darkcomet | cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237

General

Target

cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Size

756KB
MD5

7492e20402c6b8b0a59e276bda7319b8
SHA1

fbaa2a0b58d6728b0e1dc08d13f9a9132277016e
SHA256

cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237
SHA512

02dfff656da997e75ca0ab99f6f8b51d5cf4d9cd709ff5779a36a8d57a386382c270a06ba31d89f9a417c24ffbb7230238f005815889844c5a38edd7814faa9f
SSDEEP

12288:09HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hfU:4Z1xuVVjfFoynPaVBUR8f+kN10EBu

Score

10^/10

darkcomet kurban persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Kurban

C2

emincan.no-ip.org:1604

127.0.0.1:1604

Mutex

DC_MUTEX-YSZXZA3

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
EXR6B1nK6pfE
install
true
offline_keylogger
true
persistence
false
reg_key
Winupdater

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Windupdt\\winupdate.exe"	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe

Executes dropped EXE 1 IoCs

Processes:

winupdate.exe

pid process

828 winupdate.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1488 notepad.exe
Loads dropped DLL 4 IoCs

Processes:

cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exewinupdate.exe

pid process

520 cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
828 winupdate.exe
828 winupdate.exe
828 winupdate.exe

pid	process
828	winupdate.exe

pid	process
1488	notepad.exe

pid	process
520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
828	winupdate.exe
828	winupdate.exe
828	winupdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winupdater = "C:\\Windows\\Windupdt\\winupdate.exe"	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe

Drops file in Windows directory 3 IoCs

Processes:

cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe

description	ioc	process
File created	C:\Windows\Windupdt\winupdate.exe	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
File opened for modification	C:\Windows\Windupdt\winupdate.exe	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
File opened for modification	C:\Windows\Windupdt\	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exewinupdate.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeSecurityPrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeTakeOwnershipPrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeLoadDriverPrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeSystemProfilePrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeSystemtimePrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeProfSingleProcessPrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeIncBasePriorityPrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeCreatePagefilePrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeBackupPrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeRestorePrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeShutdownPrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeDebugPrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeSystemEnvironmentPrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeChangeNotifyPrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeRemoteShutdownPrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeUndockPrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeManageVolumePrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeImpersonatePrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeCreateGlobalPrivilege	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: 33	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: 34	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: 35	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
Token: SeIncreaseQuotaPrivilege	828	winupdate.exe
Token: SeSecurityPrivilege	828	winupdate.exe
Token: SeTakeOwnershipPrivilege	828	winupdate.exe
Token: SeLoadDriverPrivilege	828	winupdate.exe
Token: SeSystemProfilePrivilege	828	winupdate.exe
Token: SeSystemtimePrivilege	828	winupdate.exe
Token: SeProfSingleProcessPrivilege	828	winupdate.exe
Token: SeIncBasePriorityPrivilege	828	winupdate.exe
Token: SeCreatePagefilePrivilege	828	winupdate.exe
Token: SeBackupPrivilege	828	winupdate.exe
Token: SeRestorePrivilege	828	winupdate.exe
Token: SeShutdownPrivilege	828	winupdate.exe
Token: SeDebugPrivilege	828	winupdate.exe
Token: SeSystemEnvironmentPrivilege	828	winupdate.exe
Token: SeChangeNotifyPrivilege	828	winupdate.exe
Token: SeRemoteShutdownPrivilege	828	winupdate.exe
Token: SeUndockPrivilege	828	winupdate.exe
Token: SeManageVolumePrivilege	828	winupdate.exe
Token: SeImpersonatePrivilege	828	winupdate.exe
Token: SeCreateGlobalPrivilege	828	winupdate.exe
Token: 33	828	winupdate.exe
Token: 34	828	winupdate.exe
Token: 35	828	winupdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

winupdate.exe

pid process

828 winupdate.exe

pid	process
828	winupdate.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe

description	pid	process	target process
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 1488	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	notepad.exe
PID 520 wrote to memory of 828	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	winupdate.exe
PID 520 wrote to memory of 828	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	winupdate.exe
PID 520 wrote to memory of 828	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	winupdate.exe
PID 520 wrote to memory of 828	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	winupdate.exe
PID 520 wrote to memory of 828	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	winupdate.exe
PID 520 wrote to memory of 828	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	winupdate.exe
PID 520 wrote to memory of 828	520	cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe	winupdate.exe

C:\Users\Admin\AppData\Local\Temp\cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe
"C:\Users\Admin\AppData\Local\Temp\cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Deletes itself
PID:1488

C:\Windows\Windupdt\winupdate.exe
"C:\Windows\Windupdt\winupdate.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Windupdt\winupdate.exe
Filesize
756KB

MD5
7492e20402c6b8b0a59e276bda7319b8

SHA1
fbaa2a0b58d6728b0e1dc08d13f9a9132277016e

SHA256
cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237

SHA512
02dfff656da997e75ca0ab99f6f8b51d5cf4d9cd709ff5779a36a8d57a386382c270a06ba31d89f9a417c24ffbb7230238f005815889844c5a38edd7814faa9f

Download Submit
C:\Windows\Windupdt\winupdate.exe
Filesize
756KB

MD5
7492e20402c6b8b0a59e276bda7319b8

SHA1
fbaa2a0b58d6728b0e1dc08d13f9a9132277016e

SHA256
cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237

SHA512
02dfff656da997e75ca0ab99f6f8b51d5cf4d9cd709ff5779a36a8d57a386382c270a06ba31d89f9a417c24ffbb7230238f005815889844c5a38edd7814faa9f

Download Submit
\Windows\Windupdt\winupdate.exe
Filesize
756KB

MD5
7492e20402c6b8b0a59e276bda7319b8

SHA1
fbaa2a0b58d6728b0e1dc08d13f9a9132277016e

SHA256
cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237

SHA512
02dfff656da997e75ca0ab99f6f8b51d5cf4d9cd709ff5779a36a8d57a386382c270a06ba31d89f9a417c24ffbb7230238f005815889844c5a38edd7814faa9f

Download Submit
\Windows\Windupdt\winupdate.exe
Filesize
756KB

MD5
7492e20402c6b8b0a59e276bda7319b8

SHA1
fbaa2a0b58d6728b0e1dc08d13f9a9132277016e

SHA256
cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237

SHA512
02dfff656da997e75ca0ab99f6f8b51d5cf4d9cd709ff5779a36a8d57a386382c270a06ba31d89f9a417c24ffbb7230238f005815889844c5a38edd7814faa9f

Download Submit
\Windows\Windupdt\winupdate.exe
Filesize
756KB

MD5
7492e20402c6b8b0a59e276bda7319b8

SHA1
fbaa2a0b58d6728b0e1dc08d13f9a9132277016e

SHA256
cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237

SHA512
02dfff656da997e75ca0ab99f6f8b51d5cf4d9cd709ff5779a36a8d57a386382c270a06ba31d89f9a417c24ffbb7230238f005815889844c5a38edd7814faa9f

Download Submit
\Windows\Windupdt\winupdate.exe
Filesize
756KB

MD5
7492e20402c6b8b0a59e276bda7319b8

SHA1
fbaa2a0b58d6728b0e1dc08d13f9a9132277016e

SHA256
cc3f7855682a8b1c89973a2ba57c21af884f5f9487149e1bee8b258161bc7237

SHA512
02dfff656da997e75ca0ab99f6f8b51d5cf4d9cd709ff5779a36a8d57a386382c270a06ba31d89f9a417c24ffbb7230238f005815889844c5a38edd7814faa9f

Download Submit
memory/520-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/828-58-0x0000000000000000-mapping.dmp

Download
memory/1488-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads