darkcomet | 6ff88fc070118d3dbffb5c1b7cf3a328d1d82f741418038d974f4406d8c1a93b

General

Target

9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Size

821KB
MD5

49f227f4711ee473da73cefa669d6e0e
SHA1

5af5186ee656020ee301c48dd92b9720d3ccf4ad
SHA256

9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e
SHA512

63abcd3ef56ecfa80fed804c7993a0e54ab9d0fdf7bd15c5379f6e16ccd56f230edcb0d6c559cd837a892ff50b4944aaaec9bf95a253460352dbb14fbbb7249f
SSDEEP

12288:TFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJ:h3nbWmJVJFwSddIXvfhqbiaxvRxq9

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\windupdt\\winupdate.exe"	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\windupdt\\winupdate.exe"	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1500 1308 WerFault.exe 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe

pid	pid_target	process	target process
1500	1308	WerFault.exe	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeSecurityPrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeTakeOwnershipPrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeLoadDriverPrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeSystemProfilePrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeSystemtimePrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeProfSingleProcessPrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeIncBasePriorityPrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeCreatePagefilePrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeBackupPrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeRestorePrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeShutdownPrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeDebugPrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeSystemEnvironmentPrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeChangeNotifyPrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeRemoteShutdownPrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeUndockPrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeManageVolumePrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeImpersonatePrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: SeCreateGlobalPrivilege	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: 33	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: 34	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Token: 35	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe

description	pid	process	target process
PID 1308 wrote to memory of 584	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe	cmd.exe
PID 1308 wrote to memory of 584	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe	cmd.exe
PID 1308 wrote to memory of 584	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe	cmd.exe
PID 1308 wrote to memory of 584	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe	cmd.exe
PID 1308 wrote to memory of 1500	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe	WerFault.exe
PID 1308 wrote to memory of 1500	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe	WerFault.exe
PID 1308 wrote to memory of 1500	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe	WerFault.exe
PID 1308 wrote to memory of 1500	1308	9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
"C:\Users\Admin\AppData\Local\Temp\9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
2⤵
PID:584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 624
2⤵
- Program crash
PID:1500

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
119B

MD5
3e8ac0bd466eee9c57c75a47a9e2ecaf

SHA1
9e989f33e24b591c896ac7abdf455282744c89ee

SHA256
b4b8bca723141caee872820a83aa75d4cb2d8056a59d4fff3e3363bd2922140a

SHA512
399aec5f1f256d734bf2a487d3fc3c6799388d9de4ba6ee9f32f76c28d40e1dcd5ca46b9bd9e0052b847a86d452a6b1f2ef7673bc5703c8d5aac02c1b1959896

Download Submit
memory/1308-65-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1308-66-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads