darkcomet | 0d6e873aa8faee0a896e6ac7679a216585933bc29bdd2c1bc006ce56a6e86818

Analysis

max time kernel
0s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/Blackkomet.exe
Size

756KB
MD5

c7dcd585b7e8b046f209052bcd6dd84b
SHA1

604dcfae9eed4f65c80a4a39454db409291e08fa
SHA256

0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
SHA512

c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
SSDEEP

12288:XOANXryu1S69QwWBIlVi4o858nFBKgmvtOwUATgDQ3:eANOCS6qwWB0V5o8mnqvtrdgDQ3

Score

10^/10

darkcomet evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Blackkomet.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe

Sets file to hidden 1 TTPs 4 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
2484	attrib.exe
2616	attrib.exe
2636	attrib.exe
2640	attrib.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Blackkomet.exenotepad.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	notepad.exe

Drops file in System32 directory 4 IoCs

Processes:

Blackkomet.exenotepad.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	notepad.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

Blackkomet.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2904	Blackkomet.exe
Token: SeSecurityPrivilege	2904	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	2904	Blackkomet.exe
Token: SeLoadDriverPrivilege	2904	Blackkomet.exe
Token: SeSystemProfilePrivilege	2904	Blackkomet.exe
Token: SeSystemtimePrivilege	2904	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	2904	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	2904	Blackkomet.exe
Token: SeCreatePagefilePrivilege	2904	Blackkomet.exe
Token: SeBackupPrivilege	2904	Blackkomet.exe
Token: SeRestorePrivilege	2904	Blackkomet.exe
Token: SeShutdownPrivilege	2904	Blackkomet.exe
Token: SeDebugPrivilege	2904	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	2904	Blackkomet.exe
Token: SeChangeNotifyPrivilege	2904	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	2904	Blackkomet.exe
Token: SeUndockPrivilege	2904	Blackkomet.exe
Token: SeManageVolumePrivilege	2904	Blackkomet.exe
Token: SeImpersonatePrivilege	2904	Blackkomet.exe
Token: SeCreateGlobalPrivilege	2904	Blackkomet.exe
Token: 33	2904	Blackkomet.exe
Token: 34	2904	Blackkomet.exe
Token: 35	2904	Blackkomet.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Blackkomet.exe

description	pid	Process	procid_target
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 1076	2904	Blackkomet.exe	28
PID 2904 wrote to memory of 2636	2904	Blackkomet.exe	29
PID 2904 wrote to memory of 2636	2904	Blackkomet.exe	29
PID 2904 wrote to memory of 2636	2904	Blackkomet.exe	29
PID 2904 wrote to memory of 2636	2904	Blackkomet.exe	29
PID 2904 wrote to memory of 2640	2904	Blackkomet.exe	30
PID 2904 wrote to memory of 2640	2904	Blackkomet.exe	30
PID 2904 wrote to memory of 2640	2904	Blackkomet.exe	30
PID 2904 wrote to memory of 2640	2904	Blackkomet.exe	30

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
2640	attrib.exe
2484	attrib.exe
2616	attrib.exe
2636	attrib.exe

C:\Users\Admin\AppData\Local\Temp\RAT\Blackkomet.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\Blackkomet.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:1076
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\AppData\Local\Temp\RAT\Blackkomet.exe" +s +h
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2636
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\AppData\Local\Temp\RAT" +s +h
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2640
- C:\Windows\SysWOW64\Windupdt\winupdate.exe
  "C:\Windows\system32\Windupdt\winupdate.exe"
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2484
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2616
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    PID:2232
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:1292
- - C:\Windows\SysWOW64\notepad.exe
    C:\Windows\SysWOW64\notepad.exe
    3⤵
    PID:1564
- C:\Windows\SysWOW64\notepad.exe
  C:\Windows\SysWOW64\notepad.exe
  2⤵
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
704KB

MD5
d1888f015d3ca1387f9c9ddb3704ba26

SHA1
a2957ddf608928114a688cf38693ae844ae91c33

SHA256
ab18412ca757abca015a82c03a4aca03d144ce503ba4ad82981f11dd4ccae9e2

SHA512
9c9da1d33068f1a3bfbd862bf457221776f1f19b06aa9bd914f6c67fddfce09b9fbc373aea545276de98d0df2798654e8e0d64e5ff09559ea6f8da98bb95cbbb

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
628KB

MD5
73b8dac93c63753eaf7a635460b8d162

SHA1
f07d6b2a08d3ccb5fbe1960c3f51eba4c898eb69

SHA256
dc98dbfd5f76079fa104799405327177938c240f16c7d7260ebc2d6ebd2fee77

SHA512
9b41bde99f6e5d55ae77fef30da3438872c149625eee117466ff13072cd0ede756a5465a36731049899a7f32c99660f4b4761c7e1cbf0f0735beb2dfe3570ed4

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
576KB

MD5
4b5be015f22ec87ae75a35d487d4969a

SHA1
01248b2b39ae8f6668466aee58fd091ae4470c7d

SHA256
d71c7466dc5f7b8794085f65d36e425fbc6e6ba857f418b4dc6fef8b4d64a517

SHA512
a98ceeae8d83a70d806ea68732f0d0156e2e862cf95d6cdfbd8de0a4efb5d355dc24459b32356adcc8cf5777c23649b7fab8ee236ddf075626476c335597ed61

Download Submit
\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
640KB

MD5
eadfd323717e6cd21d95fe000adbe370

SHA1
d24d199cca51d08e58592341feef765073fbb530

SHA256
8f564cfadcaf83137468e61cd6280e48813c716c4905535706ab9c99d2ee1ccb

SHA512
b36e4208a3a045b643d56ec2a4f84ea03f1d256016edb1263285587f907bbf6e28ceb7524b15e2c90f3300bcd663e8a78e0f3810cdf595d42eb87f1bde6e3235

Download Submit
memory/1076-2-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1076-30-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2904-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download