darkcomet | 82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec

General

Target

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Size

764KB
MD5

72424af22fd4bda472713106e905af9b
SHA1

f2e8e93369c973daad899265d4308fd195a3ac28
SHA256

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec
SHA512

4b3285af8793e71d58e91d2abfa76bbab4bf7e6e3d7035686f2af98d5b5950fdc551fab78654067b90c580a69f1c9fc78067e34517e47b4d20b2ebc23711bdc2
SSDEEP

12288:hYmt0E2jF7bXNbG8a31+r+4jFn3udW5yDSNrSgXmtLc8/NU:hYFE2jNb9bGgjJemRX7mN

Score

10^/10

darkcomet 829 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

829

C2

kelgr95167.crabdance.com:4390

kelgr95167.crabdance.com:4391

Mutex

DC_MUTEX-RJ23YU3

Attributes

gencode
cGAxaBVeCxjm
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IjqlzCUk\\UQNF1Xp.exe,explorer.exe"	reg.exe

Executes dropped EXE 1 IoCs

Processes:

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

pid process

1688 82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

pid	process
1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Loads dropped DLL 2 IoCs

Processes:

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

pid	process
1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

description	pid	process	target process
PID 1368 set thread context of 1688	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

pid process

1368 82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

description	pid	process
Token: SeDebugPrivilege	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeIncreaseQuotaPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeSecurityPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeTakeOwnershipPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeLoadDriverPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeSystemProfilePrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeSystemtimePrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeProfSingleProcessPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeIncBasePriorityPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeCreatePagefilePrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeBackupPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeRestorePrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeShutdownPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeDebugPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeSystemEnvironmentPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeChangeNotifyPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeRemoteShutdownPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeUndockPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeManageVolumePrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeImpersonatePrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeCreateGlobalPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: 33	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: 34	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: 35	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

pid process

1688 82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

pid	process
1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.execmd.exe

C:\Users\Admin\AppData\Local\Temp\82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
"C:\Users\Admin\AppData\Local\Temp\82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IjqlzCUk\UQNF1Xp.exe,explorer.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IjqlzCUk\UQNF1Xp.exe,explorer.exe"
3⤵
- Modifies WinLogon for persistence
PID:1640

C:\Users\Admin\AppData\Local\Temp\82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
"C:\Users\Admin\AppData\Local\Temp\82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Filesize
764KB

MD5
72424af22fd4bda472713106e905af9b

SHA1
f2e8e93369c973daad899265d4308fd195a3ac28

SHA256
82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec

SHA512
4b3285af8793e71d58e91d2abfa76bbab4bf7e6e3d7035686f2af98d5b5950fdc551fab78654067b90c580a69f1c9fc78067e34517e47b4d20b2ebc23711bdc2

Download Submit
\Users\Admin\AppData\Local\Temp\82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Filesize
764KB

MD5
72424af22fd4bda472713106e905af9b

SHA1
f2e8e93369c973daad899265d4308fd195a3ac28

SHA256
82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec

SHA512
4b3285af8793e71d58e91d2abfa76bbab4bf7e6e3d7035686f2af98d5b5950fdc551fab78654067b90c580a69f1c9fc78067e34517e47b4d20b2ebc23711bdc2

Download Submit
\Users\Admin\AppData\Local\Temp\IjqlzCUk\UQNF1Xp.exe

Filesize
764KB

MD5
72424af22fd4bda472713106e905af9b

SHA1
f2e8e93369c973daad899265d4308fd195a3ac28

SHA256
82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec

SHA512
4b3285af8793e71d58e91d2abfa76bbab4bf7e6e3d7035686f2af98d5b5950fdc551fab78654067b90c580a69f1c9fc78067e34517e47b4d20b2ebc23711bdc2

Download Submit
memory/1368-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1368-55-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/1368-56-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/1368-80-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-59-0x0000000000000000-mapping.dmp

Download
memory/1688-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-76-0x000000000048F888-mapping.dmp

Download
memory/1688-78-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1688-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1876-58-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1368 wrote to memory of 1876	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	cmd.exe
PID 1368 wrote to memory of 1876	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	cmd.exe
PID 1368 wrote to memory of 1876	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	cmd.exe
PID 1368 wrote to memory of 1876	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	cmd.exe
PID 1876 wrote to memory of 1640	1876	cmd.exe	reg.exe
PID 1876 wrote to memory of 1640	1876	cmd.exe	reg.exe
PID 1876 wrote to memory of 1640	1876	cmd.exe	reg.exe
PID 1876 wrote to memory of 1640	1876	cmd.exe	reg.exe
PID 1368 wrote to memory of 1688	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1368 wrote to memory of 1688	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1368 wrote to memory of 1688	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1368 wrote to memory of 1688	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1368 wrote to memory of 1688	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1368 wrote to memory of 1688	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1368 wrote to memory of 1688	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1368 wrote to memory of 1688	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1368 wrote to memory of 1688	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1368 wrote to memory of 1688	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1368 wrote to memory of 1688	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1368 wrote to memory of 1688	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1368 wrote to memory of 1688	1368	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads