darkcomet | 999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605

Analysis

max time kernel
179s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe
Size

1.3MB
MD5

0ca617961ceb2d4af6d3236678929fa3
SHA1

cd4f3061fe03338d12020d57ad30f916e410abc5
SHA256

999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605
SHA512

bc22301ab9c50a0bc4fbb6777813d990d5d703b9baac6ecf1badfab82a81021e03af10bdb7955589f3c3b72ff0b6adc2dcf670cd9881e73fb254e92ed0d82f41
SSDEEP

24576:f2O/GluCNRbvqYRYIdpbweMK5bBWQtMXC6kK7g6zwm4m53Sb2M:HwRbSYmIXMeMuMuMX7kK5kFm53SyM

Score

10^/10

darkcomet steve evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Steve

slowburn.linkpc.net:6831

Mutex

DC_MUTEX-A54SB6Z

Attributes

gencode
VPCWgaglFLx7
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 1 IoCs

pid	Process
528	ssabn.exe

Loads dropped DLL 4 IoCs

pid	Process
1252	999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe
1252	999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe
1252	999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe
1252	999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\79U5N7~1 = "C:\\Users\\Admin\\79U5N7~1\\pxu.vbs"	ssabn.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RUN	ssabn.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ssabn.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN	ssabn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ssabn.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	ssabn.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ssabn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 528 set thread context of 1348	528	ssabn.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe
528	ssabn.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1348	RegSvcs.exe
Token: SeSecurityPrivilege	1348	RegSvcs.exe
Token: SeTakeOwnershipPrivilege	1348	RegSvcs.exe
Token: SeLoadDriverPrivilege	1348	RegSvcs.exe
Token: SeSystemProfilePrivilege	1348	RegSvcs.exe
Token: SeSystemtimePrivilege	1348	RegSvcs.exe
Token: SeProfSingleProcessPrivilege	1348	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1348	RegSvcs.exe
Token: SeCreatePagefilePrivilege	1348	RegSvcs.exe
Token: SeBackupPrivilege	1348	RegSvcs.exe
Token: SeRestorePrivilege	1348	RegSvcs.exe
Token: SeShutdownPrivilege	1348	RegSvcs.exe
Token: SeDebugPrivilege	1348	RegSvcs.exe
Token: SeSystemEnvironmentPrivilege	1348	RegSvcs.exe
Token: SeChangeNotifyPrivilege	1348	RegSvcs.exe
Token: SeRemoteShutdownPrivilege	1348	RegSvcs.exe
Token: SeUndockPrivilege	1348	RegSvcs.exe
Token: SeManageVolumePrivilege	1348	RegSvcs.exe
Token: SeImpersonatePrivilege	1348	RegSvcs.exe
Token: SeCreateGlobalPrivilege	1348	RegSvcs.exe
Token: 33	1348	RegSvcs.exe
Token: 34	1348	RegSvcs.exe
Token: 35	1348	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1348	RegSvcs.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 528	1252	999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe	28
PID 1252 wrote to memory of 528	1252	999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe	28
PID 1252 wrote to memory of 528	1252	999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe	28
PID 1252 wrote to memory of 528	1252	999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe	28
PID 1252 wrote to memory of 528	1252	999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe	28
PID 1252 wrote to memory of 528	1252	999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe	28
PID 1252 wrote to memory of 528	1252	999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe	28
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29
PID 528 wrote to memory of 1348	528	ssabn.exe	29

C:\Users\Admin\AppData\Local\Temp\999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe
"C:\Users\Admin\AppData\Local\Temp\999edb0663eadfc252ed4223956c0ff20d976165e9c722eb6d4ff4e27f5eb605.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\79u5n7w6jl482w9\ssabn.exe
  "C:\Users\Admin\79u5n7w6jl482w9\ssabn.exe" cukgecuoogya
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\79U5N7~1\dbxe.VCH

Filesize
658KB

MD5
e8afaca70cc46888b54ea4bd9ebc6705

SHA1
b866de19be3f2fb570b5e9d569258c2fe39749e2

SHA256
69fe0b3f9d856ec215d89c1340ba7dca7df1974a6b9b68a4f7d60faaf2cebed0

SHA512
7bf904ff860ef64ec06d4d85f9749aecc7d893b3fd96061df4cb18cf36756bf5ff3d08a0bb3d25dd97a9d7aefe5caee62b4cd481615ef33492a326527376ea85

Download Submit
C:\Users\Admin\79U5N7~1\ovxzodbwz.KEB

Filesize
148B

MD5
57507d84a3efe067809bfab7379e03b1

SHA1
898e336c68da98d64789079e6624278601126864

SHA256
b1cead5f1dea2ac047a1053c0bf4e281ae8d5021f2d11db1c656e650738a7b64

SHA512
9875993fd4612edbc8000787fcf626dbb58eeb7ce5baadf2767d79dddbad258a97ca6cf58861d22ea15e587d49912d91e77f4f6f7d821988fb70968a706073ae

Download Submit
C:\Users\Admin\79u5n7w6jl482w9\cukgecuoogya

Filesize
219.0MB

MD5
62cc4a0b35a48f3cdfb2ce344e02e632

SHA1
8d100346d9a9367bd5a6b04d3f1e007ab04fd9ff

SHA256
3355634c767eeb863d83e51a19e98bcadf62e86170c946e234358b9966be4e55

SHA512
5de7df470eb6d5e6fde5dd4b9d3ec1022c13d9c394155fbe74492ab755de81937335e14a22a179bb999efb2ff0bd1d5f76143456aec1e5beac94b9b403e65e08

Download Submit
C:\Users\Admin\79u5n7w6jl482w9\ssabn.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\79u5n7w6jl482w9\ssabn.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\79u5n7w6jl482w9\ssabn.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\79u5n7w6jl482w9\ssabn.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\79u5n7w6jl482w9\ssabn.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/1252-54-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1348-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1348-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1348-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1348-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1348-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1348-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1348-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1348-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1348-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1348-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1348-83-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1348-85-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1348-86-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1348-87-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download