darkcomet | bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742

General

Target

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Size

251KB
MD5

42c4dc5105eff86f69d8c3d0d1e9e773
SHA1

a4c1c4f627ac87cb180f3e70751bf525ef658def
SHA256

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742
SHA512

8017b10da3f275a719dee0d7cdea1fc066af93a99748501d4d2519827f651d1dd7dbab5bab8f8ed268ef5cb72573c6f95a0e77e4e5e0af68a08a524feab8d91f

Score

10^/10

darkcomet evasion persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\nVidiaExpe\\nvmdch.exe"	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe

Disables RegEdit via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

nvmdch.exe

pid process

2216 nvmdch.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
2216	nvmdch.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe	upx
C:\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

3592 notepad.exe

pid	process
3592	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exenvmdch.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\nVidiaExpe\\nvmdch.exe"	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\nVidiaExpe\\nvmdch.exe"	nvmdch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nvmdch.exe

pid process

2216 nvmdch.exe

pid	process
2216	nvmdch.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exenvmdch.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeSecurityPrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeTakeOwnershipPrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeLoadDriverPrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeSystemProfilePrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeSystemtimePrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeProfSingleProcessPrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeIncBasePriorityPrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeCreatePagefilePrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeBackupPrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeRestorePrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeShutdownPrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeDebugPrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeSystemEnvironmentPrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeChangeNotifyPrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeRemoteShutdownPrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeUndockPrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeManageVolumePrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeImpersonatePrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeCreateGlobalPrivilege	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: 33	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: 34	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: 35	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: 36	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
Token: SeIncreaseQuotaPrivilege	2216	nvmdch.exe
Token: SeSecurityPrivilege	2216	nvmdch.exe
Token: SeTakeOwnershipPrivilege	2216	nvmdch.exe
Token: SeLoadDriverPrivilege	2216	nvmdch.exe
Token: SeSystemProfilePrivilege	2216	nvmdch.exe
Token: SeSystemtimePrivilege	2216	nvmdch.exe
Token: SeProfSingleProcessPrivilege	2216	nvmdch.exe
Token: SeIncBasePriorityPrivilege	2216	nvmdch.exe
Token: SeCreatePagefilePrivilege	2216	nvmdch.exe
Token: SeBackupPrivilege	2216	nvmdch.exe
Token: SeRestorePrivilege	2216	nvmdch.exe
Token: SeShutdownPrivilege	2216	nvmdch.exe
Token: SeDebugPrivilege	2216	nvmdch.exe
Token: SeSystemEnvironmentPrivilege	2216	nvmdch.exe
Token: SeChangeNotifyPrivilege	2216	nvmdch.exe
Token: SeRemoteShutdownPrivilege	2216	nvmdch.exe
Token: SeUndockPrivilege	2216	nvmdch.exe
Token: SeManageVolumePrivilege	2216	nvmdch.exe
Token: SeImpersonatePrivilege	2216	nvmdch.exe
Token: SeCreateGlobalPrivilege	2216	nvmdch.exe
Token: 33	2216	nvmdch.exe
Token: 34	2216	nvmdch.exe
Token: 35	2216	nvmdch.exe
Token: 36	2216	nvmdch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

nvmdch.exe

pid process

2216 nvmdch.exe

pid	process
2216	nvmdch.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.execmd.execmd.exenvmdch.exe

description	pid	process	target process
PID 4760 wrote to memory of 3472	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	cmd.exe
PID 4760 wrote to memory of 3472	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	cmd.exe
PID 4760 wrote to memory of 3472	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	cmd.exe
PID 4760 wrote to memory of 3580	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	cmd.exe
PID 4760 wrote to memory of 3580	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	cmd.exe
PID 4760 wrote to memory of 3580	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	cmd.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 4760 wrote to memory of 3592	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	notepad.exe
PID 3472 wrote to memory of 2368	3472	cmd.exe	attrib.exe
PID 3472 wrote to memory of 2368	3472	cmd.exe	attrib.exe
PID 3472 wrote to memory of 2368	3472	cmd.exe	attrib.exe
PID 3580 wrote to memory of 516	3580	cmd.exe	attrib.exe
PID 3580 wrote to memory of 516	3580	cmd.exe	attrib.exe
PID 3580 wrote to memory of 516	3580	cmd.exe	attrib.exe
PID 4760 wrote to memory of 2216	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	nvmdch.exe
PID 4760 wrote to memory of 2216	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	nvmdch.exe
PID 4760 wrote to memory of 2216	4760	bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe	nvmdch.exe
PID 2216 wrote to memory of 3280	2216	nvmdch.exe	iexplore.exe
PID 2216 wrote to memory of 3280	2216	nvmdch.exe	iexplore.exe
PID 2216 wrote to memory of 3280	2216	nvmdch.exe	iexplore.exe
PID 2216 wrote to memory of 3340	2216	nvmdch.exe	explorer.exe
PID 2216 wrote to memory of 3340	2216	nvmdch.exe	explorer.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe
PID 2216 wrote to memory of 3732	2216	nvmdch.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2368 attrib.exe
516 attrib.exe

pid	process
2368	attrib.exe
516	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe
"C:\Users\Admin\AppData\Local\Temp\bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742.exe" +s +h
3⤵
- Views/modifies file attributes
PID:2368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Views/modifies file attributes
PID:516

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Deletes itself
PID:3592

C:\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe
"C:\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
PID:3280

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:3340

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:3732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe
MD5
42c4dc5105eff86f69d8c3d0d1e9e773

SHA1
a4c1c4f627ac87cb180f3e70751bf525ef658def

SHA256
bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742

SHA512
8017b10da3f275a719dee0d7cdea1fc066af93a99748501d4d2519827f651d1dd7dbab5bab8f8ed268ef5cb72573c6f95a0e77e4e5e0af68a08a524feab8d91f

Download Submit
C:\Users\Admin\AppData\Roaming\nVidiaExpe\nvmdch.exe
MD5
42c4dc5105eff86f69d8c3d0d1e9e773

SHA1
a4c1c4f627ac87cb180f3e70751bf525ef658def

SHA256
bcd956aebc76db25ef4891d1b85eaf7151dee287c61637d59aa7c071e258f742

SHA512
8017b10da3f275a719dee0d7cdea1fc066af93a99748501d4d2519827f651d1dd7dbab5bab8f8ed268ef5cb72573c6f95a0e77e4e5e0af68a08a524feab8d91f

Download Submit
memory/516-6-0x0000000000000000-mapping.dmp

Download
memory/2216-7-0x0000000000000000-mapping.dmp

Download
memory/2368-5-0x0000000000000000-mapping.dmp

Download
memory/3472-0-0x0000000000000000-mapping.dmp

Download
memory/3580-1-0x0000000000000000-mapping.dmp

Download
memory/3592-3-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/3592-4-0x0000000000000000-mapping.dmp

Download
memory/3592-2-0x0000000000000000-mapping.dmp

Download
memory/3732-10-0x0000000000000000-mapping.dmp

Download
memory/3732-11-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/3732-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads