darkcomet | e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552

General

Target

e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe
Size

1.4MB
MD5

e5aaaac2fcd910193e0e68491a549308
SHA1

41a38a84a97599310e5cdacf04b16da6aded7697
SHA256

e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552
SHA512

cd39febbfed12dda594cd057c21c88f0a2834fed9c5efeac6b0066dd39a4111c1b10343c23bfa8bb317fbf9d22e700cbd3ebefc31ebb56dcbe12be02983b58f0
SSDEEP

24576:6iC8pRuPliuuYmjBgtojHLJR533s4GoBg80IaKqVrS7i0ZESx3Y:6YpUPliuuYYutoTLJR533SoBg8bqxSJG

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 2 IoCs

pid	Process
1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe
888	a4fe0657ae664d0daa7527c3786c1ed8.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 1652	1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	vbc.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	vbc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1652	vbc.exe
Token: SeSecurityPrivilege	1652	vbc.exe
Token: SeTakeOwnershipPrivilege	1652	vbc.exe
Token: SeLoadDriverPrivilege	1652	vbc.exe
Token: SeSystemProfilePrivilege	1652	vbc.exe
Token: SeSystemtimePrivilege	1652	vbc.exe
Token: SeProfSingleProcessPrivilege	1652	vbc.exe
Token: SeIncBasePriorityPrivilege	1652	vbc.exe
Token: SeCreatePagefilePrivilege	1652	vbc.exe
Token: SeBackupPrivilege	1652	vbc.exe
Token: SeRestorePrivilege	1652	vbc.exe
Token: SeShutdownPrivilege	1652	vbc.exe
Token: SeDebugPrivilege	1652	vbc.exe
Token: SeSystemEnvironmentPrivilege	1652	vbc.exe
Token: SeChangeNotifyPrivilege	1652	vbc.exe
Token: SeRemoteShutdownPrivilege	1652	vbc.exe
Token: SeUndockPrivilege	1652	vbc.exe
Token: SeManageVolumePrivilege	1652	vbc.exe
Token: SeImpersonatePrivilege	1652	vbc.exe
Token: SeCreateGlobalPrivilege	1652	vbc.exe
Token: 33	1652	vbc.exe
Token: 34	1652	vbc.exe
Token: 35	1652	vbc.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1832	1064	e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe	27
PID 1064 wrote to memory of 1832	1064	e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe	27
PID 1064 wrote to memory of 1832	1064	e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe	27
PID 1064 wrote to memory of 1832	1064	e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe	27
PID 1064 wrote to memory of 888	1064	e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe	28
PID 1064 wrote to memory of 888	1064	e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe	28
PID 1064 wrote to memory of 888	1064	e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe	28
PID 1064 wrote to memory of 888	1064	e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe	28
PID 1832 wrote to memory of 1652	1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe	29
PID 1832 wrote to memory of 1652	1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe	29
PID 1832 wrote to memory of 1652	1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe	29
PID 1832 wrote to memory of 1652	1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe	29
PID 1832 wrote to memory of 1652	1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe	29
PID 1832 wrote to memory of 1652	1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe	29
PID 1832 wrote to memory of 1652	1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe	29
PID 1832 wrote to memory of 1652	1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe	29
PID 1832 wrote to memory of 1652	1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe	29
PID 1832 wrote to memory of 1652	1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe	29
PID 1832 wrote to memory of 1652	1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe	29
PID 1832 wrote to memory of 1652	1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe	29
PID 1832 wrote to memory of 1652	1832	07697bc2a6aa4b1abb4ac54fe08d5a42.exe	29

C:\Users\Admin\AppData\Local\Temp\e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe
"C:\Users\Admin\AppData\Local\Temp\e770e0c3d4ceed1562df98de7eb4a72728be2e71d8935a55ebe531bffd57c552.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\07697bc2a6aa4b1abb4ac54fe08d5a42.exe
  "C:\Users\Admin\AppData\Local\Temp\07697bc2a6aa4b1abb4ac54fe08d5a42.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- C:\Users\Admin\AppData\Local\Temp\a4fe0657ae664d0daa7527c3786c1ed8.exe
  "C:\Users\Admin\AppData\Local\Temp\a4fe0657ae664d0daa7527c3786c1ed8.exe"
  2⤵
  - Executes dropped EXE
  PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\07697bc2a6aa4b1abb4ac54fe08d5a42.exe

Filesize
947KB

MD5
4765736a08a7eb356a47b46b296089a3

SHA1
a9b7293c9c976fb7b63b0b194742779df8bd9c26

SHA256
fe6dc4d190ee5fd064e80b35391706fbe7dbf262c4e4bd5ec1f1d43206d788df

SHA512
9f32c4f06fc1e85303ba5c041dd434933945afa66c205d662d1ca406ffb8dfb42ebc08fee696f9c2521dbd85143f1de559afa4a7dbfddf33330de4bf00a9d0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\07697bc2a6aa4b1abb4ac54fe08d5a42.exe

Filesize
947KB

MD5
4765736a08a7eb356a47b46b296089a3

SHA1
a9b7293c9c976fb7b63b0b194742779df8bd9c26

SHA256
fe6dc4d190ee5fd064e80b35391706fbe7dbf262c4e4bd5ec1f1d43206d788df

SHA512
9f32c4f06fc1e85303ba5c041dd434933945afa66c205d662d1ca406ffb8dfb42ebc08fee696f9c2521dbd85143f1de559afa4a7dbfddf33330de4bf00a9d0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4fe0657ae664d0daa7527c3786c1ed8.exe

Filesize
188KB

MD5
67fc3caef08bd36a362bafc15d7a363b

SHA1
797f9e84a63b2d18656a6a9bd8794d25ffe1921b

SHA256
dddc5b4f3b43ec0aad7c36d97df3d6206356e1eae709644db014a5d4a26cd495

SHA512
31075cbbf21f1f4b4f3f5c52434e7856ea3c789760d793e982e31c0262d81ba00afc7bc7e17ab285ae2251d4848d9c6f77f9b8d981555006b7bc8d13628a3cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4fe0657ae664d0daa7527c3786c1ed8.exe

Filesize
188KB

MD5
67fc3caef08bd36a362bafc15d7a363b

SHA1
797f9e84a63b2d18656a6a9bd8794d25ffe1921b

SHA256
dddc5b4f3b43ec0aad7c36d97df3d6206356e1eae709644db014a5d4a26cd495

SHA512
31075cbbf21f1f4b4f3f5c52434e7856ea3c789760d793e982e31c0262d81ba00afc7bc7e17ab285ae2251d4848d9c6f77f9b8d981555006b7bc8d13628a3cce

Download Submit
memory/888-63-0x0000000000E80000-0x0000000000EB6000-memory.dmp

Filesize
216KB

Download
memory/888-85-0x00000000049B5000-0x00000000049C6000-memory.dmp

Filesize
68KB

Download
memory/1064-55-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1064-54-0x000007FEF4360000-0x000007FEF4D83000-memory.dmp

Filesize
10.1MB

Download
memory/1652-68-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1652-80-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1652-66-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1652-86-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1652-70-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1652-72-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1652-74-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1652-75-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1652-78-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1652-65-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1652-77-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1652-84-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1652-83-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1832-82-0x0000000074760000-0x0000000074D0B000-memory.dmp

Filesize
5.7MB

Download
memory/1832-62-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads