darkcomet | 9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915

General

Target

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Size

787KB
MD5

1f037a54c638eb27d5c098326215c750
SHA1

af53cbbdbff190aa5e99e381520758f637d27c7f
SHA256

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915
SHA512

14de32e1db8976e2e76b01ed54155ad4af5903cb6ffee09fc72eb4ea0bc75cc57c81a89df6a739b308268f98bbb74a54bf74a06909dffe58d7c4794fc74f3d5a
SSDEEP

12288:PGopSuXh1gdooZuPLxHldHlY4ub6n+L+egT3/GT6rjo+ncq4ACE:P6MtuT6n+Hgr/GTAjJaACE

Score

10^/10

darkcomet testing persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Testing

C2

izcrackz.ddns.net:1604

Mutex

DCMIN_MUTEX-8LL9FA3

Attributes

gencode
xrXebsuQ91rd
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Loads dropped DLL 1 IoCs

Processes:

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

pid process

864 9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

pid	process
864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\pWWDxxJJmL = "C:\\Users\\Admin\\AppData\\Roaming\\eTTkXyKgim\\SrJnVliUhv.exe.lnk"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

description	pid	process	target process
PID 864 set thread context of 1868	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

pid process

864 9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

pid	process
864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

description	pid	process
Token: SeDebugPrivilege	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeIncreaseQuotaPrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeSecurityPrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeTakeOwnershipPrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeLoadDriverPrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeSystemProfilePrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeSystemtimePrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeProfSingleProcessPrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeIncBasePriorityPrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeCreatePagefilePrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeBackupPrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeRestorePrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeShutdownPrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeDebugPrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeSystemEnvironmentPrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeChangeNotifyPrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeRemoteShutdownPrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeUndockPrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeManageVolumePrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeImpersonatePrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeCreateGlobalPrivilege	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: 33	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: 34	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: 35	1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

pid process

1868 9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

pid	process
1868	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.execmd.exe

C:\Users\Admin\AppData\Local\Temp\9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
"C:\Users\Admin\AppData\Local\Temp\9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "pWWDxxJJmL" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\eTTkXyKgim\SrJnVliUhv.exe.lnk"
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "pWWDxxJJmL" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\eTTkXyKgim\SrJnVliUhv.exe.lnk"
3⤵
- Adds Run key to start application
PID:892

C:\Users\Admin\AppData\Local\Temp\9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
"C:\Users\Admin\AppData\Local\Temp\9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\eTTkXyKgim\SrJnVliUhv.exe
Filesize
787KB

MD5
1f037a54c638eb27d5c098326215c750

SHA1
af53cbbdbff190aa5e99e381520758f637d27c7f

SHA256
9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915

SHA512
14de32e1db8976e2e76b01ed54155ad4af5903cb6ffee09fc72eb4ea0bc75cc57c81a89df6a739b308268f98bbb74a54bf74a06909dffe58d7c4794fc74f3d5a

Download Submit
memory/864-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/864-55-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/864-56-0x0000000000505000-0x0000000000516000-memory.dmp

Filesize
68KB

Download
memory/864-57-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/864-79-0x0000000000505000-0x0000000000516000-memory.dmp

Filesize
68KB

Download
memory/864-78-0x0000000074800000-0x0000000074DAB000-memory.dmp

Filesize
5.7MB

Download
memory/892-60-0x0000000000000000-mapping.dmp

Download
memory/1868-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1868-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1868-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1868-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1868-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1868-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1868-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1868-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1868-76-0x000000000048F888-mapping.dmp

Download
memory/1868-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1868-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1868-83-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1868-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1868-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2028-59-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 864 wrote to memory of 2028	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	cmd.exe
PID 864 wrote to memory of 2028	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	cmd.exe
PID 864 wrote to memory of 2028	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	cmd.exe
PID 864 wrote to memory of 2028	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	cmd.exe
PID 2028 wrote to memory of 892	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 892	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 892	2028	cmd.exe	reg.exe
PID 2028 wrote to memory of 892	2028	cmd.exe	reg.exe
PID 864 wrote to memory of 1868	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 864 wrote to memory of 1868	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 864 wrote to memory of 1868	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 864 wrote to memory of 1868	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 864 wrote to memory of 1868	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 864 wrote to memory of 1868	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 864 wrote to memory of 1868	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 864 wrote to memory of 1868	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 864 wrote to memory of 1868	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 864 wrote to memory of 1868	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 864 wrote to memory of 1868	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 864 wrote to memory of 1868	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 864 wrote to memory of 1868	864	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads