darkcomet | f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18

General

Target

f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Size

658KB
MD5

3127bfcb04c1efdf78534610c0f6e46b
SHA1

fd0e2e9ea3b1563706145362f9fccb610653d6f9
SHA256

f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18
SHA512

36119a3e441efc57b2e96e7a7bcb8c3902eec6bb5faf418fc9859ae351e667a0ced45a765ce634dc01e3a1662bddb7a15ea40ac979bd5496935f006e7a0880f1
SSDEEP

12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h6:eZ1xuVVjfFoynPaVBUR8f+kN10EB8

Score

10^/10

darkcomet victime persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victime

C2

23.95.52.24:1604

Mutex

MUTEX-GURB7WX

Attributes

InstallPath
Microsoft\windowsupdate.com
gencode
hkdEYJPYqYa3
install
true
offline_keylogger
true
persistence
true
reg_key
Windows

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Microsoft\\windowsupdate.com"	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe

Executes dropped EXE 1 IoCs

Processes:

windowsupdate.com

pid process

676 windowsupdate.com
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1640 notepad.exe
Loads dropped DLL 1 IoCs

Processes:

f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe

pid process

868 f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe

pid	process
676	windowsupdate.com

pid	process
1640	notepad.exe

pid	process
868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exewindowsupdate.com

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Windows\\system32\\Microsoft\\windowsupdate.com"	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Windows\\system32\\Microsoft\\windowsupdate.com"	windowsupdate.com

Drops file in System32 directory 3 IoCs

Processes:

f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Microsoft\windowsupdate.com	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\windowsupdate.com	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft\	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exewindowsupdate.com

description	pid	process
Token: SeIncreaseQuotaPrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeSecurityPrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeTakeOwnershipPrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeLoadDriverPrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeSystemProfilePrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeSystemtimePrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeProfSingleProcessPrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeIncBasePriorityPrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeCreatePagefilePrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeBackupPrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeRestorePrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeShutdownPrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeDebugPrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeSystemEnvironmentPrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeChangeNotifyPrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeRemoteShutdownPrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeUndockPrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeManageVolumePrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeImpersonatePrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeCreateGlobalPrivilege	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: 33	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: 34	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: 35	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
Token: SeIncreaseQuotaPrivilege	676	windowsupdate.com
Token: SeSecurityPrivilege	676	windowsupdate.com
Token: SeTakeOwnershipPrivilege	676	windowsupdate.com
Token: SeLoadDriverPrivilege	676	windowsupdate.com
Token: SeSystemProfilePrivilege	676	windowsupdate.com
Token: SeSystemtimePrivilege	676	windowsupdate.com
Token: SeProfSingleProcessPrivilege	676	windowsupdate.com
Token: SeIncBasePriorityPrivilege	676	windowsupdate.com
Token: SeCreatePagefilePrivilege	676	windowsupdate.com
Token: SeBackupPrivilege	676	windowsupdate.com
Token: SeRestorePrivilege	676	windowsupdate.com
Token: SeShutdownPrivilege	676	windowsupdate.com
Token: SeDebugPrivilege	676	windowsupdate.com
Token: SeSystemEnvironmentPrivilege	676	windowsupdate.com
Token: SeChangeNotifyPrivilege	676	windowsupdate.com
Token: SeRemoteShutdownPrivilege	676	windowsupdate.com
Token: SeUndockPrivilege	676	windowsupdate.com
Token: SeManageVolumePrivilege	676	windowsupdate.com
Token: SeImpersonatePrivilege	676	windowsupdate.com
Token: SeCreateGlobalPrivilege	676	windowsupdate.com
Token: 33	676	windowsupdate.com
Token: 34	676	windowsupdate.com
Token: 35	676	windowsupdate.com

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

windowsupdate.com

pid process

676 windowsupdate.com

pid	process
676	windowsupdate.com

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe

description	pid	process	target process
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 1640	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	notepad.exe
PID 868 wrote to memory of 676	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	windowsupdate.com
PID 868 wrote to memory of 676	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	windowsupdate.com
PID 868 wrote to memory of 676	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	windowsupdate.com
PID 868 wrote to memory of 676	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	windowsupdate.com
PID 868 wrote to memory of 676	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	windowsupdate.com
PID 868 wrote to memory of 676	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	windowsupdate.com
PID 868 wrote to memory of 676	868	f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe	windowsupdate.com

C:\Users\Admin\AppData\Local\Temp\f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe
"C:\Users\Admin\AppData\Local\Temp\f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Deletes itself
PID:1640

C:\Windows\SysWOW64\Microsoft\windowsupdate.com
"C:\Windows\system32\Microsoft\windowsupdate.com"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Microsoft\windowsupdate.com
Filesize
658KB

MD5
3127bfcb04c1efdf78534610c0f6e46b

SHA1
fd0e2e9ea3b1563706145362f9fccb610653d6f9

SHA256
f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18

SHA512
36119a3e441efc57b2e96e7a7bcb8c3902eec6bb5faf418fc9859ae351e667a0ced45a765ce634dc01e3a1662bddb7a15ea40ac979bd5496935f006e7a0880f1

Download Submit
C:\Windows\SysWOW64\Microsoft\windowsupdate.com
Filesize
658KB

MD5
3127bfcb04c1efdf78534610c0f6e46b

SHA1
fd0e2e9ea3b1563706145362f9fccb610653d6f9

SHA256
f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18

SHA512
36119a3e441efc57b2e96e7a7bcb8c3902eec6bb5faf418fc9859ae351e667a0ced45a765ce634dc01e3a1662bddb7a15ea40ac979bd5496935f006e7a0880f1

Download Submit
\Windows\SysWOW64\Microsoft\windowsupdate.com
Filesize
658KB

MD5
3127bfcb04c1efdf78534610c0f6e46b

SHA1
fd0e2e9ea3b1563706145362f9fccb610653d6f9

SHA256
f3d6caf5d3485c17526bf4249621c74e01d90a9ab3ee4f33c17249c982bf3d18

SHA512
36119a3e441efc57b2e96e7a7bcb8c3902eec6bb5faf418fc9859ae351e667a0ced45a765ce634dc01e3a1662bddb7a15ea40ac979bd5496935f006e7a0880f1

Download Submit
memory/676-58-0x0000000000000000-mapping.dmp

Download
memory/868-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1640-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads