darkcomet | c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2

General

Target

c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe
Size

605KB
MD5

68b23221d1af190c3bfadd23fc64e87d
SHA1

1e6ae48e30d17c3e2acab6f1567ec2b380391e82
SHA256

c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2
SHA512

ebe0a16676545a37d5692b75abc552f35f69a14a4d04c0b12f9021fcbc14ca3fdb1c59b59ae2f5b58bc8bdb69e15a8e2d041d738fadbf23e02ab6de7087e55be
SSDEEP

6144:g/sxRbSSN0fItQTG2BDqVMRs3HaMlFZqGT2/dSfLpkPHR39OL85GUS4rg:ggSYjOGk8AVHU85

Score

10^/10

darkcomet evasion persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	vbc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	vbc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	vbc.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

vbc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vbc.exe

Disables Task Manager via registry modification
evasion

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3288-135-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral2/memory/3288-136-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral2/memory/3288-137-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral2/memory/3288-138-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral2/memory/3288-139-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral2/memory/3288-143-0x0000000000400000-0x00000000004B9000-memory.dmp	upx
behavioral2/memory/3288-144-0x0000000000400000-0x00000000004B9000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hotkcmd = "C:\\Users\\Admin\\AppData\\Roaming\\hotkcmd.exe"	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe

description	pid	process	target process
PID 2064 set thread context of 3288	2064	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

3288 vbc.exe

pid	process
3288	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3288	vbc.exe
Token: SeSecurityPrivilege	3288	vbc.exe
Token: SeTakeOwnershipPrivilege	3288	vbc.exe
Token: SeLoadDriverPrivilege	3288	vbc.exe
Token: SeSystemProfilePrivilege	3288	vbc.exe
Token: SeSystemtimePrivilege	3288	vbc.exe
Token: SeProfSingleProcessPrivilege	3288	vbc.exe
Token: SeIncBasePriorityPrivilege	3288	vbc.exe
Token: SeCreatePagefilePrivilege	3288	vbc.exe
Token: SeBackupPrivilege	3288	vbc.exe
Token: SeRestorePrivilege	3288	vbc.exe
Token: SeShutdownPrivilege	3288	vbc.exe
Token: SeDebugPrivilege	3288	vbc.exe
Token: SeSystemEnvironmentPrivilege	3288	vbc.exe
Token: SeChangeNotifyPrivilege	3288	vbc.exe
Token: SeRemoteShutdownPrivilege	3288	vbc.exe
Token: SeUndockPrivilege	3288	vbc.exe
Token: SeManageVolumePrivilege	3288	vbc.exe
Token: SeImpersonatePrivilege	3288	vbc.exe
Token: SeCreateGlobalPrivilege	3288	vbc.exe
Token: 33	3288	vbc.exe
Token: 34	3288	vbc.exe
Token: 35	3288	vbc.exe
Token: 36	3288	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe

pid	process
2064	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe
2064	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe

description	pid	process	target process
PID 2064 wrote to memory of 3288	2064	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe	vbc.exe
PID 2064 wrote to memory of 3288	2064	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe	vbc.exe
PID 2064 wrote to memory of 3288	2064	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe	vbc.exe
PID 2064 wrote to memory of 3288	2064	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe	vbc.exe
PID 2064 wrote to memory of 3288	2064	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe	vbc.exe
PID 2064 wrote to memory of 3288	2064	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe	vbc.exe
PID 2064 wrote to memory of 3288	2064	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe	vbc.exe
PID 2064 wrote to memory of 3288	2064	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe	vbc.exe
PID 2064 wrote to memory of 4932	2064	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe	cmd.exe
PID 2064 wrote to memory of 4932	2064	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe	cmd.exe
PID 2064 wrote to memory of 4932	2064	c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe
"C:\Users\Admin\AppData\Local\Temp\c101131318f582f4e5cbb47f039efcb1ce9de2446fc9870892e82933d0fe8fb2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Modifies firewall policy service
- Disables RegEdit via registry modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Deadly DDoSer.bat" "
2⤵
PID:4932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Deadly DDoSer.bat
Filesize
6KB

MD5
0ebf2430bd76b25eed50e62348303da5

SHA1
381964d30507181cf88fbb0282768643e9f2ad68

SHA256
9fdd4bdac8625e74bb633f69bcde97ac0cb7fb9b1d141afada367aa489600716

SHA512
ad113ed63edecaf86d9734ae93f52ed260fa66608b9dfab5fe838a5bf7ae4158d92d6e593062b4d789eb9c2e3ad7215471f1169d94ba227aba06ca08655409e4

Download Submit
memory/2064-133-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download
memory/2064-142-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download
memory/2064-132-0x00000000753E0000-0x0000000075991000-memory.dmp

Filesize
5.7MB

Download
memory/3288-135-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3288-137-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3288-138-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3288-139-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3288-136-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3288-134-0x0000000000000000-mapping.dmp

Download
memory/3288-143-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3288-144-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4932-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads