darkcomet | 97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd

Analysis

max time kernel
151s
max time network
187s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe
Size

1.1MB
MD5

ac674190fce443fa79a572aa94f5c507
SHA1

26ff1ecffb8a5770c64b17c88771ad73c320c702
SHA256

97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd
SHA512

ae1183f4c6092b5516eb966df7ff22c81c0cebb1930705d81e3f729e20e3857ece51d46da9bdc462dcb56cb29a0f3423aefb331d5b70c0e661b8284e07bb1dbb
SSDEEP

12288:Fuz5YhnUAQyjTeFiPgbFpfgjxFRpQqrfd0MzmUOLhnK2higmjQlQHeQ1ag4fobaE:mA7jTeFiIyjtxqLhnphigwQljAb

Score

10^/10

darkcomet sss persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

sss

ssss.ddns.net:1604

Mutex

DC_MUTEX-KNS55JC

Attributes

gencode
uArTCC80KXnu
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\UBbNprctW = "C:\\Users\\Admin\\AppData\\Roaming\\aAAszIoRi.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 544	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	34
PID 2040 set thread context of 692	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	37

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\aAAszIoRi.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe
Token: SeIncreaseQuotaPrivilege	692	vbc.exe
Token: SeSecurityPrivilege	692	vbc.exe
Token: SeTakeOwnershipPrivilege	692	vbc.exe
Token: SeLoadDriverPrivilege	692	vbc.exe
Token: SeSystemProfilePrivilege	692	vbc.exe
Token: SeSystemtimePrivilege	692	vbc.exe
Token: SeProfSingleProcessPrivilege	692	vbc.exe
Token: SeIncBasePriorityPrivilege	692	vbc.exe
Token: SeCreatePagefilePrivilege	692	vbc.exe
Token: SeBackupPrivilege	692	vbc.exe
Token: SeRestorePrivilege	692	vbc.exe
Token: SeShutdownPrivilege	692	vbc.exe
Token: SeDebugPrivilege	692	vbc.exe
Token: SeSystemEnvironmentPrivilege	692	vbc.exe
Token: SeChangeNotifyPrivilege	692	vbc.exe
Token: SeRemoteShutdownPrivilege	692	vbc.exe
Token: SeUndockPrivilege	692	vbc.exe
Token: SeManageVolumePrivilege	692	vbc.exe
Token: SeImpersonatePrivilege	692	vbc.exe
Token: SeCreateGlobalPrivilege	692	vbc.exe
Token: 33	692	vbc.exe
Token: 34	692	vbc.exe
Token: 35	692	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
544	vbc.exe
692	vbc.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1292	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	28
PID 2040 wrote to memory of 1292	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	28
PID 2040 wrote to memory of 1292	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	28
PID 2040 wrote to memory of 1292	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	28
PID 1292 wrote to memory of 1496	1292	vbc.exe	30
PID 1292 wrote to memory of 1496	1292	vbc.exe	30
PID 1292 wrote to memory of 1496	1292	vbc.exe	30
PID 1292 wrote to memory of 1496	1292	vbc.exe	30
PID 2040 wrote to memory of 1720	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	31
PID 2040 wrote to memory of 1720	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	31
PID 2040 wrote to memory of 1720	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	31
PID 2040 wrote to memory of 1720	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	31
PID 1720 wrote to memory of 924	1720	vbc.exe	33
PID 1720 wrote to memory of 924	1720	vbc.exe	33
PID 1720 wrote to memory of 924	1720	vbc.exe	33
PID 1720 wrote to memory of 924	1720	vbc.exe	33
PID 2040 wrote to memory of 544	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	34
PID 2040 wrote to memory of 544	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	34
PID 2040 wrote to memory of 544	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	34
PID 2040 wrote to memory of 544	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	34
PID 2040 wrote to memory of 544	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	34
PID 2040 wrote to memory of 544	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	34
PID 2040 wrote to memory of 544	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	34
PID 2040 wrote to memory of 544	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	34
PID 2040 wrote to memory of 544	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	34
PID 2040 wrote to memory of 1160	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	35
PID 2040 wrote to memory of 1160	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	35
PID 2040 wrote to memory of 1160	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	35
PID 2040 wrote to memory of 1160	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	35
PID 2040 wrote to memory of 692	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	37
PID 2040 wrote to memory of 692	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	37
PID 2040 wrote to memory of 692	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	37
PID 2040 wrote to memory of 692	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	37
PID 2040 wrote to memory of 692	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	37
PID 2040 wrote to memory of 692	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	37
PID 2040 wrote to memory of 692	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	37
PID 2040 wrote to memory of 692	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	37
PID 2040 wrote to memory of 692	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	37
PID 2040 wrote to memory of 692	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	37
PID 2040 wrote to memory of 692	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	37
PID 2040 wrote to memory of 692	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	37
PID 2040 wrote to memory of 692	2040	97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe	37

C:\Users\Admin\AppData\Local\Temp\97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe
"C:\Users\Admin\AppData\Local\Temp\97dde71e4e5a7bf54b2ca0381b5daf60df5ed8f70529c11c50475e316e1f8ecd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qt6palnx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A65.tmp"
    3⤵
    PID:1496
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qobcu2nf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AE3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8AE2.tmp"
    3⤵
    PID:924
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:544
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - NTFS ADS
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8A66.tmp

Filesize
1KB

MD5
7c38919ab447be8822e100ef88083ecc

SHA1
5665e857f63bf4c6309d8cb35f1f6bcb52e0c7f2

SHA256
374904a21e79d9e3ca09f6d1d703f264ba937fda1d775ffdddfc9c7da5e14105

SHA512
02b22764e623a96f6f3d5c215b83503efd0202e2e18d7be435c3547428f0d2181c9ce91ee03cd67b6b87707a1249443c58659dcc36a861a337b5f9a4dc880b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8AE3.tmp

Filesize
1KB

MD5
b54eed82b497ca7ff17eb6e69b8d0220

SHA1
65418e4ecbe2fed5eaa98800a7e66b8c4fdcf9f4

SHA256
732d2ac48d05e491d3fefda4b50cd4422a9614c05dbc7a9647c9862b58cdaa9e

SHA512
a065489395b67a79b9fffc321edf9dc1e2c6846e9a79d09631b4007ec9b7d6ef200ac615a5302c1854e5542f630f114e30222e2ffcdc2343a944fba6aed245a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qobcu2nf.0.vb

Filesize
256B

MD5
9f362c5084b0126d5460310d3353d13e

SHA1
8617abc0a8c22a109b52e2e3c85b4400ed04b40e

SHA256
83ef5a38a9ddf6fcb030ef4f4f63c0e989a49c83691f18b07f851bf35544f2d0

SHA512
9f701a8cec9297f50533ee6cf72851f2400bc777013b663cacea1b531801446d08ffc9a3f5d120b7e81a0f363c7421b9c2103e26be6606f7fe29de3107c4cbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qobcu2nf.cmdline

Filesize
317B

MD5
fe4b4ca411afef14d3ce64283589c024

SHA1
5b84e5a6ebe7369b85dd0762d3003f0ca75208e5

SHA256
2c9a21aeddcf1b9349936ed67335170ed9119a974fd51cadd21f57813310cbc6

SHA512
f4e30eb5661a11cbb4fa0922bdbdc5da5d011bf7b2e86e8eab9749890fb620bf87f7ed6016f04caca31a5697886cc68fb4636454198ee62c38bc19098d310935

Download Submit
C:\Users\Admin\AppData\Local\Temp\qobcu2nf.dll

Filesize
6KB

MD5
c4cacf7606b418184b55de68ef79e9d1

SHA1
8fbedbdaae4ef7fe5d002b32b5bcf2352a42ec96

SHA256
64cf0bba2e8801100cb7a90af809d0ad28b154a4f51570dcd2361efe8eb1d992

SHA512
e5e7a4b802b5150ed661c585c5be8fb614b43ea7af698c0feb51a8ec2b0bd372455ed5f99bbb521ce34618407f5ea288f31530e5c66632d88c92e6bb8f7c7dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\qt6palnx.0.vb

Filesize
256B

MD5
9f362c5084b0126d5460310d3353d13e

SHA1
8617abc0a8c22a109b52e2e3c85b4400ed04b40e

SHA256
83ef5a38a9ddf6fcb030ef4f4f63c0e989a49c83691f18b07f851bf35544f2d0

SHA512
9f701a8cec9297f50533ee6cf72851f2400bc777013b663cacea1b531801446d08ffc9a3f5d120b7e81a0f363c7421b9c2103e26be6606f7fe29de3107c4cbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qt6palnx.cmdline

Filesize
317B

MD5
38e8c943cb1652ed26f756ec6c34c531

SHA1
f3102a71188489d778a0a8089a53bd099dee38dc

SHA256
56c8633c450fd86d525e2a55bd4bcee0a919f5a99030e62d9be7d831c87f91f7

SHA512
60c4de81bdd32b33b48f628d27a998da802088147dae3311baaeca22c0c3dbe7dac79aabf7074af459b1ac32e2b737dcbf643389367b38dca5e91bdee2a6fd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\qt6palnx.dll

Filesize
6KB

MD5
493b8e50af509a411ea3decb2826c908

SHA1
5e74b67d0c8de993c2a9fe9601469e9b44d721e5

SHA256
41ed891aa2ff8eef69b5572707b71c55d355e209d5aa6bb69861dbad5e6ddfb0

SHA512
d51969eb411fc4c745805c878d7ae2fd8d59fb6f669aa7897c6b3983e4d180ee2ecd01ba6bf745c90c4cfe2b71af998c9cb8056bc5ce8707f8009dd1461dd578

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8A65.tmp

Filesize
652B

MD5
1c3c83ba7ff2d174a7f508c70e2119a9

SHA1
778df32461b98060a90dada040859964453cf9f6

SHA256
aeeb4643ab7700d834f4cbfa952afba457584e9b9df602e651fda6997553c118

SHA512
50b1559b32e1f789f2af3d60276c063a14cdf41df5353d36c39bcc41f302edd3698040d1537fc422d88988e253de8b28d239b787461b6bf58a620e9677683706

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8AE2.tmp

Filesize
652B

MD5
7b092dbab1f0cf38b415ba7bc05d4dc7

SHA1
80eb4634997d745cfcfdb20ff139b67f470a0fb9

SHA256
df2657744b0fd79ee3712e8ea2cb92f4ff95d45b4a418aebf53260a6a3f3e3ea

SHA512
22a41a57536ff2b1f1b3a6a4a6e0b4490bb9b46bd006727b6a88df7fcd0df68fe55807a7c746646b164e341a34671ce66a037d87816631e30e586d1acb2502f0

Download Submit
C:\Users\Admin\AppData\Roaming\aAAszIoRi.exe:ZONE.identifier

Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Roaming\fp.txt

Filesize
124B

MD5
8f32197b0b97cccf211c1a6f83f5102e

SHA1
0b3b186978521836b36e9471170e1d89707b5814

SHA256
69484f76377991d32f1e0d075cbd50b877edceb999b17d415ef7d7230190b071

SHA512
cdfb8db3007c7d022ac8e5cc241447fe4e3ee77361b2a06b2ff633b2b08ef87b07a9d104efff8c738bd799aaf828049d5e15aab633648e72b6f551fa9061f068

Download Submit
memory/544-76-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/544-74-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/544-83-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/544-77-0x0000000000401238-mapping.dmp

Download
memory/544-70-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/544-71-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/692-100-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-98-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-107-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-106-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-105-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-102-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-101-0x000000000048F888-mapping.dmp

Download
memory/692-96-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-86-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-87-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-89-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-91-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-93-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/692-95-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/924-66-0x0000000000000000-mapping.dmp

Download
memory/1160-84-0x0000000000000000-mapping.dmp

Download
memory/1292-55-0x0000000000000000-mapping.dmp

Download
memory/1496-59-0x0000000000000000-mapping.dmp

Download
memory/1720-63-0x0000000000000000-mapping.dmp

Download
memory/2040-73-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-104-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-57-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download