darkcomet | 06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66

General

Target

06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Size

967KB
MD5

245d2cec5bb0f3cb375028c72ef684f0
SHA1

e4030d976f994697dd482fdae62258b55b0c3eed
SHA256

06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66
SHA512

59658b4db272d15b4680f6546168f72ea34c7125e45fa91b0694443cb020f1fe2fb92e88e01ca545cc2ccb1420aa208fee4019436a3c9c0947a04a8465e04a59
SSDEEP

24576:gRmJkcoQricOIQxiZY1iavReA7pZk0/arYy:VJZoQrbTFZY1iavRtpTcYy

Score

10^/10

darkcomet guest16 rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:321

Mutex

DC_MUTEX-R0X7EMW

Attributes

gencode
8wq0x7iUlHMN
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1504-64-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1504-66-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1504-67-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1504-70-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1504-72-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1504-73-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1504-74-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1504-75-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

description	pid	process	target process
PID 2040 set thread context of 948	2040	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 948 set thread context of 1504	948	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeSecurityPrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeTakeOwnershipPrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeLoadDriverPrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeSystemProfilePrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeSystemtimePrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeProfSingleProcessPrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeIncBasePriorityPrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeCreatePagefilePrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeBackupPrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeRestorePrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeShutdownPrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeDebugPrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeSystemEnvironmentPrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeChangeNotifyPrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeRemoteShutdownPrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeUndockPrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeManageVolumePrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeImpersonatePrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: SeCreateGlobalPrivilege	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: 33	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: 34	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
Token: 35	1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

pid	process
948	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
1504	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

description	pid	process	target process
PID 2040 wrote to memory of 948	2040	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 2040 wrote to memory of 948	2040	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 2040 wrote to memory of 948	2040	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 2040 wrote to memory of 948	2040	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 2040 wrote to memory of 948	2040	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 2040 wrote to memory of 948	2040	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 948 wrote to memory of 1504	948	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 948 wrote to memory of 1504	948	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 948 wrote to memory of 1504	948	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 948 wrote to memory of 1504	948	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 948 wrote to memory of 1504	948	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 948 wrote to memory of 1504	948	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 948 wrote to memory of 1504	948	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
PID 948 wrote to memory of 1504	948	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe	06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe

C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
"C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
"C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\06525df1ba0a8ef25cedd5e010b062eea40a40c3c9862f51afdbc3b2b23f5a66.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-69-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/948-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/948-57-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/948-58-0x0000000000401094-mapping.dmp

Download
memory/948-62-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1504-67-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1504-64-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1504-66-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1504-68-0x00000000004B5650-mapping.dmp

Download
memory/1504-70-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1504-63-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1504-72-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1504-73-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1504-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1504-75-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2040-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads