darkcomet | 4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248

General

Target

4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Size

720KB
MD5

f5ec22b04ff24ba717ef4f7c567f8e52
SHA1

51bd7372c4f9d1b90f43d0f5d1d080bda770d043
SHA256

4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248
SHA512

0e5f67c8f45cf5c304fb7fc1601174a036d86fde6fdfee7d0efd2616d690fc6bd7fbafcd64ba749c9fe874eb31235bb161b9fd02bb63c550e0cd090f25ce9512
SSDEEP

12288:jrgXPhw9xGblYKJPa2dILqneS4+oVOcb9hd8qOFINneXFXgIv5VhmkQWNMf:4XOu9HIL9XOcb9hdNOFINeXb00Ne

Score

10^/10

darkcomet silk persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

silk

C2

chinahacking.zapto.org:1509

Mutex

DC_MUTEX-KGBE2JX

Attributes

gencode
BqtloSbbcP1S
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 1 IoCs

pid	Process
1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\InstallDir\\help.exe"	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2808 set thread context of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeSecurityPrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeTakeOwnershipPrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeLoadDriverPrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeSystemProfilePrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeSystemtimePrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeProfSingleProcessPrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeIncBasePriorityPrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeCreatePagefilePrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeBackupPrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeRestorePrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeShutdownPrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeDebugPrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeSystemEnvironmentPrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeChangeNotifyPrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeRemoteShutdownPrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeUndockPrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeManageVolumePrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeImpersonatePrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: SeCreateGlobalPrivilege	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: 33	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: 34	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: 35	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
Token: 36	1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1296	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 864	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	82
PID 2808 wrote to memory of 864	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	82
PID 2808 wrote to memory of 864	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	82
PID 2808 wrote to memory of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83
PID 2808 wrote to memory of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83
PID 2808 wrote to memory of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83
PID 2808 wrote to memory of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83
PID 2808 wrote to memory of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83
PID 2808 wrote to memory of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83
PID 2808 wrote to memory of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83
PID 2808 wrote to memory of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83
PID 2808 wrote to memory of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83
PID 2808 wrote to memory of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83
PID 2808 wrote to memory of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83
PID 2808 wrote to memory of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83
PID 2808 wrote to memory of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83
PID 2808 wrote to memory of 1296	2808	4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe	83
PID 864 wrote to memory of 1520	864	cmd.exe	85
PID 864 wrote to memory of 1520	864	cmd.exe	85
PID 864 wrote to memory of 1520	864	cmd.exe	85
PID 1520 wrote to memory of 1036	1520	net.exe	86
PID 1520 wrote to memory of 1036	1520	net.exe	86
PID 1520 wrote to memory of 1036	1520	net.exe	86

C:\Users\Admin\AppData\Local\Temp\4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
"C:\Users\Admin\AppData\Local\Temp\4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\cmd.exe
  /c net stop MpsSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:1036
- C:\Users\Admin\AppData\Local\Temp\4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
  C:\Users\Admin\AppData\Local\Temp\4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248.exe

Filesize
720KB

MD5
f5ec22b04ff24ba717ef4f7c567f8e52

SHA1
51bd7372c4f9d1b90f43d0f5d1d080bda770d043

SHA256
4a798faf015bbbc263a0de880c66c5ddd858d9daa75876474cea18ca8ed3c248

SHA512
0e5f67c8f45cf5c304fb7fc1601174a036d86fde6fdfee7d0efd2616d690fc6bd7fbafcd64ba749c9fe874eb31235bb161b9fd02bb63c550e0cd090f25ce9512

Download Submit
memory/1296-135-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1296-137-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1296-138-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1296-141-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1296-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2808-132-0x0000000000650000-0x0000000000654000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing