darkcomet | 6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26

General

Target

6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe
Size

472KB
MD5

428cb0db369019384072df4432724dde
SHA1

5ca8272d0c3946dc665f6f597b016701a2869c04
SHA256

6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26
SHA512

af66566cb2ad51a3d57b528a35481daf20d0ccaad672b01a20fa1ee8ffdd4b722101b0e2f340cf8d4801d3b2b309909b249f84c7a090c1fe2d81e38339809c4f
SSDEEP

12288:EY3F7cDylczfadxLU6OoNUuyQzX16cKHD8A55:EM7cDyliSPbN1ym16cEDv55

Score

10^/10

darkcomet vikky persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

vikky

C2

vikky44.no-ip.biz:1604

Mutex

DC_MUTEX-D968R22

Attributes

gencode
nPNl4dCBT8Dq
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\bovrEIZq\\oc81okL.exe,explorer.exe"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe

description	pid	process	target process
PID 1992 set thread context of 4168	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe

pid	process
1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe
1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.execvtres.exe

description	pid	process
Token: SeDebugPrivilege	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe
Token: SeIncreaseQuotaPrivilege	4168	cvtres.exe
Token: SeSecurityPrivilege	4168	cvtres.exe
Token: SeTakeOwnershipPrivilege	4168	cvtres.exe
Token: SeLoadDriverPrivilege	4168	cvtres.exe
Token: SeSystemProfilePrivilege	4168	cvtres.exe
Token: SeSystemtimePrivilege	4168	cvtres.exe
Token: SeProfSingleProcessPrivilege	4168	cvtres.exe
Token: SeIncBasePriorityPrivilege	4168	cvtres.exe
Token: SeCreatePagefilePrivilege	4168	cvtres.exe
Token: SeBackupPrivilege	4168	cvtres.exe
Token: SeRestorePrivilege	4168	cvtres.exe
Token: SeShutdownPrivilege	4168	cvtres.exe
Token: SeDebugPrivilege	4168	cvtres.exe
Token: SeSystemEnvironmentPrivilege	4168	cvtres.exe
Token: SeChangeNotifyPrivilege	4168	cvtres.exe
Token: SeRemoteShutdownPrivilege	4168	cvtres.exe
Token: SeUndockPrivilege	4168	cvtres.exe
Token: SeManageVolumePrivilege	4168	cvtres.exe
Token: SeImpersonatePrivilege	4168	cvtres.exe
Token: SeCreateGlobalPrivilege	4168	cvtres.exe
Token: 33	4168	cvtres.exe
Token: 34	4168	cvtres.exe
Token: 35	4168	cvtres.exe
Token: 36	4168	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cvtres.exe

pid process

4168 cvtres.exe

pid	process
4168	cvtres.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.execmd.exe

description	pid	process	target process
PID 1992 wrote to memory of 4268	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cmd.exe
PID 1992 wrote to memory of 4268	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cmd.exe
PID 1992 wrote to memory of 4268	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cmd.exe
PID 4268 wrote to memory of 5056	4268	cmd.exe	reg.exe
PID 4268 wrote to memory of 5056	4268	cmd.exe	reg.exe
PID 4268 wrote to memory of 5056	4268	cmd.exe	reg.exe
PID 1992 wrote to memory of 4168	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1992 wrote to memory of 4168	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1992 wrote to memory of 4168	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1992 wrote to memory of 4168	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1992 wrote to memory of 4168	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1992 wrote to memory of 4168	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1992 wrote to memory of 4168	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1992 wrote to memory of 4168	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1992 wrote to memory of 4168	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1992 wrote to memory of 4168	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1992 wrote to memory of 4168	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe
PID 1992 wrote to memory of 4168	1992	6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe
"C:\Users\Admin\AppData\Local\Temp\6f997cbcb6524add6f2b0354b710a367d7f7a60402aaeab53e960834ee044f26.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bovrEIZq\oc81okL.exe,explorer.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bovrEIZq\oc81okL.exe,explorer.exe"
3⤵
- Modifies WinLogon for persistence
PID:5056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-132-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1992-133-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1992-139-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4168-136-0x0000000000000000-mapping.dmp

Download
memory/4168-137-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4168-138-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4168-140-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4168-141-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4168-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4268-134-0x0000000000000000-mapping.dmp

Download
memory/5056-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads