darkcomet | c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203

General

Target

c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Size

1.8MB
MD5

89783ca33e2fbe4f121c7784a18ce693
SHA1

47d727f35c802fa9a66713fff0a43b6fc1db73e8
SHA256

c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203
SHA512

cde04a8c32247c444df0fabc1c25c663fdda7d2e96a6799f5adf16c499e1f0006771a63de1decc7a6f1d44515d455ccb32123d2bcbf0972abfde682626b60209
SSDEEP

49152:fiDQLla9zhTig0+8FDHIu3i3+u9R0u+MMp7OE:qDQYrmHxi3+uX3+MwZ

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5028 set thread context of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 4444 set thread context of 1644	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	86

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87DC6BA4-9707-2A1E-4717-EA198D2749EC}\DefaultIcon	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87DC6BA4-9707-2A1E-4717-EA198D2749EC}\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE,1"	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87DC6BA4-9707-2A1E-4717-EA198D2749EC}\NotInsertable	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87DC6BA4-9707-2A1E-4717-EA198D2749EC}\NotInsertable\	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87DC6BA4-9707-2A1E-4717-EA198D2749EC}\ProgID\ = "Word.Picture.6"	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87DC6BA4-9707-2A1E-4717-EA198D2749EC}\TreatAs	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87DC6BA4-9707-2A1E-4717-EA198D2749EC}\ = "Microsoft Word 6.0 - 7.0 Picture"	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87DC6BA4-9707-2A1E-4717-EA198D2749EC}\AutoConvertTo\ = "{00020907-0000-0000-C000-000000000046}"	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87DC6BA4-9707-2A1E-4717-EA198D2749EC}\TreatAs\ = "{00020906-0000-0000-C000-000000000046}"	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87DC6BA4-9707-2A1E-4717-EA198D2749EC}\ProgID	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87DC6BA4-9707-2A1E-4717-EA198D2749EC}	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{87DC6BA4-9707-2A1E-4717-EA198D2749EC}\AutoConvertTo	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: 33	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeIncBasePriorityPrivilege	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeIncreaseQuotaPrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeSecurityPrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeTakeOwnershipPrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeLoadDriverPrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeSystemProfilePrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeSystemtimePrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeProfSingleProcessPrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeIncBasePriorityPrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeCreatePagefilePrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeBackupPrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeRestorePrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeShutdownPrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeDebugPrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeSystemEnvironmentPrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeChangeNotifyPrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeRemoteShutdownPrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeUndockPrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeManageVolumePrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeImpersonatePrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: SeCreateGlobalPrivilege	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: 33	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: 34	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: 35	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
Token: 36	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 5028 wrote to memory of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 5028 wrote to memory of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 5028 wrote to memory of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 5028 wrote to memory of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 5028 wrote to memory of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 5028 wrote to memory of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 5028 wrote to memory of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 5028 wrote to memory of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 5028 wrote to memory of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 5028 wrote to memory of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 5028 wrote to memory of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 5028 wrote to memory of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 5028 wrote to memory of 4444	5028	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	85
PID 4444 wrote to memory of 1644	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	86
PID 4444 wrote to memory of 1644	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	86
PID 4444 wrote to memory of 1644	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	86
PID 4444 wrote to memory of 1644	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	86
PID 4444 wrote to memory of 1644	4444	c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe	86

C:\Users\Admin\AppData\Local\Temp\c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
"C:\Users\Admin\AppData\Local\Temp\c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
  C:\Users\Admin\AppData\Local\Temp\c2a89abace500e1cd78481e2590c0403f0dd1eb5df4ef0120f51e4d89fb20203.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4444-157-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4444-155-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4444-148-0x0000000000000000-mapping.dmp

Download
memory/4444-163-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4444-149-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4444-160-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4444-156-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4444-150-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4444-153-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4444-161-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/4444-151-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/5028-147-0x0000000000400000-0x00000000005E0000-memory.dmp

Filesize
1.9MB

Download
memory/5028-164-0x0000000000400000-0x00000000005E0000-memory.dmp

Filesize
1.9MB

Download
memory/5028-134-0x0000000002180000-0x0000000002285000-memory.dmp

Filesize
1.0MB

Download
memory/5028-144-0x0000000000401000-0x0000000000468000-memory.dmp

Filesize
412KB

Download
memory/5028-132-0x0000000000400000-0x00000000005E0000-memory.dmp

Filesize
1.9MB

Download
memory/5028-143-0x0000000000400000-0x00000000005E0000-memory.dmp

Filesize
1.9MB

Download
memory/5028-142-0x0000000000400000-0x00000000005E0000-memory.dmp

Filesize
1.9MB

Download
memory/5028-141-0x0000000000400000-0x00000000005E0000-memory.dmp

Filesize
1.9MB

Download
memory/5028-140-0x0000000002181000-0x0000000002243000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing