darkcomet | e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b

Analysis

max time kernel
185s
max time network
62s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Size

749KB
MD5

0fa0bc909e6d9e0bb7e698218d120876
SHA1

497f99755892941b0633f1d8832a148829181903
SHA256

e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b
SHA512

1b16a3b25265c58adf10791058dff9d70170dcf87e6a442d565c152f18546273551b26b961d02214223be8629f36094c41b6f1d6353c62b93dce71d6fa6d460b
SSDEEP

12288:l9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hZ56hyF:vZ1xuVVjfFoynPaVBUR8f+kN10EB0s

Score

10^/10

darkcomet hf evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

kwuized.no-ip.org:1337

Mutex

DC_MUTEX-QV66CVE

Attributes

InstallPath
java32\java.exe
gencode
5lCMhl74ZrH0
install
true
offline_keylogger
true
persistence
true
reg_key
java

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\java32\\java.exe"	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe

Executes dropped EXE 1 IoCs

pid	Process
468	java.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1804	attrib.exe
1488	attrib.exe

Loads dropped DLL 2 IoCs

pid	Process
1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\system32\\java32\\java.exe"	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Windows\\system32\\java32\\java.exe"	java.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\java32\java.exe	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
File opened for modification	C:\Windows\SysWOW64\java32\java.exe	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
File opened for modification	C:\Windows\SysWOW64\java32\	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
468	java.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeSecurityPrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeTakeOwnershipPrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeLoadDriverPrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeSystemProfilePrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeSystemtimePrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeProfSingleProcessPrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeIncBasePriorityPrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeCreatePagefilePrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeBackupPrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeRestorePrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeShutdownPrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeDebugPrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeSystemEnvironmentPrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeChangeNotifyPrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeRemoteShutdownPrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeUndockPrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeManageVolumePrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeImpersonatePrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeCreateGlobalPrivilege	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: 33	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: 34	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: 35	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
Token: SeIncreaseQuotaPrivilege	468	java.exe
Token: SeSecurityPrivilege	468	java.exe
Token: SeTakeOwnershipPrivilege	468	java.exe
Token: SeLoadDriverPrivilege	468	java.exe
Token: SeSystemProfilePrivilege	468	java.exe
Token: SeSystemtimePrivilege	468	java.exe
Token: SeProfSingleProcessPrivilege	468	java.exe
Token: SeIncBasePriorityPrivilege	468	java.exe
Token: SeCreatePagefilePrivilege	468	java.exe
Token: SeBackupPrivilege	468	java.exe
Token: SeRestorePrivilege	468	java.exe
Token: SeShutdownPrivilege	468	java.exe
Token: SeDebugPrivilege	468	java.exe
Token: SeSystemEnvironmentPrivilege	468	java.exe
Token: SeChangeNotifyPrivilege	468	java.exe
Token: SeRemoteShutdownPrivilege	468	java.exe
Token: SeUndockPrivilege	468	java.exe
Token: SeManageVolumePrivilege	468	java.exe
Token: SeImpersonatePrivilege	468	java.exe
Token: SeCreateGlobalPrivilege	468	java.exe
Token: 33	468	java.exe
Token: 34	468	java.exe
Token: 35	468	java.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
468	java.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 1496	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	28
PID 1004 wrote to memory of 1496	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	28
PID 1004 wrote to memory of 1496	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	28
PID 1004 wrote to memory of 1496	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	28
PID 1004 wrote to memory of 668	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	30
PID 1004 wrote to memory of 668	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	30
PID 1004 wrote to memory of 668	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	30
PID 1004 wrote to memory of 668	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	30
PID 1004 wrote to memory of 468	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	32
PID 1004 wrote to memory of 468	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	32
PID 1004 wrote to memory of 468	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	32
PID 1004 wrote to memory of 468	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	32
PID 1004 wrote to memory of 468	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	32
PID 1004 wrote to memory of 468	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	32
PID 1004 wrote to memory of 468	1004	e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe	32
PID 668 wrote to memory of 1804	668	cmd.exe	33
PID 668 wrote to memory of 1804	668	cmd.exe	33
PID 668 wrote to memory of 1804	668	cmd.exe	33
PID 668 wrote to memory of 1804	668	cmd.exe	33
PID 1496 wrote to memory of 1488	1496	cmd.exe	34
PID 1496 wrote to memory of 1488	1496	cmd.exe	34
PID 1496 wrote to memory of 1488	1496	cmd.exe	34
PID 1496 wrote to memory of 1488	1496	cmd.exe	34
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35
PID 468 wrote to memory of 1484	468	java.exe	35

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1804	attrib.exe
1488	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe
"C:\Users\Admin\AppData\Local\Temp\e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1804
- C:\Windows\SysWOW64\java32\java.exe
  "C:\Windows\system32\java32\java.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\java32\java.exe

Filesize
749KB

MD5
0fa0bc909e6d9e0bb7e698218d120876

SHA1
497f99755892941b0633f1d8832a148829181903

SHA256
e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b

SHA512
1b16a3b25265c58adf10791058dff9d70170dcf87e6a442d565c152f18546273551b26b961d02214223be8629f36094c41b6f1d6353c62b93dce71d6fa6d460b

Download Submit
C:\Windows\SysWOW64\java32\java.exe

Filesize
749KB

MD5
0fa0bc909e6d9e0bb7e698218d120876

SHA1
497f99755892941b0633f1d8832a148829181903

SHA256
e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b

SHA512
1b16a3b25265c58adf10791058dff9d70170dcf87e6a442d565c152f18546273551b26b961d02214223be8629f36094c41b6f1d6353c62b93dce71d6fa6d460b

Download Submit
\Windows\SysWOW64\java32\java.exe

Filesize
749KB

MD5
0fa0bc909e6d9e0bb7e698218d120876

SHA1
497f99755892941b0633f1d8832a148829181903

SHA256
e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b

SHA512
1b16a3b25265c58adf10791058dff9d70170dcf87e6a442d565c152f18546273551b26b961d02214223be8629f36094c41b6f1d6353c62b93dce71d6fa6d460b

Download Submit
\Windows\SysWOW64\java32\java.exe

Filesize
749KB

MD5
0fa0bc909e6d9e0bb7e698218d120876

SHA1
497f99755892941b0633f1d8832a148829181903

SHA256
e7d43bebb030cbad0b3bb78b3da502427030ef6daa39a888851d93bbc5015c2b

SHA512
1b16a3b25265c58adf10791058dff9d70170dcf87e6a442d565c152f18546273551b26b961d02214223be8629f36094c41b6f1d6353c62b93dce71d6fa6d460b

Download Submit
memory/1004-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads