darkcomet | a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8

General

Target

a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe
Size

1.4MB
MD5

dc07030af6c807db6ffcb1eea9805846
SHA1

03a4f4daad133a8c3b1fd8297317df194a4d9184
SHA256

a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8
SHA512

91127b471c7620028dbbd220c6f7706a856827097158656b609a6cab5b10e553b9afff4f1bc3754e88bf4fc857e139e673e71d0a9fb2ba9a0c5216a69a2d2d15
SSDEEP

24576:x3Oqr/iK/TH5yHTtqaw/Kf9hoWSXBMo0xZUEKLolSuWDyDf02g+I7LEn/XD:9trKK/TH5yHTtqaOKfjVdo0tlRWDAk3Q

Score

10^/10

darkcomet bot persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Bot

C2

sallad.chickenkiller.com:9331

Mutex

DC_MUTEX-NTQ979W

Attributes

gencode
3ngHr6j4cxcy
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\java.exe"	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe

Executes dropped EXE 1 IoCs

Processes:

notepad .exe

pid process

468 notepad .exe
Loads dropped DLL 1 IoCs

Processes:

a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe

pid process

1748 a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe

pid	process
468	notepad .exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe

description	pid	process	target process
PID 1748 set thread context of 468	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	notepad .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe

pid	process
1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe
1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe
1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exenotepad .exe

description	pid	process
Token: SeDebugPrivilege	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe
Token: SeIncreaseQuotaPrivilege	468	notepad .exe
Token: SeSecurityPrivilege	468	notepad .exe
Token: SeTakeOwnershipPrivilege	468	notepad .exe
Token: SeLoadDriverPrivilege	468	notepad .exe
Token: SeSystemProfilePrivilege	468	notepad .exe
Token: SeSystemtimePrivilege	468	notepad .exe
Token: SeProfSingleProcessPrivilege	468	notepad .exe
Token: SeIncBasePriorityPrivilege	468	notepad .exe
Token: SeCreatePagefilePrivilege	468	notepad .exe
Token: SeBackupPrivilege	468	notepad .exe
Token: SeRestorePrivilege	468	notepad .exe
Token: SeShutdownPrivilege	468	notepad .exe
Token: SeDebugPrivilege	468	notepad .exe
Token: SeSystemEnvironmentPrivilege	468	notepad .exe
Token: SeChangeNotifyPrivilege	468	notepad .exe
Token: SeRemoteShutdownPrivilege	468	notepad .exe
Token: SeUndockPrivilege	468	notepad .exe
Token: SeManageVolumePrivilege	468	notepad .exe
Token: SeImpersonatePrivilege	468	notepad .exe
Token: SeCreateGlobalPrivilege	468	notepad .exe
Token: 33	468	notepad .exe
Token: 34	468	notepad .exe
Token: 35	468	notepad .exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

notepad .exe

pid process

468 notepad .exe

pid	process
468	notepad .exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.execmd.exewscript.exe

description	pid	process	target process
PID 1748 wrote to memory of 1316	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	cmd.exe
PID 1748 wrote to memory of 1316	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	cmd.exe
PID 1748 wrote to memory of 1316	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	cmd.exe
PID 1748 wrote to memory of 1316	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	cmd.exe
PID 1748 wrote to memory of 468	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	notepad .exe
PID 1748 wrote to memory of 468	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	notepad .exe
PID 1748 wrote to memory of 468	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	notepad .exe
PID 1748 wrote to memory of 468	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	notepad .exe
PID 1748 wrote to memory of 468	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	notepad .exe
PID 1316 wrote to memory of 836	1316	cmd.exe	wscript.exe
PID 1316 wrote to memory of 836	1316	cmd.exe	wscript.exe
PID 1316 wrote to memory of 836	1316	cmd.exe	wscript.exe
PID 1316 wrote to memory of 836	1316	cmd.exe	wscript.exe
PID 1748 wrote to memory of 468	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	notepad .exe
PID 1748 wrote to memory of 468	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	notepad .exe
PID 1748 wrote to memory of 468	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	notepad .exe
PID 1748 wrote to memory of 468	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	notepad .exe
PID 1748 wrote to memory of 468	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	notepad .exe
PID 1748 wrote to memory of 468	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	notepad .exe
PID 1748 wrote to memory of 468	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	notepad .exe
PID 1748 wrote to memory of 468	1748	a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe	notepad .exe
PID 836 wrote to memory of 1412	836	wscript.exe	cmd.exe
PID 836 wrote to memory of 1412	836	wscript.exe	cmd.exe
PID 836 wrote to memory of 1412	836	wscript.exe	cmd.exe
PID 836 wrote to memory of 1412	836	wscript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe
"C:\Users\Admin\AppData\Local\Temp\a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\mata2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\mata2.bat" "
4⤵
PID:1412

C:\Users\Admin\AppData\Roaming\notepad .exe
"C:\Users\Admin\AppData\Roaming\notepad .exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\java.exe
Filesize
1.4MB

MD5
dc07030af6c807db6ffcb1eea9805846

SHA1
03a4f4daad133a8c3b1fd8297317df194a4d9184

SHA256
a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8

SHA512
91127b471c7620028dbbd220c6f7706a856827097158656b609a6cab5b10e553b9afff4f1bc3754e88bf4fc857e139e673e71d0a9fb2ba9a0c5216a69a2d2d15

Download Submit
C:\Users\Admin\AppData\Roaming\mata.bat
Filesize
53B

MD5
f417bac860bfd32fbcceefb244bcbb87

SHA1
31a711807edad75399620a8b6f5da449c64723ef

SHA256
7e80f3cbb012881bf931f99903be9dc541ea00f1173944390f35c17e83fc6068

SHA512
9d904c40c37a136a6f658626abc068132f415edf4121d46c928e8d619981e5d0bdd7be2eddb5e27bffc311a1c0545ab10eb25af5477b423884b9ff2a612e10e3

Download Submit
C:\Users\Admin\AppData\Roaming\mata2.bat
Filesize
53B

MD5
031605858c66d2561d6919500e5b4967

SHA1
9bcaba936b24fbc0b41fc1554a2a3f06bf10bd86

SHA256
e30913fc4efecaa0864524b2b976bd920735babf6201bb719bf22235fa190e45

SHA512
1f8538c572d7c83b99f4cbbcae6d56e752149b1f97014ae22d06d805e93a9fc338a94af1698731b2c193009fe012dd60531aa0cff869317fa4bcf9567cc5e362

Download Submit
C:\Users\Admin\AppData\Roaming\notepad .exe
Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
C:\Users\Admin\AppData\Roaming\notepad .exe
Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
C:\Users\Admin\AppData\Roaming\rundll11-.txt
Filesize
1.4MB

MD5
dc07030af6c807db6ffcb1eea9805846

SHA1
03a4f4daad133a8c3b1fd8297317df194a4d9184

SHA256
a3c96604b01d189879f5076b3c94d0b10a19cd1a8e3e7935349c7036363b47b8

SHA512
91127b471c7620028dbbd220c6f7706a856827097158656b609a6cab5b10e553b9afff4f1bc3754e88bf4fc857e139e673e71d0a9fb2ba9a0c5216a69a2d2d15

Download Submit
\Users\Admin\AppData\Roaming\notepad .exe
Filesize
54KB

MD5
0f01571a3e4c71eb4313175aae86488e

SHA1
2ba648afe2cd52edf5f25e304f77d457abf7ac0e

SHA256
8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022

SHA512
159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794

Download Submit
memory/468-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/468-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/468-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/468-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/468-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/468-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/468-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/468-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/468-85-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/468-83-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/468-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/468-88-0x0000000000401000-0x000000000048F000-memory.dmp

Filesize
568KB

Download
memory/468-81-0x000000000048F888-mapping.dmp

Download
memory/468-87-0x000000000048F000-0x0000000000491000-memory.dmp

Filesize
8KB

Download
memory/836-59-0x0000000000000000-mapping.dmp

Download
memory/1316-55-0x0000000000000000-mapping.dmp

Download
memory/1412-77-0x0000000000000000-mapping.dmp

Download
memory/1748-75-0x0000000074C90000-0x000000007523B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-80-0x0000000074C90000-0x000000007523B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-54-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download
memory/1748-90-0x0000000074C90000-0x000000007523B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads