darkcomet | 54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea

General

Target

54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Size

271KB
MD5

c239c75c787b2181d8dc1a0882b4a159
SHA1

a0e573b00493677797969c52e3c30e3d145e0eae
SHA256

54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea
SHA512

ab4aede8fb02bf481336004c6ce90806852bb39de431fd4d028ee7c048390beab680debb851eec36d40c71f971d41370ed1f3b2fa3782cae7489d9b8a2a7dcc8
SSDEEP

6144:XgfVPno0A98mfqyFD2ibY6aRwqlg1NpHcCxxuTklqttnN4l:XgfBo0iqyFD2ijs2B9cbbal

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

212.7.208.94:16047

Mutex

DC_MUTEX-AUBVEGH

Attributes

gencode
YutS7R9UNRic
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1000-60-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1000-62-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1000-63-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1000-65-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1000-67-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1000-69-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1000-72-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1000-74-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Software Utilizer = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Utilizer.exe"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 1000	1720	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeIncreaseQuotaPrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeSecurityPrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeTakeOwnershipPrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeLoadDriverPrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeSystemProfilePrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeSystemtimePrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeProfSingleProcessPrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeIncBasePriorityPrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeCreatePagefilePrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeBackupPrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeRestorePrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeShutdownPrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeDebugPrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeSystemEnvironmentPrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeChangeNotifyPrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeRemoteShutdownPrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeUndockPrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeManageVolumePrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeImpersonatePrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: SeCreateGlobalPrivilege	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: 33	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: 34	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
Token: 35	1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1000	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 112	1720	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe	27
PID 1720 wrote to memory of 112	1720	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe	27
PID 1720 wrote to memory of 112	1720	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe	27
PID 1720 wrote to memory of 112	1720	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe	27
PID 1720 wrote to memory of 1000	1720	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe	28
PID 1720 wrote to memory of 1000	1720	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe	28
PID 1720 wrote to memory of 1000	1720	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe	28
PID 1720 wrote to memory of 1000	1720	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe	28
PID 1720 wrote to memory of 1000	1720	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe	28
PID 1720 wrote to memory of 1000	1720	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe	28
PID 1720 wrote to memory of 1000	1720	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe	28
PID 1720 wrote to memory of 1000	1720	54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe	28
PID 1756 wrote to memory of 1736	1756	explorer.exe	30
PID 1756 wrote to memory of 1736	1756	explorer.exe	30
PID 1756 wrote to memory of 1736	1756	explorer.exe	30

C:\Users\Admin\AppData\Local\Temp\54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
"C:\Users\Admin\AppData\Local\Temp\54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\QObrNNBeF.vbs
  2⤵
  PID:112
- C:\Users\Admin\AppData\Local\Temp\54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe
  "C:\Users\Admin\AppData\Local\Temp\54cb5b421df95ed5d7f6ce8756693f467a95aadfd7b038a95d8aaf1433a419ea.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1000

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\QObrNNBeF.vbs"
  2⤵
  - Adds Run key to start application
  PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\QObrNNBeF.vbs

Filesize
601B

MD5
3f9a9f31e88eb653e15525f7568d2ce3

SHA1
7db2de7325dbd8c2574c78f661fc1c28ebc10301

SHA256
712461277fd0b416b766321612ba0346c5ae4c2e181f6fbc4d984fdb757d9159

SHA512
94810b387cbe26fca10e39f6f4f7cd605caefe69b4f23d5d1d06f764cbb53744c6048a44fd203b85e14318679ab67b2cc11aa50fe6ebc1c821ad970d0c6ea313

Download Submit
memory/112-58-0x0000000071FF1000-0x0000000071FF3000-memory.dmp

Filesize
8KB

Download
memory/1000-67-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1000-60-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1000-62-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1000-63-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1000-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1000-65-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1000-59-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1000-72-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1000-69-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1720-55-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-73-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1756-68-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing