darkcomet | a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6

General

Target

a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe
Size

736KB
MD5

1ddccfd964ded511cb8538e9616b13cb
SHA1

9aa5920603995edadf6d4af3a8d35ef28ca7852e
SHA256

a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6
SHA512

256df6192c85963e107f755f6ecd799249f4b7f4a741b2c14850f3b52c44afda4371bcc8118d62fa86869f87227d5f1b6569b404825ed6f73b7732fd0bb26905
SSDEEP

12288:ORTCaO9QMhF5I0Qa+nu4l5JjIsg/hOjwYtPqMtrN97CO1awJTSX/0c+6D68w:ORcQiCaHoJjIthOj7gMlN97L172XU

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

poison007.no-ip.org:100

Mutex

DC_MUTEX-XEJG8MK

Attributes

gencode
QrcF4RRkTDK0
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 1 IoCs

pid	Process
1584	winlogon.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\system32\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubFolder\SubFolder\winlogon.exe	a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe
File opened for modification	C:\Windows\system32\SubFolder\SubFolder\winlogon.exe	a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe
File created	C:\Windows\System32\SubFolder\SubFolder\winlogon.exe\:ZONE.identifier:$DATA	a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe
File opened for modification	C:\Windows\system32\SubFolder\SubFolder\winlogon.exe:ZONE.identifier	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1584 set thread context of 1516	1584	winlogon.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1516	vbc.exe
Token: SeSecurityPrivilege	1516	vbc.exe
Token: SeTakeOwnershipPrivilege	1516	vbc.exe
Token: SeLoadDriverPrivilege	1516	vbc.exe
Token: SeSystemProfilePrivilege	1516	vbc.exe
Token: SeSystemtimePrivilege	1516	vbc.exe
Token: SeProfSingleProcessPrivilege	1516	vbc.exe
Token: SeIncBasePriorityPrivilege	1516	vbc.exe
Token: SeCreatePagefilePrivilege	1516	vbc.exe
Token: SeBackupPrivilege	1516	vbc.exe
Token: SeRestorePrivilege	1516	vbc.exe
Token: SeShutdownPrivilege	1516	vbc.exe
Token: SeDebugPrivilege	1516	vbc.exe
Token: SeSystemEnvironmentPrivilege	1516	vbc.exe
Token: SeChangeNotifyPrivilege	1516	vbc.exe
Token: SeRemoteShutdownPrivilege	1516	vbc.exe
Token: SeUndockPrivilege	1516	vbc.exe
Token: SeManageVolumePrivilege	1516	vbc.exe
Token: SeImpersonatePrivilege	1516	vbc.exe
Token: SeCreateGlobalPrivilege	1516	vbc.exe
Token: 33	1516	vbc.exe
Token: 34	1516	vbc.exe
Token: 35	1516	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1516	vbc.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1660	1404	a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe	28
PID 1404 wrote to memory of 1660	1404	a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe	28
PID 1404 wrote to memory of 1660	1404	a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe	28
PID 1404 wrote to memory of 1584	1404	a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe	30
PID 1404 wrote to memory of 1584	1404	a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe	30
PID 1404 wrote to memory of 1584	1404	a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe	30
PID 1584 wrote to memory of 328	1584	winlogon.exe	31
PID 1584 wrote to memory of 328	1584	winlogon.exe	31
PID 1584 wrote to memory of 328	1584	winlogon.exe	31
PID 1584 wrote to memory of 1516	1584	winlogon.exe	33
PID 1584 wrote to memory of 1516	1584	winlogon.exe	33
PID 1584 wrote to memory of 1516	1584	winlogon.exe	33
PID 1584 wrote to memory of 1516	1584	winlogon.exe	33
PID 1584 wrote to memory of 1516	1584	winlogon.exe	33
PID 1584 wrote to memory of 1516	1584	winlogon.exe	33
PID 1584 wrote to memory of 1516	1584	winlogon.exe	33
PID 1584 wrote to memory of 1516	1584	winlogon.exe	33
PID 1584 wrote to memory of 1516	1584	winlogon.exe	33
PID 1584 wrote to memory of 1516	1584	winlogon.exe	33
PID 1584 wrote to memory of 1516	1584	winlogon.exe	33
PID 1584 wrote to memory of 1516	1584	winlogon.exe	33
PID 1584 wrote to memory of 1516	1584	winlogon.exe	33

C:\Users\Admin\AppData\Local\Temp\a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe
"C:\Users\Admin\AppData\Local\Temp\a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe":ZONE.identifier & exit
  2⤵
  - NTFS ADS
  PID:1660
- C:\Windows\system32\SubFolder\SubFolder\winlogon.exe
  "C:\Windows\system32\SubFolder\SubFolder\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Windows\system32\SubFolder\SubFolder\winlogon.exe":ZONE.identifier & exit
    3⤵
    - Drops file in System32 directory
    PID:328
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6.exe

Filesize
736KB

MD5
1ddccfd964ded511cb8538e9616b13cb

SHA1
9aa5920603995edadf6d4af3a8d35ef28ca7852e

SHA256
a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6

SHA512
256df6192c85963e107f755f6ecd799249f4b7f4a741b2c14850f3b52c44afda4371bcc8118d62fa86869f87227d5f1b6569b404825ed6f73b7732fd0bb26905

Download Submit
C:\Windows\System32\SubFolder\SubFolder\winlogon.exe

Filesize
736KB

MD5
1ddccfd964ded511cb8538e9616b13cb

SHA1
9aa5920603995edadf6d4af3a8d35ef28ca7852e

SHA256
a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6

SHA512
256df6192c85963e107f755f6ecd799249f4b7f4a741b2c14850f3b52c44afda4371bcc8118d62fa86869f87227d5f1b6569b404825ed6f73b7732fd0bb26905

Download Submit
C:\Windows\system32\SubFolder\SubFolder\winlogon.exe

Filesize
736KB

MD5
1ddccfd964ded511cb8538e9616b13cb

SHA1
9aa5920603995edadf6d4af3a8d35ef28ca7852e

SHA256
a4083c15681ab40fd583fc69651efacae78d0d900550f4e2dab753344a4dd0f6

SHA512
256df6192c85963e107f755f6ecd799249f4b7f4a741b2c14850f3b52c44afda4371bcc8118d62fa86869f87227d5f1b6569b404825ed6f73b7732fd0bb26905

Download Submit
memory/1404-55-0x000007FEF1DF0000-0x000007FEF2E86000-memory.dmp

Filesize
16.6MB

Download
memory/1404-56-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/1404-54-0x000007FEF34D0000-0x000007FEF3EF3000-memory.dmp

Filesize
10.1MB

Download
memory/1516-85-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1516-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1516-95-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1516-94-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1516-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1516-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1516-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1516-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1516-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1516-93-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1516-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1516-92-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1516-88-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1516-91-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1584-62-0x000007FEF2460000-0x000007FEF2E83000-memory.dmp

Filesize
10.1MB

Download
memory/1584-63-0x000007FEED800000-0x000007FEEE896000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing