darkcomet | 6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26

General

Target

6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe
Size

472KB
MD5

428cb0db369019384072df4432724dde
SHA1

5ca8272d0c3946dc665f6f597b016701a2869c04
SHA256

6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26
SHA512

af66566cb2ad51a3d57b528a35481daf20d0ccaad672b01a20fa1ee8ffdd4b722101b0e2f340cf8d4801d3b2b309909b249f84c7a090c1fe2d81e38339809c4f
SSDEEP

12288:EY3F7cDylczfadxLU6OoNUuyQzX16cKHD8A55:EM7cDyliSPbN1ym16cEDv55

Score

10^/10

darkcomet vikky persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

vikky

C2

vikky44.no-ip.biz:1604

Mutex

DC_MUTEX-D968R22

Attributes

gencode
nPNl4dCBT8Dq
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\bovrEIZq\\oc81okL.exe,explorer.exe"	reg.exe

Loads dropped DLL 1 IoCs

Processes:

6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe

pid process

1052 6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe

pid	process
1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe

description	pid	process	target process
PID 1052 set thread context of 1424	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe

pid process

1052 6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe

pid	process
1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.execvtres.exe

description	pid	process
Token: SeDebugPrivilege	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe
Token: SeIncreaseQuotaPrivilege	1424	cvtres.exe
Token: SeSecurityPrivilege	1424	cvtres.exe
Token: SeTakeOwnershipPrivilege	1424	cvtres.exe
Token: SeLoadDriverPrivilege	1424	cvtres.exe
Token: SeSystemProfilePrivilege	1424	cvtres.exe
Token: SeSystemtimePrivilege	1424	cvtres.exe
Token: SeProfSingleProcessPrivilege	1424	cvtres.exe
Token: SeIncBasePriorityPrivilege	1424	cvtres.exe
Token: SeCreatePagefilePrivilege	1424	cvtres.exe
Token: SeBackupPrivilege	1424	cvtres.exe
Token: SeRestorePrivilege	1424	cvtres.exe
Token: SeShutdownPrivilege	1424	cvtres.exe
Token: SeDebugPrivilege	1424	cvtres.exe
Token: SeSystemEnvironmentPrivilege	1424	cvtres.exe
Token: SeChangeNotifyPrivilege	1424	cvtres.exe
Token: SeRemoteShutdownPrivilege	1424	cvtres.exe
Token: SeUndockPrivilege	1424	cvtres.exe
Token: SeManageVolumePrivilege	1424	cvtres.exe
Token: SeImpersonatePrivilege	1424	cvtres.exe
Token: SeCreateGlobalPrivilege	1424	cvtres.exe
Token: 33	1424	cvtres.exe
Token: 34	1424	cvtres.exe
Token: 35	1424	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cvtres.exe

pid process

1424 cvtres.exe

pid	process
1424	cvtres.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.execmd.exe

description	pid	process	target process
PID 1052 wrote to memory of 1500	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cmd.exe
PID 1052 wrote to memory of 1500	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cmd.exe
PID 1052 wrote to memory of 1500	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cmd.exe
PID 1052 wrote to memory of 1500	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cmd.exe
PID 1500 wrote to memory of 1172	1500	cmd.exe	reg.exe
PID 1500 wrote to memory of 1172	1500	cmd.exe	reg.exe
PID 1500 wrote to memory of 1172	1500	cmd.exe	reg.exe
PID 1500 wrote to memory of 1172	1500	cmd.exe	reg.exe
PID 1052 wrote to memory of 1424	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1052 wrote to memory of 1424	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1052 wrote to memory of 1424	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1052 wrote to memory of 1424	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1052 wrote to memory of 1424	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1052 wrote to memory of 1424	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1052 wrote to memory of 1424	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1052 wrote to memory of 1424	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1052 wrote to memory of 1424	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1052 wrote to memory of 1424	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1052 wrote to memory of 1424	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1052 wrote to memory of 1424	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1052 wrote to memory of 1424	1052	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe
"C:\Users\Admin\AppData\Local\Temp\6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bovrEIZq\oc81okL.exe,explorer.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bovrEIZq\oc81okL.exe,explorer.exe"
3⤵
- Modifies WinLogon for persistence
PID:1172

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\bovrEIZq\oc81okL.exe

Filesize
472KB

MD5
428cb0db369019384072df4432724dde

SHA1
5ca8272d0c3946dc665f6f597b016701a2869c04

SHA256
6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26

SHA512
af66566cb2ad51a3d57b528a35481daf20d0ccaad672b01a20fa1ee8ffdd4b722101b0e2f340cf8d4801d3b2b309909b249f84c7a090c1fe2d81e38339809c4f

Download Submit
memory/1052-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1052-55-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/1052-56-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/1052-77-0x0000000074770000-0x0000000074D1B000-memory.dmp

Filesize
5.7MB

Download
memory/1172-59-0x0000000000000000-mapping.dmp

Download
memory/1424-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1424-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1424-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1424-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1424-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1424-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1424-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1424-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1424-75-0x000000000048F888-mapping.dmp

Download
memory/1424-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1424-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1424-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1424-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1424-80-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1500-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads