darkcomet | ad10bd209a0400769c98b80be60c4eb4962731830d374e7f76ba3455d92c7e67

Analysis

max time kernel
144s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 04:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a0e9c48de4b99b90d67b003e9e159447.exe
Size

1.2MB
MD5

a0e9c48de4b99b90d67b003e9e159447
SHA1

b2d59745cdf8b1aa44e46f8ae0857aca4dfb4368
SHA256

ad10bd209a0400769c98b80be60c4eb4962731830d374e7f76ba3455d92c7e67
SHA512

3c6a5cb1b53dbc504f8f49aedd44daa5d9b167072b4dce8ad0a970255d9648e8e0d1b59721fec93c7fec34544aa4b770834309c0dc287f4dd6e94dc945da0b8f
SSDEEP

12288:SF1bx4wVjyTavQOtx7dFXrrnYvIGIFyhLFbSl/WnLqIioAneMnFuCwvbHODHxfuK:SRyG9hdBGol/WOdpruIQIWAGSTDCNM3

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	vbc.exe

Deletes itself 1 IoCs

pid	Process
2580	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1636	vbc.exe
2464	winupdate.exe
2556	vbc.exe

Loads dropped DLL 8 IoCs

pid	Process
756	a0e9c48de4b99b90d67b003e9e159447.exe
1636	vbc.exe
2464	winupdate.exe
2464	winupdate.exe
2464	winupdate.exe
2464	winupdate.exe
2556	vbc.exe
2556	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 756 set thread context of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 2464 set thread context of 2556	2464	winupdate.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1452	PING.EXE

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1636	vbc.exe
Token: SeSecurityPrivilege	1636	vbc.exe
Token: SeTakeOwnershipPrivilege	1636	vbc.exe
Token: SeLoadDriverPrivilege	1636	vbc.exe
Token: SeSystemProfilePrivilege	1636	vbc.exe
Token: SeSystemtimePrivilege	1636	vbc.exe
Token: SeProfSingleProcessPrivilege	1636	vbc.exe
Token: SeIncBasePriorityPrivilege	1636	vbc.exe
Token: SeCreatePagefilePrivilege	1636	vbc.exe
Token: SeBackupPrivilege	1636	vbc.exe
Token: SeRestorePrivilege	1636	vbc.exe
Token: SeShutdownPrivilege	1636	vbc.exe
Token: SeDebugPrivilege	1636	vbc.exe
Token: SeSystemEnvironmentPrivilege	1636	vbc.exe
Token: SeChangeNotifyPrivilege	1636	vbc.exe
Token: SeRemoteShutdownPrivilege	1636	vbc.exe
Token: SeUndockPrivilege	1636	vbc.exe
Token: SeManageVolumePrivilege	1636	vbc.exe
Token: SeImpersonatePrivilege	1636	vbc.exe
Token: SeCreateGlobalPrivilege	1636	vbc.exe
Token: 33	1636	vbc.exe
Token: 34	1636	vbc.exe
Token: 35	1636	vbc.exe
Token: SeIncreaseQuotaPrivilege	2556	vbc.exe
Token: SeSecurityPrivilege	2556	vbc.exe
Token: SeTakeOwnershipPrivilege	2556	vbc.exe
Token: SeLoadDriverPrivilege	2556	vbc.exe
Token: SeSystemProfilePrivilege	2556	vbc.exe
Token: SeSystemtimePrivilege	2556	vbc.exe
Token: SeProfSingleProcessPrivilege	2556	vbc.exe
Token: SeIncBasePriorityPrivilege	2556	vbc.exe
Token: SeCreatePagefilePrivilege	2556	vbc.exe
Token: SeBackupPrivilege	2556	vbc.exe
Token: SeRestorePrivilege	2556	vbc.exe
Token: SeShutdownPrivilege	2556	vbc.exe
Token: SeDebugPrivilege	2556	vbc.exe
Token: SeSystemEnvironmentPrivilege	2556	vbc.exe
Token: SeChangeNotifyPrivilege	2556	vbc.exe
Token: SeRemoteShutdownPrivilege	2556	vbc.exe
Token: SeUndockPrivilege	2556	vbc.exe
Token: SeManageVolumePrivilege	2556	vbc.exe
Token: SeImpersonatePrivilege	2556	vbc.exe
Token: SeCreateGlobalPrivilege	2556	vbc.exe
Token: 33	2556	vbc.exe
Token: 34	2556	vbc.exe
Token: 35	2556	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2556	vbc.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 756 wrote to memory of 1636	756	a0e9c48de4b99b90d67b003e9e159447.exe	28
PID 1636 wrote to memory of 2464	1636	vbc.exe	33
PID 1636 wrote to memory of 2464	1636	vbc.exe	33
PID 1636 wrote to memory of 2464	1636	vbc.exe	33
PID 1636 wrote to memory of 2464	1636	vbc.exe	33
PID 1636 wrote to memory of 2464	1636	vbc.exe	33
PID 1636 wrote to memory of 2464	1636	vbc.exe	33
PID 1636 wrote to memory of 2464	1636	vbc.exe	33
PID 1636 wrote to memory of 2580	1636	vbc.exe	32
PID 1636 wrote to memory of 2580	1636	vbc.exe	32
PID 1636 wrote to memory of 2580	1636	vbc.exe	32
PID 1636 wrote to memory of 2580	1636	vbc.exe	32
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2580 wrote to memory of 1452	2580	cmd.exe	29
PID 2580 wrote to memory of 1452	2580	cmd.exe	29
PID 2580 wrote to memory of 1452	2580	cmd.exe	29
PID 2580 wrote to memory of 1452	2580	cmd.exe	29
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31
PID 2464 wrote to memory of 2556	2464	winupdate.exe	31

C:\Users\Admin\AppData\Local\Temp\a0e9c48de4b99b90d67b003e9e159447.exe
"C:\Users\Admin\AppData\Local\Temp\a0e9c48de4b99b90d67b003e9e159447.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\a0e9c48de4b99b90d67b003e9e159447.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2580
- - C:\Windupdt\winupdate.exe
    "C:\Windupdt\winupdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2464

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
1⤵
- Runs ping.exe
PID:1452

C:\Users\Admin\AppData\Local\Temp\vbc.exe
C:\Users\Admin\AppData\Local\Temp\vbc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
64KB

MD5
fad38e27c34fe8326760d0a671c90df6

SHA1
69704cd33db8fa242e41af632e7a4da46497e40d

SHA256
9fc9dd394fb27ddab47e22dbbc76b0a644043ad9a818fb4f339134c429cae394

SHA512
818a6833e1a57cd54e325a344cf1719311009853b506475eb319be951c56cbe5b9193446b3d8e59b6fd41d2bd37ee196bbeb08dba4b2980e727d2dcbc9e0f1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
704KB

MD5
0976f2ca37196e8541e5244f0d0cf5a1

SHA1
ad103a93d9428c082624a44cde505d8c94d87a26

SHA256
8be138c97a705884740cd2e8077b9f6ec5b9dab6b37643d04a122f0856100a8f

SHA512
53f6d0e2391952fb60a9ea061893fa85a8f6ca8b07fc5546f2643e83edc5e0ebf3d6266b0ee770f35ed1371d90bdafa0845b09c631c018a5202b29502aa20a18

Download Submit
C:\Windupdt\winupdate.exe

Filesize
1.2MB

MD5
a0e9c48de4b99b90d67b003e9e159447

SHA1
b2d59745cdf8b1aa44e46f8ae0857aca4dfb4368

SHA256
ad10bd209a0400769c98b80be60c4eb4962731830d374e7f76ba3455d92c7e67

SHA512
3c6a5cb1b53dbc504f8f49aedd44daa5d9b167072b4dce8ad0a970255d9648e8e0d1b59721fec93c7fec34544aa4b770834309c0dc287f4dd6e94dc945da0b8f

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
5ff2482aaf89a0abae4bbc81d3472568

SHA1
39b9ccc060292cf4968e5154d8e6c7ec0c5b9596

SHA256
1489b71d830b774f0edf3e8d4422018c107e4505bbf7e71d199e42709ab45162

SHA512
87471d6f0f3503d064ceb5cf7df6d1ac0a24c537eed2b850eb2e48388253ebc11f2b05fbf77aa6328fcb9c07a3765489d2c0681e6a829f547e711195094f525f

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1004KB

MD5
fe6e8f9736bade905e66447436520126

SHA1
742bb436bc2c22df57948b6919d483435821adc1

SHA256
c9cf89a758ef4b6efd2ac2d60dcae59c2f781b9689b73dc803721980785204ed

SHA512
f9fc7f179c574b9057456bffb3ee79db94d5a616a35cae1f1c45ffb2de9a91edc876bb7ea8484a3923137c1169e8928e51589c9e7cef72880c971d2ad68294e8

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Windupdt\winupdate.exe

Filesize
819KB

MD5
d13a77ebead844bcbcdf7b4623b83630

SHA1
20a775519e6eb7ccab6ff7099b1c5c329454ee29

SHA256
5b23a90796158c1ac01a17ec35a395f34dabe27617fe759d77b594d9ab27d55b

SHA512
2dfeb7cd3494439922a91033c314977e7997e7755b4e0ceb526a5e9571a37893eb6796c8f3bb3c0a3920c9bdd215e27cb03e293c09246234e4c87ce37b41defe

Download Submit
\Windupdt\winupdate.exe

Filesize
775KB

MD5
4d7d2d8248e5d5b317067aceeb969a80

SHA1
4d07db171f84dff1469efb5d723ed8ce722d7884

SHA256
0b4c2ede50b8a3f2edcc7a56d35d43d6f669b7e3e88327566a2477e71415c713

SHA512
59db8335883131e1ddb5122af7fbac62f7735100e46130683a0151aa5fb68c3f45c538c7aa711ee70c60dde90af38a1b10eb27c5f8f9eb01c92478a742510255

Download Submit
\Windupdt\winupdate.exe

Filesize
760KB

MD5
314c5e16e371ba1c762eecb3fd657d62

SHA1
fdd60c9406b7bc3dd6bea3d18ddd735f8a51457e

SHA256
cd8f901783c414ddc4717a2de27e261f707708884b23ab943d7f1a418cf66cb6

SHA512
a68e6ab2ef10acd6ce5cfcf8c6570b91060552d4e1d7516537fdafb8c6243e7c7749e91636be7590c965390bbf2d14884d6f6ce9f382a41ec7199623f18f3cd0

Download Submit
memory/756-33-0x0000000074960000-0x0000000074F0B000-memory.dmp

Filesize
5.7MB

Download
memory/756-2-0x0000000002030000-0x0000000002070000-memory.dmp

Filesize
256KB

Download
memory/756-0-0x0000000074960000-0x0000000074F0B000-memory.dmp

Filesize
5.7MB

Download
memory/756-1-0x0000000074960000-0x0000000074F0B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-21-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1636-11-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1636-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1636-32-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1636-28-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1636-34-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1636-35-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1636-36-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1636-25-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1636-19-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1636-7-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1636-48-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1636-17-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1636-15-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1636-13-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1636-27-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/1636-9-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2464-53-0x0000000072980000-0x0000000072F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2464-60-0x0000000072980000-0x0000000072F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2464-85-0x0000000072980000-0x0000000072F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2556-86-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2556-83-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2556-78-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2556-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2556-84-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2556-87-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2556-88-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2556-89-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2556-90-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2556-91-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads