darkcomet | 1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6

General

Target

1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe
Size

343KB
MD5

69661f894bc24159f7796f022db64c67
SHA1

733c507e16327c2db7715c2704db3b4bff01e026
SHA256

1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6
SHA512

3b918d4faff57c5d6da75c0b94d84f69220555c9a4522d780a1764b5612261971a0b162546d5b3404198e1920c475194dc07c6019dff6d3bb778e14dfbf2fe3c
SSDEEP

6144:xMaed6qRf1VYOnThmxoTfqlac/lTcspV+qrjQKcW:xMnvRfblF5tyxfkqrcK

Score

10^/10

darkcomet news persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

NEWS

C2

informer.ddns.net:1605

informer.ddns.net:1606

Mutex

DC_MUTEX-L6AVTYM

Attributes

gencode
kNGa0laUgQF5
install
false
offline_keylogger
true
password
chinelo4545
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1188-63-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1188-65-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1188-66-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1188-68-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1188-70-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1188-71-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1188-72-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1188-73-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe

pid process

900 1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\DuQJPLSJGc = "C:\\Users\\Admin\\AppData\\Roaming\\AyKBCyAXeK\\HLAxvijPIM.exe.lnk"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe

description pid process target process

PID 900 set thread context of 1188 900 1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe

pid process

900 1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe

description	pid	process	target process
PID 900 set thread context of 1188	900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe	vbc.exe

pid	process
900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe
Token: SeIncreaseQuotaPrivilege	1188	vbc.exe
Token: SeSecurityPrivilege	1188	vbc.exe
Token: SeTakeOwnershipPrivilege	1188	vbc.exe
Token: SeLoadDriverPrivilege	1188	vbc.exe
Token: SeSystemProfilePrivilege	1188	vbc.exe
Token: SeSystemtimePrivilege	1188	vbc.exe
Token: SeProfSingleProcessPrivilege	1188	vbc.exe
Token: SeIncBasePriorityPrivilege	1188	vbc.exe
Token: SeCreatePagefilePrivilege	1188	vbc.exe
Token: SeBackupPrivilege	1188	vbc.exe
Token: SeRestorePrivilege	1188	vbc.exe
Token: SeShutdownPrivilege	1188	vbc.exe
Token: SeDebugPrivilege	1188	vbc.exe
Token: SeSystemEnvironmentPrivilege	1188	vbc.exe
Token: SeChangeNotifyPrivilege	1188	vbc.exe
Token: SeRemoteShutdownPrivilege	1188	vbc.exe
Token: SeUndockPrivilege	1188	vbc.exe
Token: SeManageVolumePrivilege	1188	vbc.exe
Token: SeImpersonatePrivilege	1188	vbc.exe
Token: SeCreateGlobalPrivilege	1188	vbc.exe
Token: 33	1188	vbc.exe
Token: 34	1188	vbc.exe
Token: 35	1188	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

1188 vbc.exe

pid	process
1188	vbc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.execmd.exe

description	pid	process	target process
PID 900 wrote to memory of 612	900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe	cmd.exe
PID 900 wrote to memory of 612	900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe	cmd.exe
PID 900 wrote to memory of 612	900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe	cmd.exe
PID 900 wrote to memory of 612	900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe	cmd.exe
PID 612 wrote to memory of 1260	612	cmd.exe	reg.exe
PID 612 wrote to memory of 1260	612	cmd.exe	reg.exe
PID 612 wrote to memory of 1260	612	cmd.exe	reg.exe
PID 612 wrote to memory of 1260	612	cmd.exe	reg.exe
PID 900 wrote to memory of 1188	900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe	vbc.exe
PID 900 wrote to memory of 1188	900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe	vbc.exe
PID 900 wrote to memory of 1188	900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe	vbc.exe
PID 900 wrote to memory of 1188	900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe	vbc.exe
PID 900 wrote to memory of 1188	900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe	vbc.exe
PID 900 wrote to memory of 1188	900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe	vbc.exe
PID 900 wrote to memory of 1188	900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe	vbc.exe
PID 900 wrote to memory of 1188	900	1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe
"C:\Users\Admin\AppData\Local\Temp\1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "DuQJPLSJGc" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AyKBCyAXeK\HLAxvijPIM.exe.lnk"
2⤵
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "DuQJPLSJGc" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AyKBCyAXeK\HLAxvijPIM.exe.lnk"
3⤵
- Adds Run key to start application
PID:1260

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\AyKBCyAXeK\HLAxvijPIM.exe
Filesize
343KB

MD5
69661f894bc24159f7796f022db64c67

SHA1
733c507e16327c2db7715c2704db3b4bff01e026

SHA256
1487b91fe287ef043d6ba20e4e37128830770d12ed43e6228ff2bd8fd51eb4b6

SHA512
3b918d4faff57c5d6da75c0b94d84f69220555c9a4522d780a1764b5612261971a0b162546d5b3404198e1920c475194dc07c6019dff6d3bb778e14dfbf2fe3c

Download Submit
memory/612-60-0x0000000000000000-mapping.dmp

Download
memory/900-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/900-55-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/900-56-0x00000000004B6000-0x00000000004C7000-memory.dmp

Filesize
68KB

Download
memory/900-57-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/900-58-0x00000000004B6000-0x00000000004C7000-memory.dmp

Filesize
68KB

Download
memory/1188-62-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1188-63-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1188-65-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1188-66-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1188-67-0x00000000004B56A0-mapping.dmp

Download
memory/1188-68-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1188-70-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1188-71-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1188-72-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1188-73-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1260-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads