darkcomet | 186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e

General

Target

186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe
Size

851KB
MD5

11809afb3c3e1777e6efbb5a426641b0
SHA1

ef713e6840fa0a049af9816bbdbec262ac5af08e
SHA256

186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e
SHA512

31d67debfad7af652d494a02fba26bd6fe66900b7ef51769f3aed6b9329028d63a1ac55704ad3221f894e5d637ecbfab6a68b261ed232c30657247d3759ca8c3
SSDEEP

24576:A////c5a2YepX2JNU4G55l1FbHcoluFLhA:/HYepVj1Fb8o8

Score

10^/10

darkcomet new452012 evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

New452012

C2

airjosh977.no-ip.biz:100

Mutex

DC_MUTEX-T577G6G

Attributes

gencode
WrgUMHjTbCs4
install
false
offline_keylogger
true
password
0123456789
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	svchost.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

820 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe

pid process

1300 186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe

pid	process
820	svchost.exe

pid	process
1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe

description	pid	process	target process
PID 1300 set thread context of 820	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe
Token: SeIncreaseQuotaPrivilege	820	svchost.exe
Token: SeSecurityPrivilege	820	svchost.exe
Token: SeTakeOwnershipPrivilege	820	svchost.exe
Token: SeLoadDriverPrivilege	820	svchost.exe
Token: SeSystemProfilePrivilege	820	svchost.exe
Token: SeSystemtimePrivilege	820	svchost.exe
Token: SeProfSingleProcessPrivilege	820	svchost.exe
Token: SeIncBasePriorityPrivilege	820	svchost.exe
Token: SeCreatePagefilePrivilege	820	svchost.exe
Token: SeBackupPrivilege	820	svchost.exe
Token: SeRestorePrivilege	820	svchost.exe
Token: SeShutdownPrivilege	820	svchost.exe
Token: SeDebugPrivilege	820	svchost.exe
Token: SeSystemEnvironmentPrivilege	820	svchost.exe
Token: SeChangeNotifyPrivilege	820	svchost.exe
Token: SeRemoteShutdownPrivilege	820	svchost.exe
Token: SeUndockPrivilege	820	svchost.exe
Token: SeManageVolumePrivilege	820	svchost.exe
Token: SeImpersonatePrivilege	820	svchost.exe
Token: SeCreateGlobalPrivilege	820	svchost.exe
Token: 33	820	svchost.exe
Token: 34	820	svchost.exe
Token: 35	820	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

820 svchost.exe

pid	process
820	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe

description	pid	process	target process
PID 1300 wrote to memory of 820	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe	svchost.exe
PID 1300 wrote to memory of 820	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe	svchost.exe
PID 1300 wrote to memory of 820	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe	svchost.exe
PID 1300 wrote to memory of 820	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe	svchost.exe
PID 1300 wrote to memory of 820	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe	svchost.exe
PID 1300 wrote to memory of 820	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe	svchost.exe
PID 1300 wrote to memory of 820	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe	svchost.exe
PID 1300 wrote to memory of 820	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe	svchost.exe
PID 1300 wrote to memory of 820	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe	svchost.exe
PID 1300 wrote to memory of 820	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe	svchost.exe
PID 1300 wrote to memory of 820	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe	svchost.exe
PID 1300 wrote to memory of 820	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe	svchost.exe
PID 1300 wrote to memory of 820	1300	186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe	svchost.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe
"C:\Users\Admin\AppData\Local\Temp\186a7cfa0dd16e0d931c32b5617766416b8a09d00fda23b49f6e5aa60bd4a47e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/820-66-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/820-71-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/820-58-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/820-60-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/820-62-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/820-64-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/820-79-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/820-67-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/820-69-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/820-57-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/820-72-0x0000000000490888-mapping.dmp

Download
memory/820-74-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/820-78-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/820-77-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1300-76-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/1300-55-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/1300-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads