darkcomet | 9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915

General

Target

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Size

787KB
MD5

1f037a54c638eb27d5c098326215c750
SHA1

af53cbbdbff190aa5e99e381520758f637d27c7f
SHA256

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915
SHA512

14de32e1db8976e2e76b01ed54155ad4af5903cb6ffee09fc72eb4ea0bc75cc57c81a89df6a739b308268f98bbb74a54bf74a06909dffe58d7c4794fc74f3d5a
SSDEEP

12288:PGopSuXh1gdooZuPLxHldHlY4ub6n+L+egT3/GT6rjo+ncq4ACE:P6MtuT6n+Hgr/GTAjJaACE

Score

10^/10

darkcomet testing persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Testing

C2

izcrackz.ddns.net:1604

Mutex

DCMIN_MUTEX-8LL9FA3

Attributes

gencode
xrXebsuQ91rd
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pWWDxxJJmL = "C:\\Users\\Admin\\AppData\\Roaming\\eTTkXyKgim\\SrJnVliUhv.exe.lnk"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

description	pid	process	target process
PID 5108 set thread context of 3048	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

pid	process
5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

description	pid	process
Token: SeDebugPrivilege	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeIncreaseQuotaPrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeSecurityPrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeTakeOwnershipPrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeLoadDriverPrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeSystemProfilePrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeSystemtimePrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeProfSingleProcessPrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeIncBasePriorityPrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeCreatePagefilePrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeBackupPrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeRestorePrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeShutdownPrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeDebugPrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeSystemEnvironmentPrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeChangeNotifyPrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeRemoteShutdownPrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeUndockPrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeManageVolumePrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeImpersonatePrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: SeCreateGlobalPrivilege	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: 33	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: 34	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: 35	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
Token: 36	3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

pid process

3048 9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

pid	process
3048	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.execmd.exe

C:\Users\Admin\AppData\Local\Temp\9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
"C:\Users\Admin\AppData\Local\Temp\9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "pWWDxxJJmL" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\eTTkXyKgim\SrJnVliUhv.exe.lnk"
2⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "pWWDxxJJmL" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\eTTkXyKgim\SrJnVliUhv.exe.lnk"
3⤵
- Adds Run key to start application
PID:4396

C:\Users\Admin\AppData\Local\Temp\9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
"C:\Users\Admin\AppData\Local\Temp\9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3048-136-0x0000000000000000-mapping.dmp

Download
memory/3048-137-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3048-138-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3048-139-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3048-141-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3048-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4396-135-0x0000000000000000-mapping.dmp

Download
memory/4636-134-0x0000000000000000-mapping.dmp

Download
memory/5108-132-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/5108-133-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/5108-140-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 5108 wrote to memory of 4636	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	cmd.exe
PID 5108 wrote to memory of 4636	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	cmd.exe
PID 5108 wrote to memory of 4636	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	cmd.exe
PID 4636 wrote to memory of 4396	4636	cmd.exe	reg.exe
PID 4636 wrote to memory of 4396	4636	cmd.exe	reg.exe
PID 4636 wrote to memory of 4396	4636	cmd.exe	reg.exe
PID 5108 wrote to memory of 3048	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 5108 wrote to memory of 3048	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 5108 wrote to memory of 3048	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 5108 wrote to memory of 3048	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 5108 wrote to memory of 3048	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 5108 wrote to memory of 3048	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 5108 wrote to memory of 3048	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 5108 wrote to memory of 3048	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 5108 wrote to memory of 3048	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 5108 wrote to memory of 3048	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 5108 wrote to memory of 3048	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe
PID 5108 wrote to memory of 3048	5108	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe	9b6c3d60139b681dfdd5d717b24bf1c66ed5b1f5ec0a98468f86b84be6941915.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads