darkcomet | 841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05

General

Target

841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe
Size

522KB
MD5

9dfb07602ea0746b21957d2610ed52d9
SHA1

1114f93efba5d9992ad8b71363db60b24e219b6c
SHA256

841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05
SHA512

b6a646ab82e4910e818aa07525264f2548a17c42837ca3cdb871627ee4ac840501d8afa2f2c62e1ad24d06babe11cd87ab4fa8e7e373ff9590fbb9ea6f6ea464
SSDEEP

12288:V5yqq4mBet9eHsgfZpj1+F2l+5IThMHChFOI1Ar0JE/ZkVSGZpU:bmW9ZSlIgl+5ITSChNaoJER

Score

10^/10

darkcomet lalx persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Lalx

C2

vxqpok2983.ddns.net:1604

Mutex

DC_MUTEX-3HK5ZXQ

Attributes

gencode
vKh92RY4kw3H
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\hZzNRuWMon\\pmrIFVKAmG.exe,explorer.exe"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe
1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe
1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe
1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe
1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe
Token: SeIncreaseQuotaPrivilege	624	AppLaunch.exe
Token: SeSecurityPrivilege	624	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	624	AppLaunch.exe
Token: SeLoadDriverPrivilege	624	AppLaunch.exe
Token: SeSystemProfilePrivilege	624	AppLaunch.exe
Token: SeSystemtimePrivilege	624	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	624	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	624	AppLaunch.exe
Token: SeCreatePagefilePrivilege	624	AppLaunch.exe
Token: SeBackupPrivilege	624	AppLaunch.exe
Token: SeRestorePrivilege	624	AppLaunch.exe
Token: SeShutdownPrivilege	624	AppLaunch.exe
Token: SeDebugPrivilege	624	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	624	AppLaunch.exe
Token: SeChangeNotifyPrivilege	624	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	624	AppLaunch.exe
Token: SeUndockPrivilege	624	AppLaunch.exe
Token: SeManageVolumePrivilege	624	AppLaunch.exe
Token: SeImpersonatePrivilege	624	AppLaunch.exe
Token: SeCreateGlobalPrivilege	624	AppLaunch.exe
Token: 33	624	AppLaunch.exe
Token: 34	624	AppLaunch.exe
Token: 35	624	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
624	AppLaunch.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1496	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	28
PID 1696 wrote to memory of 1496	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	28
PID 1696 wrote to memory of 1496	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	28
PID 1696 wrote to memory of 1496	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	28
PID 1496 wrote to memory of 1448	1496	cmd.exe	30
PID 1496 wrote to memory of 1448	1496	cmd.exe	30
PID 1496 wrote to memory of 1448	1496	cmd.exe	30
PID 1496 wrote to memory of 1448	1496	cmd.exe	30
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31
PID 1696 wrote to memory of 624	1696	841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe	31

C:\Users\Admin\AppData\Local\Temp\841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe
"C:\Users\Admin\AppData\Local\Temp\841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\hZzNRuWMon\pmrIFVKAmG.exe,explorer.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\hZzNRuWMon\pmrIFVKAmG.exe,explorer.exe"
    3⤵
    - Modifies WinLogon for persistence
    PID:1448
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\hZzNRuWMon\pmrIFVKAmG.exe

Filesize
522KB

MD5
9dfb07602ea0746b21957d2610ed52d9

SHA1
1114f93efba5d9992ad8b71363db60b24e219b6c

SHA256
841262726e83cc2a62b2c0d523426bcb6a38829b033a6530ec3e76b6521ebe05

SHA512
b6a646ab82e4910e818aa07525264f2548a17c42837ca3cdb871627ee4ac840501d8afa2f2c62e1ad24d06babe11cd87ab4fa8e7e373ff9590fbb9ea6f6ea464

Download Submit
memory/624-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/624-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/624-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/624-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/624-83-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/624-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/624-80-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/624-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/624-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/624-84-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/624-78-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/624-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/624-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/624-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1696-57-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-56-0x0000000000A26000-0x0000000000A37000-memory.dmp

Filesize
68KB

Download
memory/1696-55-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-58-0x0000000000A26000-0x0000000000A37000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing