darkcomet | dca15b06df096c0c64040541b93cb082d36da00301e593df1e84c9c4c3755e4e | Triage

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 00:49 UTC

Sharing

Report Analysis Logs

General

Target

e05f7b8e28e8f66bcf8c2285fb5a7418.exe
Size

4.2MB
MD5

e05f7b8e28e8f66bcf8c2285fb5a7418
SHA1

7ecf8fb1f0b66cb822ffdb95c5af26a22a8f21ca
SHA256

dca15b06df096c0c64040541b93cb082d36da00301e593df1e84c9c4c3755e4e
SHA512

93f420af76dcac8cfb2478bf00c2540486f5fb7bd4cb10920be3bcab6f1656fbe9c433a0936492ba0e9dfe97b54a4b9ba58fcf1b2d8d3e6a7743902c15489804
SSDEEP

24576:g8FD4Ib+69Q8VHHA3sE2CognHHdndjsmB/MOs9jqHL2+i+KFYQyNW8HFSGYcXHX0:vzvK8V56H9dt/imVlXc5

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2964 set thread context of 2044	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	29

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	vbc.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	vbc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2044	vbc.exe
Token: SeSecurityPrivilege	2044	vbc.exe
Token: SeTakeOwnershipPrivilege	2044	vbc.exe
Token: SeLoadDriverPrivilege	2044	vbc.exe
Token: SeSystemProfilePrivilege	2044	vbc.exe
Token: SeSystemtimePrivilege	2044	vbc.exe
Token: SeProfSingleProcessPrivilege	2044	vbc.exe
Token: SeIncBasePriorityPrivilege	2044	vbc.exe
Token: SeCreatePagefilePrivilege	2044	vbc.exe
Token: SeBackupPrivilege	2044	vbc.exe
Token: SeRestorePrivilege	2044	vbc.exe
Token: SeShutdownPrivilege	2044	vbc.exe
Token: SeDebugPrivilege	2044	vbc.exe
Token: SeSystemEnvironmentPrivilege	2044	vbc.exe
Token: SeChangeNotifyPrivilege	2044	vbc.exe
Token: SeRemoteShutdownPrivilege	2044	vbc.exe
Token: SeUndockPrivilege	2044	vbc.exe
Token: SeManageVolumePrivilege	2044	vbc.exe
Token: SeImpersonatePrivilege	2044	vbc.exe
Token: SeCreateGlobalPrivilege	2044	vbc.exe
Token: 33	2044	vbc.exe
Token: 34	2044	vbc.exe
Token: 35	2044	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2736	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	28
PID 2964 wrote to memory of 2736	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	28
PID 2964 wrote to memory of 2736	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	28
PID 2964 wrote to memory of 2736	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	28
PID 2964 wrote to memory of 2044	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	29
PID 2964 wrote to memory of 2044	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	29
PID 2964 wrote to memory of 2044	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	29
PID 2964 wrote to memory of 2044	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	29
PID 2964 wrote to memory of 2044	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	29
PID 2964 wrote to memory of 2044	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	29
PID 2964 wrote to memory of 2044	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	29
PID 2964 wrote to memory of 2044	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	29
PID 2964 wrote to memory of 2044	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	29
PID 2964 wrote to memory of 2044	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	29
PID 2964 wrote to memory of 2044	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	29
PID 2964 wrote to memory of 2044	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	29
PID 2964 wrote to memory of 2044	2964	e05f7b8e28e8f66bcf8c2285fb5a7418.exe	29

C:\Users\Admin\AppData\Local\Temp\e05f7b8e28e8f66bcf8c2285fb5a7418.exe
"C:\Users\Admin\AppData\Local\Temp\e05f7b8e28e8f66bcf8c2285fb5a7418.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Checks BIOS information in registry
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2044

Network

DNS

dz9.no-ip.info

vbc.exe

Remote address:

8.8.8.8:53

Request

dz9.no-ip.info

IN A

Response

No results found

8.8.8.8:53

dz9.no-ip.info

dns

vbc.exe

60 B
120 B
1
1

DNS Request

dz9.no-ip.info

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2044-15-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-13-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-45-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-3-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-5-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-11-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-9-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-21-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-44-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-24-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-26-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2044-29-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-28-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-27-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-25-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-22-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2044-17-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-43-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-42-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-7-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-30-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-31-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-32-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-33-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-34-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-35-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-36-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-37-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-38-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-39-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-40-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2044-41-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2964-0-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2964-1-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2964-23-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2964-2-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download