darkcomet | aecef6d3695122c47aa63b8987aad0155c36b54016a3bab9b59c216ac8e53027

General

Target

prevmkali.exe
Size

251KB
MD5

e556b66a52ae28b3c877a9f3c419c5e3
SHA1

3a71dfde7b64c92cca1a023d0c807364d7d4cc1f
SHA256

1993dacf9211a1dab3c7cca176add0714f3061a7c9cb2edaacd31448c16c746a
SHA512

cd8b4a5ba819848cf48b8e59da0099324b06c54bb913381720e612e003a47cef583b4f96947d70a40e41445a802d4368835d339c0a2a2b5c7b91bfbd604df277
SSDEEP

6144:TdcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37k1:TdcW7KEZlPzCy37

Score

10^/10

darkcomet guest16 evasion rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

6.tcp.us-cal-1.ngrok.io:12638

127.0.0.1:1337

Mutex

DC_MUTEX-RSWN5YL

Attributes

gencode
7gEewe3dp4fF
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

prevmkali.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" prevmkali.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	prevmkali.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

prevmkali.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	prevmkali.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	prevmkali.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/732-0-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/732-3-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

prevmkali.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	prevmkali.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	prevmkali.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

10 6.tcp.us-cal-1.ngrok.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
10	6.tcp.us-cal-1.ngrok.io

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

prevmkali.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	732	prevmkali.exe
Token: SeSecurityPrivilege	732	prevmkali.exe
Token: SeTakeOwnershipPrivilege	732	prevmkali.exe
Token: SeLoadDriverPrivilege	732	prevmkali.exe
Token: SeSystemProfilePrivilege	732	prevmkali.exe
Token: SeSystemtimePrivilege	732	prevmkali.exe
Token: SeProfSingleProcessPrivilege	732	prevmkali.exe
Token: SeIncBasePriorityPrivilege	732	prevmkali.exe
Token: SeCreatePagefilePrivilege	732	prevmkali.exe
Token: SeBackupPrivilege	732	prevmkali.exe
Token: SeRestorePrivilege	732	prevmkali.exe
Token: SeShutdownPrivilege	732	prevmkali.exe
Token: SeDebugPrivilege	732	prevmkali.exe
Token: SeSystemEnvironmentPrivilege	732	prevmkali.exe
Token: SeChangeNotifyPrivilege	732	prevmkali.exe
Token: SeRemoteShutdownPrivilege	732	prevmkali.exe
Token: SeUndockPrivilege	732	prevmkali.exe
Token: SeManageVolumePrivilege	732	prevmkali.exe
Token: SeImpersonatePrivilege	732	prevmkali.exe
Token: SeCreateGlobalPrivilege	732	prevmkali.exe
Token: 33	732	prevmkali.exe
Token: 34	732	prevmkali.exe
Token: 35	732	prevmkali.exe
Token: 36	732	prevmkali.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

prevmkali.exe

pid process

732 prevmkali.exe

pid	process
732	prevmkali.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

prevmkali.exe

description	pid	process	target process
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe
PID 732 wrote to memory of 4836	732	prevmkali.exe	notepad.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

prevmkali.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	prevmkali.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	prevmkali.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	prevmkali.exe

C:\Users\Admin\AppData\Local\Temp\prevmkali.exe
"C:\Users\Admin\AppData\Local\Temp\prevmkali.exe"
1⤵
- Modifies security service
- Windows security bypass
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:732

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
PID:4836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

4

T1112

Impair Defenses

2

T1562

Disable or Modify Tools

2

T1562.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/732-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/732-1-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/732-3-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/732-5-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4836-2-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads