Analysis
-
max time kernel
47s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
04/12/2022, 02:31
Static task
static1
Behavioral task
behavioral1
Sample
c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Resource
win7-20221111-en
7 signatures
150 seconds
General
-
Target
c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
-
Size
1.8MB
-
MD5
89783ca33e2fbe4f121c7784a18ce693
-
SHA1
47d727f35c802fa9a66713fff0a43b6fc1db73e8
-
SHA256
c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203
-
SHA512
cde04a8c32247c444df0fabc1c25c663fdda7d2e96a6799f5adf16c499e1f0006771a63de1decc7a6f1d44515d455ccb32123d2bcbf0972abfde682626b60209
-
SSDEEP
49152:fiDQLla9zhTig0+8FDHIu3i3+u9R0u+MMp7OE:qDQYrmHxi3+uX3+MwZ
Malware Config
Signatures
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments: on an unmodified virtual machine the firmware version string and BIOS date are those of the hypervisor (VirtualBox, VMware, QEMU and so on), so a sample that finds a hypervisor marker there can refuse to run its payload unless the sandbox image spoofs these values.
Process (both rows): c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
description | ioc
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
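What a check on these two values typically compares, as an added example that is not the sample's code and not the sandbox's logic. The marker list is illustrative, the registry values for a physical host and a VirtualBox guest are constructed for the example, and `read_live_bios_values` is included so a sandbox operator can read the same two values on their own image and see whether it leaks the same markers:

```python
"""Added example (not the sample's code and not the sandbox's logic): what a
BIOS check like the one flagged above compares, and how to test a sandbox
image for the same leak. Sample registry values are constructed.
"""

# Substrings an evasive sample commonly looks for in firmware strings of an
# unmodified VM guest. Illustrative list, not exhaustive; matching is
# case-insensitive.
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "bochs", "xen", "virtual")

# The two values this sample queried, as they might read on a physical host
# and on a stock VirtualBox guest (both constructed for the example).
BARE_METAL = {
    "SystemBiosVersion": ["DELL   - 1072009", "1.14.3"],   # REG_MULTI_SZ
    "SystemBiosDate": "03/14/2022",                        # REG_SZ
}
VIRTUALBOX_GUEST = {
    "SystemBiosVersion": ["VBOX   - 1"],
    "SystemBiosDate": "12/01/2006",
}


def bios_vm_hits(values):
    """Return (value name, marker, offending string) for every marker found.

    REG_MULTI_SZ values arrive as a list of strings, REG_SZ as one string.
    """
    hits = []
    for name, value in values.items():
        strings = value if isinstance(value, (list, tuple)) else [value]
        for s in strings:
            low = str(s).lower()
            hits.extend((name, marker, s) for marker in VM_MARKERS if marker in low)
    return hits


def looks_like_vm(values):
    """True when any hypervisor marker appears in the BIOS values."""
    return bool(bios_vm_hits(values))


def read_live_bios_values():
    """Windows only: read the same two registry values the sample queried.

    Returns None where winreg is unavailable so the module imports anywhere.
    """
    try:
        import winreg
    except ImportError:
        return None
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System") as key:
        for name in ("SystemBiosVersion", "SystemBiosDate"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return out


if __name__ == "__main__":
    for tag, vals in (("bare metal", BARE_METAL), ("VirtualBox guest", VIRTUALBOX_GUEST)):
        verdict = "VM markers found" if looks_like_vm(vals) else "no markers"
        print(f"{tag}: {verdict} {bios_vm_hits(vals)}")
    live = read_live_bios_values()
    if live is not None:
        print("this host:", live, bios_vm_hits(live))
```

Not every hypervisor puts its name into SystemBiosVersion (some only leak it in VideoBiosVersion or the SMBIOS tables), which is why samples usually combine this check with others; for a sandbox, the fix is to patch these registry values and the underlying firmware strings rather than to block reads of the key, since reads are not something most endpoint telemetry records.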
Suspicious use of SetThreadContext 2 IoCs
Process (both rows): c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
description | pid | procid_target
PID 2028 set thread context of 1052 | 2028 | 29
PID 1052 set thread context of 1876 | 1052 | 30
procid_target is the report's own process index, not an OS PID; the OS PIDs are the ones in the description. Each SetThreadContext here targets a process the caller also wrote to (see "Suspicious use of WriteProcessMemory" below), which is the pairing that distinguishes redirecting a new process's entry point from a debugger-style context read.
Modifies registry class 16 IoCs
Process (all rows): c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
All 16 events are under one CLSID key in the 32-bit registry view:
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DC6BA4-9707-2A1E-4717-EA198D2749EC}
description | ioc (relative to that key)
Key created | (the CLSID key itself)
Set value (str) | (Default) = "System.Runtime.Remoting.Metadata.W3cXsd2001.SoapInteger"
Key created | ProgId
Set value (str) | ProgId\(Default) = "System.Runtime.Remoting.Metadata.W3cXsd2001.SoapInteger"
Key created | Implemented Categories
Key created | Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}
Key created | InprocServer32
Set value (str) | InprocServer32\(Default) = "mscoree.dll"
Set value (str) | InprocServer32\ThreadingModel = "Both"
Set value (str) | InprocServer32\Class = "System.Runtime.Remoting.Metadata.W3cXsd2001.SoapInteger"
Set value (str) | InprocServer32\Assembly = "mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Set value (str) | InprocServer32\RuntimeVersion = "v1.1.4322"
Key created | InprocServer32\2.0.0.0
Set value (str) | InprocServer32\2.0.0.0\Class = "System.Runtime.Remoting.Metadata.W3cXsd2001.SoapInteger"
Set value (str) | InprocServer32\2.0.0.0\Assembly = "mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Set value (str) | InprocServer32\2.0.0.0\RuntimeVersion = "v2.0.50727"
This is the layout the .NET Framework writes when a COM-visible managed class is registered: InprocServer32 points at the CLR shim mscoree.dll rather than a native DLL, and the Assembly/Class/RuntimeVersion values tell the runtime which type to load (one entry per runtime version, here v1.1 and v2.0); the Implemented Categories entry is the .NET category marker. The class registered is a framework type from mscorlib, not code carried by the sample, so this signature shows the sample running managed code in a 32-bit process (hence the Wow6432Node view) rather than installing a COM server of its own.
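Turning the flat event list above into a per-CLSID summary, and deciding from the values whether it is a .NET COM-interop registration, as an added example that is not the sandbox's code and not the sample's. The 16 event strings are transcribed from this report; the parsing rules and the managed-COM test (InprocServer32 default value is mscoree.dll and an Assembly value is present) are this example's own:

```python
"""Added example (not the sandbox's code and not the sample's): group the flat
"Modifies registry class" events by CLSID and decide whether they describe a
.NET COM-interop registration. The event lines are transcribed from this
report; the parsing rules and the managed-COM heuristic are this example's own.
"""
import re

CLSID_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID"
             r"\{87DC6BA4-9707-2A1E-4717-EA198D2749EC}")

# The 16 events from the report, one string each, in the report's own order.
REG_EVENTS = [
    f"Key created {CLSID_KEY}\\InprocServer32",
    f'Set value (str) {CLSID_KEY}\\InprocServer32\\ThreadingModel = "Both"',
    f'Set value (str) {CLSID_KEY}\\InprocServer32\\2.0.0.0\\Assembly = "mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"',
    f'Set value (str) {CLSID_KEY}\\ = "System.Runtime.Remoting.Metadata.W3cXsd2001.SoapInteger"',
    f"Key created {CLSID_KEY}\\Implemented Categories",
    f"Key created {CLSID_KEY}\\Implemented Categories\\{{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}}",
    f"Key created {CLSID_KEY}\\InprocServer32\\2.0.0.0",
    f'Set value (str) {CLSID_KEY}\\InprocServer32\\2.0.0.0\\Class = "System.Runtime.Remoting.Metadata.W3cXsd2001.SoapInteger"',
    f"Key created {CLSID_KEY}",
    f'Set value (str) {CLSID_KEY}\\InprocServer32\\RuntimeVersion = "v1.1.4322"',
    f'Set value (str) {CLSID_KEY}\\InprocServer32\\2.0.0.0\\RuntimeVersion = "v2.0.50727"',
    f'Set value (str) {CLSID_KEY}\\ProgId\\ = "System.Runtime.Remoting.Metadata.W3cXsd2001.SoapInteger"',
    f'Set value (str) {CLSID_KEY}\\InprocServer32\\Class = "System.Runtime.Remoting.Metadata.W3cXsd2001.SoapInteger"',
    f'Set value (str) {CLSID_KEY}\\InprocServer32\\ = "mscoree.dll"',
    f'Set value (str) {CLSID_KEY}\\InprocServer32\\Assembly = "mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"',
    f"Key created {CLSID_KEY}\\ProgId",
]

SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<val>.*)"$')
KEY_RE = re.compile(r"^Key created (?P<path>.+)$")
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})")


def parse_registry_events(lines):
    """Map CLSID -> {"keys": relative subkeys created, "values": {(subkey, name): value}, "wow64": bool}."""
    by_clsid = {}
    for line in lines:
        m = SET_RE.match(line) or KEY_RE.match(line)
        if not m:
            continue                      # not a registry event this parser models
        path = m["path"]
        c = CLSID_RE.search(path)
        if not c:
            continue                      # registry event outside a CLSID key
        entry = by_clsid.setdefault(c.group(1), {"keys": set(), "values": {}, "wow64": False})
        entry["wow64"] |= "\\Wow6432Node\\" in path
        rel = path[c.end():].lstrip("\\")  # relative to the CLSID key; "" is the key itself
        if "val" in m.groupdict():
            # A trailing backslash in the report means the key's (Default) value.
            subkey, _, name = rel.rpartition("\\")
            entry["values"][(subkey, name or "(Default)")] = m["val"]
        else:
            entry["keys"].add(rel)
    return by_clsid


def describe_clsid(clsid, entry):
    """Summarise one CLSID's registration and flag the .NET COM-interop shape."""
    vals = entry["values"]
    server = vals.get(("InprocServer32", "(Default)"))
    assemblies = sorted({v for (_, n), v in vals.items() if n == "Assembly"})
    runtimes = sorted({v for (_, n), v in vals.items() if n == "RuntimeVersion"})
    classes = sorted({v for (_, n), v in vals.items() if n == "Class"})
    # Managed COM server: the in-proc server is the CLR shim and the runtime is
    # told which assembly and type to load instead of a native DLL path.
    managed = (server or "").lower() == "mscoree.dll" and bool(assemblies)
    return {
        "clsid": clsid,
        "inproc_server": server,
        "managed_com": managed,
        "assemblies": assemblies,
        "runtime_versions": runtimes,
        "classes": classes,
        "progid": vals.get(("ProgId", "(Default)")),
        "threading_model": vals.get(("InprocServer32", "ThreadingModel")),
        "wow64_view": entry["wow64"],
        # Only framework assemblies named: nothing sample-specific is registered.
        "framework_only": bool(assemblies) and all(a.startswith("mscorlib,") for a in assemblies),
        "subkeys_created": len(entry["keys"]),
    }


if __name__ == "__main__":
    for clsid, entry in parse_registry_events(REG_EVENTS).items():
        for k, v in describe_clsid(clsid, entry).items():
            print(f"{k:>17}: {v}")
```

The same parser applies to a report where the CLSID is not a framework type: `framework_only` turning False while `managed_com` stays True is the case worth a closer look, because then the Assembly value names code the sample brought with it.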
Suspicious use of AdjustPrivilegeToken 25 IoCs
Process (all rows): c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
description | pid
Token: 33 | 2028
Token: SeIncBasePriorityPrivilege | 2028
Token: SeIncreaseQuotaPrivilege | 1052
Token: SeSecurityPrivilege | 1052
Token: SeTakeOwnershipPrivilege | 1052
Token: SeLoadDriverPrivilege | 1052
Token: SeSystemProfilePrivilege | 1052
Token: SeSystemtimePrivilege | 1052
Token: SeProfSingleProcessPrivilege | 1052
Token: SeIncBasePriorityPrivilege | 1052
Token: SeCreatePagefilePrivilege | 1052
Token: SeBackupPrivilege | 1052
Token: SeRestorePrivilege | 1052
Token: SeShutdownPrivilege | 1052
Token: SeDebugPrivilege | 1052
Token: SeSystemEnvironmentPrivilege | 1052
Token: SeChangeNotifyPrivilege | 1052
Token: SeRemoteShutdownPrivilege | 1052
Token: SeUndockPrivilege | 1052
Token: SeManageVolumePrivilege | 1052
Token: SeImpersonatePrivilege | 1052
Token: SeCreateGlobalPrivilege | 1052
Token: 33 | 1052
Token: 34 | 1052
Token: 35 | 1052
Numeric entries are privilege LUIDs the report did not resolve to a name: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege. PID 1052 enabling 23 privileges in one burst is the pattern of a process that walks its token and enables every privilege present (an elevated token on this image, given SeDebugPrivilege, SeLoadDriverPrivilege and SeTakeOwnershipPrivilege are among them) rather than requesting the one or two it needs; the parent, PID 2028, only touches two.
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2028 | c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Suspicious use of WriteProcessMemory 19 IoCs
Process (both rows): c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
description | pid | procid_target | events
PID 2028 wrote to memory of 1052 | 2028 | 29 | 13
PID 1052 wrote to memory of 1876 | 1052 | 30 | 6
(The report lists every write as its own IoC; the 19 identical lines are collapsed into counts here. Both targets are the writer's own child, and both are also the targets of the SetThreadContext calls above.)
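Rebuilding the injection chain from the SetThreadContext and WriteProcessMemory lines and the process tree, as an added example that is not the sandbox's code and not the sample's. The IoC descriptions and the parent/child relationships are transcribed from this report; the three labels (`unpacking / staging` for a self-spawned child of the same image, `process hollowing candidate` for a child of a different image, and a cross-process case for targets the writer did not create) are this example's own heuristic, not the sandbox's classification:

```python
"""Added example (not the sandbox's code and not the sample's): rebuild the
injection chain from the report's WriteProcessMemory and SetThreadContext
lines and label each hop. IoC lines and the process tree are transcribed from
this report; the labels are this example's own heuristic.
"""
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe")
IEXPLORE = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

# pid -> (parent pid, image path); the root's parent is not in the report.
PROCESS_TREE = {2028: (None, SAMPLE), 1052: (2028, SAMPLE), 1876: (1052, IEXPLORE)}

# The 21 IoC descriptions (2 SetThreadContext + 19 WriteProcessMemory), one
# per event as the report lists them.
IOC_LINES = (
    ["PID 2028 set thread context of 1052", "PID 1052 set thread context of 1876"]
    + ["PID 2028 wrote to memory of 1052"] * 13
    + ["PID 1052 wrote to memory of 1876"] * 6
)

IOC_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) (?P<dst>\d+)$"
)


@dataclass
class Hop:
    src: int
    dst: int
    writes: int = 0
    context_sets: int = 0


def parse_hops(lines):
    """Collapse per-event lines into one Hop per (source, target) pair."""
    hops = {}
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:
            continue                         # some other signature's line
        src, dst = int(m["src"]), int(m["dst"])
        hop = hops.setdefault((src, dst), Hop(src, dst))
        if m["action"].startswith("wrote"):
            hop.writes += 1
        else:
            hop.context_sets += 1
    return hops


def depth(pid, tree):
    """Distance from the root of the process tree (used to order hops)."""
    d = 0
    while tree.get(pid, (None, None))[0] is not None:
        pid = tree[pid][0]
        d += 1
    return d


def label(hop, tree):
    """Heuristic: what does this write + SetThreadContext pair look like?"""
    parent, dst_image = tree.get(hop.dst, (None, None))
    _, src_image = tree.get(hop.src, (None, None))
    if hop.writes == 0 or hop.context_sets == 0:
        return "partial: memory writes or SetThreadContext alone"
    if parent != hop.src:
        return "injection into a process the writer did not create"
    if dst_image == src_image:
        return "re-launches itself and rewrites the child: unpacking / staging"
    return "child of a different image (%s): process hollowing candidate" % dst_image.rsplit("\\", 1)[-1]


def injection_chain(lines, tree):
    """Ordered (src, dst, writes, context_sets, label) tuples, root first."""
    hops = sorted(parse_hops(lines).values(), key=lambda h: depth(h.dst, tree))
    return [(h.src, h.dst, h.writes, h.context_sets, label(h, tree)) for h in hops]


if __name__ == "__main__":
    for src, dst, w, c, why in injection_chain(IOC_LINES, PROCESS_TREE):
        print(f"{src} -> {dst}: {w} WriteProcessMemory, {c} SetThreadContext: {why}")
```

For this report the chain comes out as 2028 -> 1052 (same image, 13 writes, one context set) followed by 1052 -> 1876 (iexplore.exe, 6 writes, one context set), which is the two-stage shape of a packer that unpacks into a copy of itself and then hollows a legitimate browser process to host the final payload. The same correlation (writes plus SetThreadContext into a freshly created child) is what a detection rule over process-access telemetry would key on.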
Processes
C:\Users\Admin\AppData\Local\Temp\c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe (PID 2028)
  command line: "C:\Users\Admin\AppData\Local\Temp\c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe"
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe (PID 1052, child of 2028)
       command line: C:\Users\Admin\AppData\Local\Temp\c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
       - Suspicious use of SetThreadContext
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
       └─ C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 1876, child of 1052)
            command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"