darkcomet | 427f8b826a8cc9e9059fcd956636a37a6aab8a3162b1ad1a3cc24752f6e8f351

General

Target

ce6de8599b565fddf67ee026ee4bc285.exe
Size

232KB
MD5

ce6de8599b565fddf67ee026ee4bc285
SHA1

a6045faafaecb660b65d45759b13a38ea2a7ce23
SHA256

427f8b826a8cc9e9059fcd956636a37a6aab8a3162b1ad1a3cc24752f6e8f351
SHA512

192e3ce197a090904d5e3838eb411e38097c20d5d7efbc6d055140fcc88e0a4cef78293e8c1c9c8abaeec55f075e17456e7607b7eaad1ed3b87866aa648d2a71
SSDEEP

3072:SNztnBlBp9ALvNKMKWqXs8NqU+xwDbUe2WpZJmXHB8zrYqHphTfBsbOEU0+rDGLh:SNJfRAzNK5W/1WRmR4r7JhuyE8wPQ

Score

10^/10

darkcomet latentbot guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

trackingservice.zapto.org:1604

Mutex

DC_MUTEX-Q0QBNJA

Attributes

InstallPath
Windupdt\winupdate.exe
gencode
ujn2qDPvmCGP
install
true
offline_keylogger
true
persistence
true
reg_key
winupdater

Extracted

Family

latentbot

C2

trackingservice.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ce6de8599b565fddf67ee026ee4bc285.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	ce6de8599b565fddf67ee026ee4bc285.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

winupdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winupdate.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winupdate.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	winupdate.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

winupdate.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winupdate.exe

Executes dropped EXE 1 IoCs

Processes:

winupdate.exe

pid process

2028 winupdate.exe
Loads dropped DLL 4 IoCs

Processes:

ce6de8599b565fddf67ee026ee4bc285.exewinupdate.exe

pid process

2484 ce6de8599b565fddf67ee026ee4bc285.exe
2028 winupdate.exe
2028 winupdate.exe
2028 winupdate.exe

pid	process
2028	winupdate.exe

pid	process
2484	ce6de8599b565fddf67ee026ee4bc285.exe
2028	winupdate.exe
2028	winupdate.exe
2028	winupdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ce6de8599b565fddf67ee026ee4bc285.exewinupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	ce6de8599b565fddf67ee026ee4bc285.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	winupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

ce6de8599b565fddf67ee026ee4bc285.exewinupdate.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeSecurityPrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeTakeOwnershipPrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeLoadDriverPrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeSystemProfilePrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeSystemtimePrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeProfSingleProcessPrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeIncBasePriorityPrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeCreatePagefilePrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeBackupPrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeRestorePrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeShutdownPrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeDebugPrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeSystemEnvironmentPrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeChangeNotifyPrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeRemoteShutdownPrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeUndockPrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeManageVolumePrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeImpersonatePrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeCreateGlobalPrivilege	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: 33	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: 34	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: 35	2484	ce6de8599b565fddf67ee026ee4bc285.exe
Token: SeIncreaseQuotaPrivilege	2028	winupdate.exe
Token: SeSecurityPrivilege	2028	winupdate.exe
Token: SeTakeOwnershipPrivilege	2028	winupdate.exe
Token: SeLoadDriverPrivilege	2028	winupdate.exe
Token: SeSystemProfilePrivilege	2028	winupdate.exe
Token: SeSystemtimePrivilege	2028	winupdate.exe
Token: SeProfSingleProcessPrivilege	2028	winupdate.exe
Token: SeIncBasePriorityPrivilege	2028	winupdate.exe
Token: SeCreatePagefilePrivilege	2028	winupdate.exe
Token: SeBackupPrivilege	2028	winupdate.exe
Token: SeRestorePrivilege	2028	winupdate.exe
Token: SeShutdownPrivilege	2028	winupdate.exe
Token: SeDebugPrivilege	2028	winupdate.exe
Token: SeSystemEnvironmentPrivilege	2028	winupdate.exe
Token: SeChangeNotifyPrivilege	2028	winupdate.exe
Token: SeRemoteShutdownPrivilege	2028	winupdate.exe
Token: SeUndockPrivilege	2028	winupdate.exe
Token: SeManageVolumePrivilege	2028	winupdate.exe
Token: SeImpersonatePrivilege	2028	winupdate.exe
Token: SeCreateGlobalPrivilege	2028	winupdate.exe
Token: 33	2028	winupdate.exe
Token: 34	2028	winupdate.exe
Token: 35	2028	winupdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

winupdate.exe

pid process

2028 winupdate.exe

pid	process
2028	winupdate.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ce6de8599b565fddf67ee026ee4bc285.exewinupdate.exe

description	pid	process	target process
PID 2484 wrote to memory of 2028	2484	ce6de8599b565fddf67ee026ee4bc285.exe	winupdate.exe
PID 2484 wrote to memory of 2028	2484	ce6de8599b565fddf67ee026ee4bc285.exe	winupdate.exe
PID 2484 wrote to memory of 2028	2484	ce6de8599b565fddf67ee026ee4bc285.exe	winupdate.exe
PID 2484 wrote to memory of 2028	2484	ce6de8599b565fddf67ee026ee4bc285.exe	winupdate.exe
PID 2484 wrote to memory of 2028	2484	ce6de8599b565fddf67ee026ee4bc285.exe	winupdate.exe
PID 2484 wrote to memory of 2028	2484	ce6de8599b565fddf67ee026ee4bc285.exe	winupdate.exe
PID 2484 wrote to memory of 2028	2484	ce6de8599b565fddf67ee026ee4bc285.exe	winupdate.exe
PID 2028 wrote to memory of 2552	2028	winupdate.exe	iexplore.exe
PID 2028 wrote to memory of 2552	2028	winupdate.exe	iexplore.exe
PID 2028 wrote to memory of 2552	2028	winupdate.exe	iexplore.exe
PID 2028 wrote to memory of 2552	2028	winupdate.exe	iexplore.exe
PID 2028 wrote to memory of 2552	2028	winupdate.exe	iexplore.exe
PID 2028 wrote to memory of 2552	2028	winupdate.exe	iexplore.exe
PID 2028 wrote to memory of 2552	2028	winupdate.exe	iexplore.exe
PID 2028 wrote to memory of 2548	2028	winupdate.exe	explorer.exe
PID 2028 wrote to memory of 2548	2028	winupdate.exe	explorer.exe
PID 2028 wrote to memory of 2548	2028	winupdate.exe	explorer.exe
PID 2028 wrote to memory of 2548	2028	winupdate.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\ce6de8599b565fddf67ee026ee4bc285.exe
"C:\Users\Admin\AppData\Local\Temp\ce6de8599b565fddf67ee026ee4bc285.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windupdt\winupdate.exe
"C:\Windupdt\winupdate.exe"
2⤵
- Modifies firewall policy service
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
PID:2552

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:2548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Windupdt\winupdate.exe
Filesize
232KB

MD5
ce6de8599b565fddf67ee026ee4bc285

SHA1
a6045faafaecb660b65d45759b13a38ea2a7ce23

SHA256
427f8b826a8cc9e9059fcd956636a37a6aab8a3162b1ad1a3cc24752f6e8f351

SHA512
192e3ce197a090904d5e3838eb411e38097c20d5d7efbc6d055140fcc88e0a4cef78293e8c1c9c8abaeec55f075e17456e7607b7eaad1ed3b87866aa648d2a71

Download Submit
memory/2028-25-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-37-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-11-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-16-0x0000000000230000-0x00000000002E3000-memory.dmp

Filesize
716KB

Download
memory/2028-17-0x0000000000230000-0x00000000002E3000-memory.dmp

Filesize
716KB

Download
memory/2028-24-0x0000000000230000-0x00000000002E3000-memory.dmp

Filesize
716KB

Download
memory/2028-18-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-20-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2028-19-0x0000000000230000-0x00000000002E3000-memory.dmp

Filesize
716KB

Download
memory/2028-21-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-22-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-23-0x0000000000230000-0x00000000002E3000-memory.dmp

Filesize
716KB

Download
memory/2028-39-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-38-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-30-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-27-0x0000000000230000-0x00000000002E3000-memory.dmp

Filesize
716KB

Download
memory/2028-28-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-29-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-26-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-31-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-32-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-33-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-34-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-35-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2028-36-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2484-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2484-1-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2484-10-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads