darkcomet | 27dc3db12cc3ab888b6603b1030fde1980d371a4c5c51f66ac0c0c8b3df8e57e

General

Target

3cffc7f6b4348cb2dfa4c853f46d974c.exe
Size

950KB
MD5

3cffc7f6b4348cb2dfa4c853f46d974c
SHA1

6cb57a4bd75bbea231b52ea57d19dff657a74131
SHA256

27dc3db12cc3ab888b6603b1030fde1980d371a4c5c51f66ac0c0c8b3df8e57e
SHA512

2284a38e26298150b2ee0d769e9bee2e4776842f853b0b5fd6a165531d88c33d7fc16d44a6448e693b06e41b21136471964af8ac8f045306ee9e2222c7ce9adf
SSDEEP

24576:5cwSVhrNLH609ntlQAHiBKeJlJWNvk4kt434mt:IJhhpo+vkhb+

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\Java\\jusched.exe"	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
1240	jusched.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jusched = "C:\\Users\\Admin\\Documents\\Java\\jusched.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3568 set thread context of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4344	vbc.exe
Token: SeSecurityPrivilege	4344	vbc.exe
Token: SeTakeOwnershipPrivilege	4344	vbc.exe
Token: SeLoadDriverPrivilege	4344	vbc.exe
Token: SeSystemProfilePrivilege	4344	vbc.exe
Token: SeSystemtimePrivilege	4344	vbc.exe
Token: SeProfSingleProcessPrivilege	4344	vbc.exe
Token: SeIncBasePriorityPrivilege	4344	vbc.exe
Token: SeCreatePagefilePrivilege	4344	vbc.exe
Token: SeBackupPrivilege	4344	vbc.exe
Token: SeRestorePrivilege	4344	vbc.exe
Token: SeShutdownPrivilege	4344	vbc.exe
Token: SeDebugPrivilege	4344	vbc.exe
Token: SeSystemEnvironmentPrivilege	4344	vbc.exe
Token: SeChangeNotifyPrivilege	4344	vbc.exe
Token: SeRemoteShutdownPrivilege	4344	vbc.exe
Token: SeUndockPrivilege	4344	vbc.exe
Token: SeManageVolumePrivilege	4344	vbc.exe
Token: SeImpersonatePrivilege	4344	vbc.exe
Token: SeCreateGlobalPrivilege	4344	vbc.exe
Token: 33	4344	vbc.exe
Token: 34	4344	vbc.exe
Token: 35	4344	vbc.exe
Token: 36	4344	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24
PID 3568 wrote to memory of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24
PID 3568 wrote to memory of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24
PID 3568 wrote to memory of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24
PID 3568 wrote to memory of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24
PID 3568 wrote to memory of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24
PID 3568 wrote to memory of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24
PID 3568 wrote to memory of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24
PID 3568 wrote to memory of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24
PID 3568 wrote to memory of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24
PID 3568 wrote to memory of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24
PID 3568 wrote to memory of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24
PID 3568 wrote to memory of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24
PID 3568 wrote to memory of 4344	3568	3cffc7f6b4348cb2dfa4c853f46d974c.exe	24
PID 4344 wrote to memory of 1240	4344	vbc.exe	37
PID 4344 wrote to memory of 1240	4344	vbc.exe	37
PID 4344 wrote to memory of 1240	4344	vbc.exe	37

C:\Users\Admin\AppData\Local\Temp\3cffc7f6b4348cb2dfa4c853f46d974c.exe
"C:\Users\Admin\AppData\Local\Temp\3cffc7f6b4348cb2dfa4c853f46d974c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\Documents\Java\jusched.exe
    "C:\Users\Admin\Documents\Java\jusched.exe"
    3⤵
    - Executes dropped EXE
    PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Java\jusched.exe

Filesize
32KB

MD5
50a915722200ecbadfaf9a1cff586694

SHA1
40120d5fa1ce932562e905a1aeef772c4d839455

SHA256
0db368599932dfba2a3c10a37acb4122cdbf88fa8f15fec252954c51187229e5

SHA512
3eece77e747881cb9573ef3bad5a0ae55bcf950da802ece732d823efe025256f4b83692ca5784c54d3ff419d429a22ed5bbd2796b66b108f102bc6c3fe6ebf2f

Download Submit
C:\Users\Admin\Documents\Java\jusched.exe

Filesize
92KB

MD5
9b801e44bbf63dafca93f850a9d9d51e

SHA1
6b3415f645d35810333bdf66182433ba91bf3224

SHA256
29eb6bf28d74d11f3ee25f8bacb42ffa4dff12762af46cf0398a0eb5f606e768

SHA512
acd30db7236bb74d1114366ba1b1bba036a6f6c59b89dc77bcd52447286c2e192acabe2ad1d871696690d3af7e308216fa42f552403b72992b5151084d5b387e

Download Submit
memory/3568-2-0x0000000001350000-0x0000000001360000-memory.dmp

Filesize
64KB

Download
memory/3568-1-0x0000000074600000-0x0000000074BB1000-memory.dmp

Filesize
5.7MB

Download
memory/3568-0-0x0000000074600000-0x0000000074BB1000-memory.dmp

Filesize
5.7MB

Download
memory/3568-8-0x0000000074600000-0x0000000074BB1000-memory.dmp

Filesize
5.7MB

Download
memory/4344-3-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4344-7-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4344-6-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4344-69-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4344-9-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/4344-4-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads