darkcomet | ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d

General

Target

ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Size

1.5MB
MD5

1d06209309e0b8f18e3d769d21728591
SHA1

e02024506c73a4487cfa4cd209c7f07346ce2c58
SHA256

ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d
SHA512

575e02ba1633b5ba30a9387dd63d0e7737ec41a6f619a4d5fb7794e85660f522e2867d1ca6ec790eb7fdaed3ee9fcde7ce68931fd01011ce12051ce11747cfa3
SSDEEP

24576:YRmYkcoQricOIrxiZY1iapYfP7wKaHnCMjORymu7Xmg7FT2b8:dYZoQrbT8ZY1iapMP16zt2g7FaY

Score

10^/10

darkcomet hb persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

HB

C2

ridingdark.no-ip.biz:1337

Mutex

DC_MUTEX-L7FRRW9

Attributes

gencode
5BpKzfGArBf6
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\839011 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\839011\\svhost.exe"	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\f:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\l:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\m:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\u:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\i:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\n:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\o:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\r:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\b:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\g:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\h:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\p:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\t:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\w:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\x:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\y:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\z:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\e:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\j:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\k:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\q:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\s:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
File opened (read-only)	\??\v:	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2884 set thread context of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeSecurityPrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeTakeOwnershipPrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeLoadDriverPrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeSystemProfilePrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeSystemtimePrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeProfSingleProcessPrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeIncBasePriorityPrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeCreatePagefilePrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeBackupPrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeRestorePrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeShutdownPrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeDebugPrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeSystemEnvironmentPrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeChangeNotifyPrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeRemoteShutdownPrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeUndockPrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeManageVolumePrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeImpersonatePrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: SeCreateGlobalPrivilege	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: 33	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: 34	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: 35	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
Token: 36	1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1020	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80
PID 2884 wrote to memory of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80
PID 2884 wrote to memory of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80
PID 2884 wrote to memory of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80
PID 2884 wrote to memory of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80
PID 2884 wrote to memory of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80
PID 2884 wrote to memory of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80
PID 2884 wrote to memory of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80
PID 2884 wrote to memory of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80
PID 2884 wrote to memory of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80
PID 2884 wrote to memory of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80
PID 2884 wrote to memory of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80
PID 2884 wrote to memory of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80
PID 2884 wrote to memory of 1020	2884	ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe	80

C:\Users\Admin\AppData\Local\Temp\ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
"C:\Users\Admin\AppData\Local\Temp\ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe
  "C:\Users\Admin\AppData\Local\Temp\ba27ee9e692a97b1d58f6aa006072349040cc3fc39aed79bc8998c3c524d5c2d.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1020-134-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-133-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-135-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-136-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing