darkcomet | bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f

General

Target

bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe
Size

862KB
MD5

8dedabbc588d3040aa709afbc58e8a52
SHA1

061c10df4f1dbe57e69ff2e99a0ebab4150e9449
SHA256

bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f
SHA512

137bd1febee353872c89ddf2ffc39d9326ab3f604ca73a5b9a64de2705d50494b9ec27326cd7bee24c66bcdcff04bb431b1b72b50dc3a6357585303b3bce37f1
SSDEEP

24576:X260/omfb7AGpUIiyLHw+tbt1Ihjqplwqf3w1Mk:Wdp6ycYbtWol7q

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

4852 explorer.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

iexplore.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate iexplore.exe

pid	process
4852	explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	iexplore.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe

Drops startup file 1 IoCs

Processes:

bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).lnk	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

explorer.exe

description pid process target process

PID 4852 set thread context of 1492 4852 explorer.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4852 set thread context of 1492	4852	explorer.exe	iexplore.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iexplore.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	iexplore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	iexplore.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	iexplore.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	iexplore.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

iexplore.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier iexplore.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	iexplore.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

iexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1492	iexplore.exe
Token: SeSecurityPrivilege	1492	iexplore.exe
Token: SeTakeOwnershipPrivilege	1492	iexplore.exe
Token: SeLoadDriverPrivilege	1492	iexplore.exe
Token: SeSystemProfilePrivilege	1492	iexplore.exe
Token: SeSystemtimePrivilege	1492	iexplore.exe
Token: SeProfSingleProcessPrivilege	1492	iexplore.exe
Token: SeIncBasePriorityPrivilege	1492	iexplore.exe
Token: SeCreatePagefilePrivilege	1492	iexplore.exe
Token: SeBackupPrivilege	1492	iexplore.exe
Token: SeRestorePrivilege	1492	iexplore.exe
Token: SeShutdownPrivilege	1492	iexplore.exe
Token: SeDebugPrivilege	1492	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1492	iexplore.exe
Token: SeChangeNotifyPrivilege	1492	iexplore.exe
Token: SeRemoteShutdownPrivilege	1492	iexplore.exe
Token: SeUndockPrivilege	1492	iexplore.exe
Token: SeManageVolumePrivilege	1492	iexplore.exe
Token: SeImpersonatePrivilege	1492	iexplore.exe
Token: SeCreateGlobalPrivilege	1492	iexplore.exe
Token: 33	1492	iexplore.exe
Token: 34	1492	iexplore.exe
Token: 35	1492	iexplore.exe
Token: 36	1492	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exeiexplore.exe

pid process

4852 explorer.exe
1492 iexplore.exe

pid	process
4852	explorer.exe
1492	iexplore.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exeexplorer.exe

description	pid	process	target process
PID 1608 wrote to memory of 4852	1608	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe	explorer.exe
PID 1608 wrote to memory of 4852	1608	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe	explorer.exe
PID 1608 wrote to memory of 4852	1608	bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe	explorer.exe
PID 4852 wrote to memory of 1492	4852	explorer.exe	iexplore.exe
PID 4852 wrote to memory of 1492	4852	explorer.exe	iexplore.exe
PID 4852 wrote to memory of 1492	4852	explorer.exe	iexplore.exe
PID 4852 wrote to memory of 1492	4852	explorer.exe	iexplore.exe
PID 4852 wrote to memory of 1492	4852	explorer.exe	iexplore.exe
PID 4852 wrote to memory of 1492	4852	explorer.exe	iexplore.exe
PID 4852 wrote to memory of 1492	4852	explorer.exe	iexplore.exe
PID 4852 wrote to memory of 1492	4852	explorer.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe
"C:\Users\Admin\AppData\Local\Temp\bf26780603ac0b0d83011772fbc3081537e8175439625c498cb02aae6e9b482f.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4852

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Firefox.dll
Filesize
241KB

MD5
fc6f62ca501a1f48316442782fe45a46

SHA1
586c250091ed5d3d892c7c73e500c934851341c2

SHA256
611a326fc36a84aea51999f13e4db99c99ac7f0c2eaa917f403561f9183d99f0

SHA512
587a359d7a84893b70f317b446451c9348986f1df76c0411520d44ae0009384576591bddb3fc6b789fd7ffe1fa592cd09387607f4b145972028ebc7dbe7c9f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
56KB

MD5
ec99a9ba6fd95b806fce0fe51538910e

SHA1
49e4184216a22bcf78c3471642233a9224a74f20

SHA256
bd1153023713187f48da2fc472045c2294dd625fe11ebc8b3e7e67a80f1428dd

SHA512
bf673fba103da568c5eccce9beb48d9c2a221a4769f5c5fbd703dba3e6bc8ba8388b420606f58319ca3a8a1c93619d23bae446d496f8668bb760b465e1d41fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
56KB

MD5
ec99a9ba6fd95b806fce0fe51538910e

SHA1
49e4184216a22bcf78c3471642233a9224a74f20

SHA256
bd1153023713187f48da2fc472045c2294dd625fe11ebc8b3e7e67a80f1428dd

SHA512
bf673fba103da568c5eccce9beb48d9c2a221a4769f5c5fbd703dba3e6bc8ba8388b420606f58319ca3a8a1c93619d23bae446d496f8668bb760b465e1d41fda

Download Submit
memory/4852-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads