darkcomet | 21095dc807f1c7f783e3758a7edc7b140ac95b0676a04d1d9c06f46d822a6987

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

smss.exe
Size

722KB
MD5

d658f9620d213931933fd48dc9848ce0
SHA1

3e372c0cb3943ee6e8962f58175e42939c578231
SHA256

21095dc807f1c7f783e3758a7edc7b140ac95b0676a04d1d9c06f46d822a6987
SHA512

ba120dfa57691454c1801c61853d92638753f00dd0b4c07a8ec00febfe7d06761b931315df8e1fb588644e8ad26ffe4c3882dcb838fd9b0ad86b0e3c4278f812
SSDEEP

12288:wFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJH:g3nbWmJVJFwSddIXvfhqbiaxvRxq9V

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

Processes:

flow	ioc
6	0.tcp.eu.ngrok.io
11	0.tcp.eu.ngrok.io
12	0.tcp.eu.ngrok.io
15	0.tcp.eu.ngrok.io
2	0.tcp.eu.ngrok.io
3	0.tcp.eu.ngrok.io
5	0.tcp.eu.ngrok.io
10	0.tcp.eu.ngrok.io
14	0.tcp.eu.ngrok.io
7	0.tcp.eu.ngrok.io
8	0.tcp.eu.ngrok.io
13	0.tcp.eu.ngrok.io
9	0.tcp.eu.ngrok.io

Suspicious use of SetThreadContext 1 IoCs

Processes:

smss.exe

description pid process target process

PID 3056 set thread context of 1836 3056 smss.exe iexplore.exe

description	pid	process	target process
PID 3056 set thread context of 1836	3056	smss.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

smss.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3056	smss.exe
Token: SeSecurityPrivilege	3056	smss.exe
Token: SeTakeOwnershipPrivilege	3056	smss.exe
Token: SeLoadDriverPrivilege	3056	smss.exe
Token: SeSystemProfilePrivilege	3056	smss.exe
Token: SeSystemtimePrivilege	3056	smss.exe
Token: SeProfSingleProcessPrivilege	3056	smss.exe
Token: SeIncBasePriorityPrivilege	3056	smss.exe
Token: SeCreatePagefilePrivilege	3056	smss.exe
Token: SeBackupPrivilege	3056	smss.exe
Token: SeRestorePrivilege	3056	smss.exe
Token: SeShutdownPrivilege	3056	smss.exe
Token: SeDebugPrivilege	3056	smss.exe
Token: SeSystemEnvironmentPrivilege	3056	smss.exe
Token: SeChangeNotifyPrivilege	3056	smss.exe
Token: SeRemoteShutdownPrivilege	3056	smss.exe
Token: SeUndockPrivilege	3056	smss.exe
Token: SeManageVolumePrivilege	3056	smss.exe
Token: SeImpersonatePrivilege	3056	smss.exe
Token: SeCreateGlobalPrivilege	3056	smss.exe
Token: 33	3056	smss.exe
Token: 34	3056	smss.exe
Token: 35	3056	smss.exe
Token: SeIncreaseQuotaPrivilege	1836	iexplore.exe
Token: SeSecurityPrivilege	1836	iexplore.exe
Token: SeTakeOwnershipPrivilege	1836	iexplore.exe
Token: SeLoadDriverPrivilege	1836	iexplore.exe
Token: SeSystemProfilePrivilege	1836	iexplore.exe
Token: SeSystemtimePrivilege	1836	iexplore.exe
Token: SeProfSingleProcessPrivilege	1836	iexplore.exe
Token: SeIncBasePriorityPrivilege	1836	iexplore.exe
Token: SeCreatePagefilePrivilege	1836	iexplore.exe
Token: SeBackupPrivilege	1836	iexplore.exe
Token: SeRestorePrivilege	1836	iexplore.exe
Token: SeShutdownPrivilege	1836	iexplore.exe
Token: SeDebugPrivilege	1836	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1836	iexplore.exe
Token: SeChangeNotifyPrivilege	1836	iexplore.exe
Token: SeRemoteShutdownPrivilege	1836	iexplore.exe
Token: SeUndockPrivilege	1836	iexplore.exe
Token: SeManageVolumePrivilege	1836	iexplore.exe
Token: SeImpersonatePrivilege	1836	iexplore.exe
Token: SeCreateGlobalPrivilege	1836	iexplore.exe
Token: 33	1836	iexplore.exe
Token: 34	1836	iexplore.exe
Token: 35	1836	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

1836 iexplore.exe

pid	process
1836	iexplore.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

smss.exe

description	pid	process	target process
PID 3056 wrote to memory of 1836	3056	smss.exe	iexplore.exe
PID 3056 wrote to memory of 1836	3056	smss.exe	iexplore.exe
PID 3056 wrote to memory of 1836	3056	smss.exe	iexplore.exe
PID 3056 wrote to memory of 1836	3056	smss.exe	iexplore.exe
PID 3056 wrote to memory of 1836	3056	smss.exe	iexplore.exe
PID 3056 wrote to memory of 1836	3056	smss.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1836-1-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3056-0-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/3056-2-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download