darkcomet | bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f

Analysis

max time kernel
147s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe
Size

862KB
MD5

8dedabbc588d3040aa709afbc58e8a52
SHA1

061c10df4f1dbe57e69ff2e99a0ebab4150e9449
SHA256

bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f
SHA512

137bd1febee353872c89ddf2ffc39d9326ab3f604ca73a5b9a64de2705d50494b9ec27326cd7bee24c66bcdcff04bb431b1b72b50dc3a6357585303b3bce37f1
SSDEEP

24576:X260/omfb7AGpUIiyLHw+tbt1Ihjqplwqf3w1Mk:Wdp6ycYbtWol7q

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

1716 explorer.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

iexplore.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate iexplore.exe

pid	process
1716	explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	iexplore.exe

Drops startup file 1 IoCs

Processes:

bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).lnk	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe

Loads dropped DLL 6 IoCs

Processes:

bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe

pid	process
1500	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe
1500	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe
1500	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe
1500	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe
1500	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe
1500	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

explorer.exe

description pid process target process

PID 1716 set thread context of 1688 1716 explorer.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1716 set thread context of 1688	1716	explorer.exe	iexplore.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iexplore.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	iexplore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	iexplore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	iexplore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	iexplore.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

iexplore.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier iexplore.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	iexplore.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

iexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1688	iexplore.exe
Token: SeSecurityPrivilege	1688	iexplore.exe
Token: SeTakeOwnershipPrivilege	1688	iexplore.exe
Token: SeLoadDriverPrivilege	1688	iexplore.exe
Token: SeSystemProfilePrivilege	1688	iexplore.exe
Token: SeSystemtimePrivilege	1688	iexplore.exe
Token: SeProfSingleProcessPrivilege	1688	iexplore.exe
Token: SeIncBasePriorityPrivilege	1688	iexplore.exe
Token: SeCreatePagefilePrivilege	1688	iexplore.exe
Token: SeBackupPrivilege	1688	iexplore.exe
Token: SeRestorePrivilege	1688	iexplore.exe
Token: SeShutdownPrivilege	1688	iexplore.exe
Token: SeDebugPrivilege	1688	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1688	iexplore.exe
Token: SeChangeNotifyPrivilege	1688	iexplore.exe
Token: SeRemoteShutdownPrivilege	1688	iexplore.exe
Token: SeUndockPrivilege	1688	iexplore.exe
Token: SeManageVolumePrivilege	1688	iexplore.exe
Token: SeImpersonatePrivilege	1688	iexplore.exe
Token: SeCreateGlobalPrivilege	1688	iexplore.exe
Token: 33	1688	iexplore.exe
Token: 34	1688	iexplore.exe
Token: 35	1688	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2012 DllHost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exeiexplore.exe

pid process

1716 explorer.exe
1688 iexplore.exe

pid	process
2012	DllHost.exe

pid	process
1716	explorer.exe
1688	iexplore.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exeexplorer.exe

description	pid	process	target process
PID 1500 wrote to memory of 1716	1500	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe	explorer.exe
PID 1500 wrote to memory of 1716	1500	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe	explorer.exe
PID 1500 wrote to memory of 1716	1500	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe	explorer.exe
PID 1500 wrote to memory of 1716	1500	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe	explorer.exe
PID 1500 wrote to memory of 1716	1500	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe	explorer.exe
PID 1500 wrote to memory of 1716	1500	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe	explorer.exe
PID 1500 wrote to memory of 1716	1500	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe	explorer.exe
PID 1716 wrote to memory of 1688	1716	explorer.exe	iexplore.exe
PID 1716 wrote to memory of 1688	1716	explorer.exe	iexplore.exe
PID 1716 wrote to memory of 1688	1716	explorer.exe	iexplore.exe
PID 1716 wrote to memory of 1688	1716	explorer.exe	iexplore.exe
PID 1716 wrote to memory of 1688	1716	explorer.exe	iexplore.exe
PID 1716 wrote to memory of 1688	1716	explorer.exe	iexplore.exe
PID 1716 wrote to memory of 1688	1716	explorer.exe	iexplore.exe
PID 1716 wrote to memory of 1688	1716	explorer.exe	iexplore.exe
PID 1716 wrote to memory of 1688	1716	explorer.exe	iexplore.exe
PID 1716 wrote to memory of 1688	1716	explorer.exe	iexplore.exe
PID 1716 wrote to memory of 1688	1716	explorer.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe
"C:\Users\Admin\AppData\Local\Temp\bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Firefox.dll
Filesize
241KB

MD5
fc6f62ca501a1f48316442782fe45a46

SHA1
586c250091ed5d3d892c7c73e500c934851341c2

SHA256
611a326fc36a84aea51999f13e4db99c99ac7f0c2eaa917f403561f9183d99f0

SHA512
587a359d7a84893b70f317b446451c9348986f1df76c0411520d44ae0009384576591bddb3fc6b789fd7ffe1fa592cd09387607f4b145972028ebc7dbe7c9f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
56KB

MD5
ec99a9ba6fd95b806fce0fe51538910e

SHA1
49e4184216a22bcf78c3471642233a9224a74f20

SHA256
bd1153023713187f48da2fc472045c2294dd625fe11ebc8b3e7e67a80f1428dd

SHA512
bf673fba103da568c5eccce9beb48d9c2a221a4769f5c5fbd703dba3e6bc8ba8388b420606f58319ca3a8a1c93619d23bae446d496f8668bb760b465e1d41fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\صورتي الشخصية.jpg
Filesize
39KB

MD5
9a86fd40dfc0da67f664ed3ab5292cf8

SHA1
fc3ed6efbbfe567cd2c6d006195cfea0dc3e33ab

SHA256
c65d842658220cdba51ed223ee27a742d03e2c39e182e6fdc39178e38f7bee69

SHA512
445e8114fd88468dbcbd24155874404a45d051179920ec101a7e686e039d0bbc4e15f09b3bdbd01309d93b6a857c2dd7f7154257d212c7a7b0b5fb7beafbe788

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
56KB

MD5
ec99a9ba6fd95b806fce0fe51538910e

SHA1
49e4184216a22bcf78c3471642233a9224a74f20

SHA256
bd1153023713187f48da2fc472045c2294dd625fe11ebc8b3e7e67a80f1428dd

SHA512
bf673fba103da568c5eccce9beb48d9c2a221a4769f5c5fbd703dba3e6bc8ba8388b420606f58319ca3a8a1c93619d23bae446d496f8668bb760b465e1d41fda

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
56KB

MD5
ec99a9ba6fd95b806fce0fe51538910e

SHA1
49e4184216a22bcf78c3471642233a9224a74f20

SHA256
bd1153023713187f48da2fc472045c2294dd625fe11ebc8b3e7e67a80f1428dd

SHA512
bf673fba103da568c5eccce9beb48d9c2a221a4769f5c5fbd703dba3e6bc8ba8388b420606f58319ca3a8a1c93619d23bae446d496f8668bb760b465e1d41fda

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
56KB

MD5
ec99a9ba6fd95b806fce0fe51538910e

SHA1
49e4184216a22bcf78c3471642233a9224a74f20

SHA256
bd1153023713187f48da2fc472045c2294dd625fe11ebc8b3e7e67a80f1428dd

SHA512
bf673fba103da568c5eccce9beb48d9c2a221a4769f5c5fbd703dba3e6bc8ba8388b420606f58319ca3a8a1c93619d23bae446d496f8668bb760b465e1d41fda

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
56KB

MD5
ec99a9ba6fd95b806fce0fe51538910e

SHA1
49e4184216a22bcf78c3471642233a9224a74f20

SHA256
bd1153023713187f48da2fc472045c2294dd625fe11ebc8b3e7e67a80f1428dd

SHA512
bf673fba103da568c5eccce9beb48d9c2a221a4769f5c5fbd703dba3e6bc8ba8388b420606f58319ca3a8a1c93619d23bae446d496f8668bb760b465e1d41fda

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
56KB

MD5
ec99a9ba6fd95b806fce0fe51538910e

SHA1
49e4184216a22bcf78c3471642233a9224a74f20

SHA256
bd1153023713187f48da2fc472045c2294dd625fe11ebc8b3e7e67a80f1428dd

SHA512
bf673fba103da568c5eccce9beb48d9c2a221a4769f5c5fbd703dba3e6bc8ba8388b420606f58319ca3a8a1c93619d23bae446d496f8668bb760b465e1d41fda

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
56KB

MD5
ec99a9ba6fd95b806fce0fe51538910e

SHA1
49e4184216a22bcf78c3471642233a9224a74f20

SHA256
bd1153023713187f48da2fc472045c2294dd625fe11ebc8b3e7e67a80f1428dd

SHA512
bf673fba103da568c5eccce9beb48d9c2a221a4769f5c5fbd703dba3e6bc8ba8388b420606f58319ca3a8a1c93619d23bae446d496f8668bb760b465e1d41fda

Download Submit
memory/1500-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1716-61-0x0000000000000000-mapping.dmp

Download