
Token: SeCreatePagefilePrivilege	1912	system32conf.exe
Token: SeBackupPrivilege	1912	system32conf.exe
Token: SeRestorePrivilege	1912	system32conf.exe
Token: SeShutdownPrivilege	1912	system32conf.exe
Token: SeDebugPrivilege	1912	system32conf.exe
Token: SeSystemEnvironmentPrivilege	1912	system32conf.exe
Token: SeChangeNotifyPrivilege	1912	system32conf.exe
Token: SeRemoteShutdownPrivilege	1912	system32conf.exe
Token: SeUndockPrivilege	1912	system32conf.exe
Token: SeManageVolumePrivilege	1912	system32conf.exe
Token: SeImpersonatePrivilege	1912	system32conf.exe
Token: SeCreateGlobalPrivilege	1912	system32conf.exe
Token: 33	1912	system32conf.exe
Token: 34	1912	system32conf.exe
Token: 35	1912	system32conf.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1624	DllHost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1536	2000	f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe	29
PID 2000 wrote to memory of 1536	2000	f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe	29
PID 2000 wrote to memory of 1536	2000	f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe	29
PID 2000 wrote to memory of 1536	2000	f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe	29
PID 2000 wrote to memory of 1404	2000	f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe	30
PID 2000 wrote to memory of 1404	2000	f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe	30
PID 2000 wrote to memory of 1404	2000	f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe	30
PID 2000 wrote to memory of 1404	2000	f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe	30
PID 1404 wrote to memory of 864	1404	cmd.exe	33
PID 1404 wrote to memory of 864	1404	cmd.exe	33
PID 1404 wrote to memory of 864	1404	cmd.exe	33
PID 1404 wrote to memory of 864	1404	cmd.exe	33
PID 1536 wrote to memory of 1912	1536	system32conf.exe	34
PID 1536 wrote to memory of 1912	1536	system32conf.exe	34
PID 1536 wrote to memory of 1912	1536	system32conf.exe	34
PID 1536 wrote to memory of 1912	1536	system32conf.exe	34
PID 1536 wrote to memory of 1912	1536	system32conf.exe	34
PID 1536 wrote to memory of 1912	1536	system32conf.exe	34

C:\Users\Admin\AppData\Local\Temp\f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe
"C:\Users\Admin\AppData\Local\Temp\f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Roaming\system32conf.exe
  C:\Users\Admin\AppData\Roaming\system32conf.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Users\Admin\AppData\Roaming\system32conf.exe
    "C:\Users\Admin\AppData\Roaming\system32conf.exe"
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Tempscratch.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 0127.0.0.1
    3⤵
    - Runs ping.exe
    PID:864

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Tempindex.jpg

Filesize
3KB

MD5
aad4816d853e7d4d0334ea14314c8900

SHA1
e5f442fd282b5d6b2efad041ba9de1bf170cd139

SHA256
e1433fc165426f80b7c54bcc51f8ce313309a89c0b8af4c4ebfffec04884d7d5

SHA512
b899938a2298ce3b9b4056d234295e6a46e7a3175788720a00cf7be22290c6ff3335ef56d6dddee46962e71bdf46ed23c008ffa9b00504c1ba1efde9fa14c1e8

Download Submit
C:\Users\Admin\AppData\Local\Tempindex.jpg

Filesize
3KB

MD5
aad4816d853e7d4d0334ea14314c8900

SHA1
e5f442fd282b5d6b2efad041ba9de1bf170cd139

SHA256
e1433fc165426f80b7c54bcc51f8ce313309a89c0b8af4c4ebfffec04884d7d5

SHA512
b899938a2298ce3b9b4056d234295e6a46e7a3175788720a00cf7be22290c6ff3335ef56d6dddee46962e71bdf46ed23c008ffa9b00504c1ba1efde9fa14c1e8

Download Submit
C:\Users\Admin\AppData\Local\Tempscratch.bat

Filesize
322B

MD5
e95f64f7c1597f8280152c90e2f3610e

SHA1
ca99a232989a2775fbad3b689e652c20f26795dc

SHA256
0d65eaf5cd8029b08f1c0a81e00d2717bb765e65f0dee1530f90934915a297d7

SHA512
4f5240e1c3d3ef49f3aefa583385197fea1e146cd938f8c7c7cc804ae12a01cab5333ef774402494cb36fc2124fedb5a4ff2a2b4f6365a6f42ff5dc817049bbb

Download Submit
C:\Users\Admin\AppData\Roaming\system32conf.exe

Filesize
1.6MB

MD5
89418ac99b68915cc75f40017b9200f4

SHA1
b553cdd0b5fd5d7f876af6c9bd5d2f290ccce8cb

SHA256
f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864

SHA512
7139dae64f3b7e9597a3037be41091a14bc45ff02d3b2727fcc771f5a76107ba428336ccd2e65bc3eecd86c3dfed4c5881fe2a0203b6bfa13ec31e154b4a320f

Download Submit
C:\Users\Admin\AppData\Roaming\system32conf.exe

Filesize
1.6MB

MD5
89418ac99b68915cc75f40017b9200f4

SHA1
b553cdd0b5fd5d7f876af6c9bd5d2f290ccce8cb

SHA256
f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864

SHA512
7139dae64f3b7e9597a3037be41091a14bc45ff02d3b2727fcc771f5a76107ba428336ccd2e65bc3eecd86c3dfed4c5881fe2a0203b6bfa13ec31e154b4a320f

Download Submit
C:\Users\Admin\AppData\Roaming\system32conf.exe

Filesize
1.6MB

MD5
89418ac99b68915cc75f40017b9200f4

SHA1
b553cdd0b5fd5d7f876af6c9bd5d2f290ccce8cb

SHA256
f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864

SHA512
7139dae64f3b7e9597a3037be41091a14bc45ff02d3b2727fcc771f5a76107ba428336ccd2e65bc3eecd86c3dfed4c5881fe2a0203b6bfa13ec31e154b4a320f

Download Submit
C:\Users\Admin\AppData\Roaming\system32conf.exe

Filesize
1.6MB

MD5
89418ac99b68915cc75f40017b9200f4

SHA1
b553cdd0b5fd5d7f876af6c9bd5d2f290ccce8cb

SHA256
f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864

SHA512
7139dae64f3b7e9597a3037be41091a14bc45ff02d3b2727fcc771f5a76107ba428336ccd2e65bc3eecd86c3dfed4c5881fe2a0203b6bfa13ec31e154b4a320f

Download Submit
\Users\Admin\AppData\Roaming\system32conf.exe

Filesize
1.6MB

MD5
89418ac99b68915cc75f40017b9200f4

SHA1
b553cdd0b5fd5d7f876af6c9bd5d2f290ccce8cb

SHA256
f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864

SHA512
7139dae64f3b7e9597a3037be41091a14bc45ff02d3b2727fcc771f5a76107ba428336ccd2e65bc3eecd86c3dfed4c5881fe2a0203b6bfa13ec31e154b4a320f

Download Submit
\Users\Admin\AppData\Roaming\system32conf.exe

Filesize
1.6MB

MD5
89418ac99b68915cc75f40017b9200f4

SHA1
b553cdd0b5fd5d7f876af6c9bd5d2f290ccce8cb

SHA256
f4e30f8584793bb3b1af448cc3dc3f2358568ccf39855ea14266aea4827c8864

SHA512
7139dae64f3b7e9597a3037be41091a14bc45ff02d3b2727fcc771f5a76107ba428336ccd2e65bc3eecd86c3dfed4c5881fe2a0203b6bfa13ec31e154b4a320f

Download Submit
memory/1912-72-0x0000000000140000-0x00000000001F2000-memory.dmp

Filesize
712KB

Download
memory/1912-74-0x0000000000140000-0x00000000001F2000-memory.dmp

Filesize
712KB

Download
memory/1912-69-0x0000000000140000-0x00000000001F2000-memory.dmp

Filesize
712KB

Download
memory/1912-76-0x0000000000140000-0x00000000001F2000-memory.dmp

Filesize
712KB

Download
memory/1912-67-0x0000000000140000-0x00000000001F2000-memory.dmp

Filesize
712KB

Download
memory/1912-78-0x0000000000140000-0x00000000001F2000-memory.dmp

Filesize
712KB

Download
memory/2000-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download