darkcomet | 198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8

Resubmissions

02-09-2021 10:21

210902-6nr3zm1qya 10

15-05-2021 13:00

210515-3jn65bnc6x 10

Analysis

max time kernel
143s
max time network
151s
platform
windows10_x64
resource
win10-en
submitted
02-09-2021 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe
Size

3.9MB
MD5

1172133c5174fcc69b7376efe3cdf91d
SHA1

7492a278541a7161eb4deb3829deb9bccffe91a7
SHA256

198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8
SHA512

41315d272ac32c052944860ba97e966a8e0a7aad4e17a9c1ba6ae5e8ee2fc522c5f5187665541e1858be0c4bc8f71d9940c6623f190cc46e5445abb723ed3404

Score

10^/10

darkcomet evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

192.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Program Files\\7-Zip\\Zip.exe"	192.exe

Executes dropped EXE 4 IoCs

Processes:

YahooD.exeY!Disruption.exe192.exeZip.exe

pid process

5064 YahooD.exe
5112 Y!Disruption.exe
3852 192.exe
4260 Zip.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

192.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation 192.exe

pid	process
5064	YahooD.exe
5112	Y!Disruption.exe
3852	192.exe
4260	Zip.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	192.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

192.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\7zip = "C:\\Users\\Admin\\AppData\\Roaming\\Program Files\\7-Zip\\Zip.exe"	192.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Zip.exe

description pid process target process

PID 4260 set thread context of 3268 4260 Zip.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

192.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance 192.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

3268 iexplore.exe

description	pid	process	target process
PID 4260 set thread context of 3268	4260	Zip.exe	iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	192.exe

pid	process
3268	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

192.exeZip.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3852	192.exe
Token: SeSecurityPrivilege	3852	192.exe
Token: SeTakeOwnershipPrivilege	3852	192.exe
Token: SeLoadDriverPrivilege	3852	192.exe
Token: SeSystemProfilePrivilege	3852	192.exe
Token: SeSystemtimePrivilege	3852	192.exe
Token: SeProfSingleProcessPrivilege	3852	192.exe
Token: SeIncBasePriorityPrivilege	3852	192.exe
Token: SeCreatePagefilePrivilege	3852	192.exe
Token: SeBackupPrivilege	3852	192.exe
Token: SeRestorePrivilege	3852	192.exe
Token: SeShutdownPrivilege	3852	192.exe
Token: SeDebugPrivilege	3852	192.exe
Token: SeSystemEnvironmentPrivilege	3852	192.exe
Token: SeChangeNotifyPrivilege	3852	192.exe
Token: SeRemoteShutdownPrivilege	3852	192.exe
Token: SeUndockPrivilege	3852	192.exe
Token: SeManageVolumePrivilege	3852	192.exe
Token: SeImpersonatePrivilege	3852	192.exe
Token: SeCreateGlobalPrivilege	3852	192.exe
Token: 33	3852	192.exe
Token: 34	3852	192.exe
Token: 35	3852	192.exe
Token: 36	3852	192.exe
Token: SeIncreaseQuotaPrivilege	4260	Zip.exe
Token: SeSecurityPrivilege	4260	Zip.exe
Token: SeTakeOwnershipPrivilege	4260	Zip.exe
Token: SeLoadDriverPrivilege	4260	Zip.exe
Token: SeSystemProfilePrivilege	4260	Zip.exe
Token: SeSystemtimePrivilege	4260	Zip.exe
Token: SeProfSingleProcessPrivilege	4260	Zip.exe
Token: SeIncBasePriorityPrivilege	4260	Zip.exe
Token: SeCreatePagefilePrivilege	4260	Zip.exe
Token: SeBackupPrivilege	4260	Zip.exe
Token: SeRestorePrivilege	4260	Zip.exe
Token: SeShutdownPrivilege	4260	Zip.exe
Token: SeDebugPrivilege	4260	Zip.exe
Token: SeSystemEnvironmentPrivilege	4260	Zip.exe
Token: SeChangeNotifyPrivilege	4260	Zip.exe
Token: SeRemoteShutdownPrivilege	4260	Zip.exe
Token: SeUndockPrivilege	4260	Zip.exe
Token: SeManageVolumePrivilege	4260	Zip.exe
Token: SeImpersonatePrivilege	4260	Zip.exe
Token: SeCreateGlobalPrivilege	4260	Zip.exe
Token: 33	4260	Zip.exe
Token: 34	4260	Zip.exe
Token: 35	4260	Zip.exe
Token: 36	4260	Zip.exe
Token: SeIncreaseQuotaPrivilege	3268	iexplore.exe
Token: SeSecurityPrivilege	3268	iexplore.exe
Token: SeTakeOwnershipPrivilege	3268	iexplore.exe
Token: SeLoadDriverPrivilege	3268	iexplore.exe
Token: SeSystemProfilePrivilege	3268	iexplore.exe
Token: SeSystemtimePrivilege	3268	iexplore.exe
Token: SeProfSingleProcessPrivilege	3268	iexplore.exe
Token: SeIncBasePriorityPrivilege	3268	iexplore.exe
Token: SeCreatePagefilePrivilege	3268	iexplore.exe
Token: SeBackupPrivilege	3268	iexplore.exe
Token: SeRestorePrivilege	3268	iexplore.exe
Token: SeShutdownPrivilege	3268	iexplore.exe
Token: SeDebugPrivilege	3268	iexplore.exe
Token: SeSystemEnvironmentPrivilege	3268	iexplore.exe
Token: SeChangeNotifyPrivilege	3268	iexplore.exe
Token: SeRemoteShutdownPrivilege	3268	iexplore.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Y!Disruption.exeiexplore.exe

pid process

5112 Y!Disruption.exe
5112 Y!Disruption.exe
3268 iexplore.exe

pid	process
5112	Y!Disruption.exe
5112	Y!Disruption.exe
3268	iexplore.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exeYahooD.exe192.execmd.execmd.exeZip.exe

description	pid	process	target process
PID 4476 wrote to memory of 5064	4476	198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe	YahooD.exe
PID 4476 wrote to memory of 5064	4476	198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe	YahooD.exe
PID 4476 wrote to memory of 5112	4476	198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe	Y!Disruption.exe
PID 4476 wrote to memory of 5112	4476	198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe	Y!Disruption.exe
PID 4476 wrote to memory of 5112	4476	198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe	Y!Disruption.exe
PID 5064 wrote to memory of 3852	5064	YahooD.exe	192.exe
PID 5064 wrote to memory of 3852	5064	YahooD.exe	192.exe
PID 5064 wrote to memory of 3852	5064	YahooD.exe	192.exe
PID 3852 wrote to memory of 3992	3852	192.exe	cmd.exe
PID 3852 wrote to memory of 3992	3852	192.exe	cmd.exe
PID 3852 wrote to memory of 3992	3852	192.exe	cmd.exe
PID 3852 wrote to memory of 1928	3852	192.exe	cmd.exe
PID 3852 wrote to memory of 1928	3852	192.exe	cmd.exe
PID 3852 wrote to memory of 1928	3852	192.exe	cmd.exe
PID 3992 wrote to memory of 4300	3992	cmd.exe	attrib.exe
PID 3992 wrote to memory of 4300	3992	cmd.exe	attrib.exe
PID 3992 wrote to memory of 4300	3992	cmd.exe	attrib.exe
PID 1928 wrote to memory of 4276	1928	cmd.exe	attrib.exe
PID 1928 wrote to memory of 4276	1928	cmd.exe	attrib.exe
PID 1928 wrote to memory of 4276	1928	cmd.exe	attrib.exe
PID 3852 wrote to memory of 4260	3852	192.exe	Zip.exe
PID 3852 wrote to memory of 4260	3852	192.exe	Zip.exe
PID 3852 wrote to memory of 4260	3852	192.exe	Zip.exe
PID 4260 wrote to memory of 3268	4260	Zip.exe	iexplore.exe
PID 4260 wrote to memory of 3268	4260	Zip.exe	iexplore.exe
PID 4260 wrote to memory of 3268	4260	Zip.exe	iexplore.exe
PID 4260 wrote to memory of 3268	4260	Zip.exe	iexplore.exe
PID 4260 wrote to memory of 3268	4260	Zip.exe	iexplore.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4300 attrib.exe
4276 attrib.exe

pid	process
4300	attrib.exe
4276	attrib.exe

C:\Users\Admin\AppData\Local\Temp\198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe
"C:\Users\Admin\AppData\Local\Temp\198d51cd77f96832b3f6c733455ce8921e153fd31542e7a3e89a788ab792ede8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Users\Admin\AppData\Local\Temp\YahooD.exe
"C:\Users\Admin\AppData\Local\Temp\YahooD.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Local\Temp\192.exe
C:\Users\Admin\AppData\Local\Temp\192.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
5⤵
- Views/modifies file attributes
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
5⤵
- Views/modifies file attributes
PID:4276

C:\Users\Admin\AppData\Roaming\Program Files\7-Zip\Zip.exe
"C:\Users\Admin\AppData\Roaming\Program Files\7-Zip\Zip.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
5⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3268

C:\Users\Admin\AppData\Local\Temp\Y!Disruption.exe
"C:\Users\Admin\AppData\Local\Temp\Y!Disruption.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\192.exe
MD5
1fd8280bcea9dad2648bd791eaf7c6c2

SHA1
db71d7e856b0b18ca46ca9542f7aae5faaf2ab42

SHA256
3ae9046697489f5359a7b5e01f2edc1bdaa7ba428c995e2aca33c0c4943d0c32

SHA512
bebce9cd7e7f1c6789abfd8cfd2510276a25550da6bd713f3fa4aa9e2c8378d8856476891608a3abb024fb3735cd381b6b99b621bae8a26fc3b28690a7fa2503

Download Submit
C:\Users\Admin\AppData\Local\Temp\192.exe
MD5
1fd8280bcea9dad2648bd791eaf7c6c2

SHA1
db71d7e856b0b18ca46ca9542f7aae5faaf2ab42

SHA256
3ae9046697489f5359a7b5e01f2edc1bdaa7ba428c995e2aca33c0c4943d0c32

SHA512
bebce9cd7e7f1c6789abfd8cfd2510276a25550da6bd713f3fa4aa9e2c8378d8856476891608a3abb024fb3735cd381b6b99b621bae8a26fc3b28690a7fa2503

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y!Disruption.exe
MD5
b36656b020dc4650336938ee68584478

SHA1
e41ba229c62e47b7a202ceba28d707e37ce5420d

SHA256
b7502d34e6f0fb5adf94e52b1b3054a8ecef9008fec02419219891a7677fffea

SHA512
6915577524aa980f45ec2bc1d5b52fa9b31ae6e63ebf403b6b900a2ca53cb741a2a43b7871a373de49e4d75bf75548a94caff18c4177aea4795dc1a0cd95ca3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y!Disruption.exe
MD5
b36656b020dc4650336938ee68584478

SHA1
e41ba229c62e47b7a202ceba28d707e37ce5420d

SHA256
b7502d34e6f0fb5adf94e52b1b3054a8ecef9008fec02419219891a7677fffea

SHA512
6915577524aa980f45ec2bc1d5b52fa9b31ae6e63ebf403b6b900a2ca53cb741a2a43b7871a373de49e4d75bf75548a94caff18c4177aea4795dc1a0cd95ca3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YahooD.exe
MD5
3e07cdbbaef9e033dc30a360a7896403

SHA1
5beee4f051cf330e8f024eb2be3645630a7133f4

SHA256
d8d52d1a8ae209b1ae09281e2eacf4a0f2c9fb0625220897eca41b4d26adabf0

SHA512
dd8025bc22b646757b046d83c339849ce1949f9af06720e6016278050445bc379dc57e0bbfb57ffef05152f61446c0df2574098712c13ef609d0f298929fdf0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YahooD.exe
MD5
3e07cdbbaef9e033dc30a360a7896403

SHA1
5beee4f051cf330e8f024eb2be3645630a7133f4

SHA256
d8d52d1a8ae209b1ae09281e2eacf4a0f2c9fb0625220897eca41b4d26adabf0

SHA512
dd8025bc22b646757b046d83c339849ce1949f9af06720e6016278050445bc379dc57e0bbfb57ffef05152f61446c0df2574098712c13ef609d0f298929fdf0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
MD5
b774ae3fb1da087e1f83b4f7b2060e5a

SHA1
97eb9be49ac3af9c851c9e1e84e32bfd53e325a8

SHA256
adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b

SHA512
f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

Download Submit
C:\Users\Admin\AppData\Roaming\Program Files\7-Zip\Zip.exe
MD5
1fd8280bcea9dad2648bd791eaf7c6c2

SHA1
db71d7e856b0b18ca46ca9542f7aae5faaf2ab42

SHA256
3ae9046697489f5359a7b5e01f2edc1bdaa7ba428c995e2aca33c0c4943d0c32

SHA512
bebce9cd7e7f1c6789abfd8cfd2510276a25550da6bd713f3fa4aa9e2c8378d8856476891608a3abb024fb3735cd381b6b99b621bae8a26fc3b28690a7fa2503

Download Submit
C:\Users\Admin\AppData\Roaming\Program Files\7-Zip\Zip.exe
MD5
1fd8280bcea9dad2648bd791eaf7c6c2

SHA1
db71d7e856b0b18ca46ca9542f7aae5faaf2ab42

SHA256
3ae9046697489f5359a7b5e01f2edc1bdaa7ba428c995e2aca33c0c4943d0c32

SHA512
bebce9cd7e7f1c6789abfd8cfd2510276a25550da6bd713f3fa4aa9e2c8378d8856476891608a3abb024fb3735cd381b6b99b621bae8a26fc3b28690a7fa2503

Download Submit
memory/1928-131-0x0000000000000000-mapping.dmp

Download
memory/3268-139-0x000000000049F92C-mapping.dmp

Download
memory/3268-138-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3852-129-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3852-122-0x0000000000000000-mapping.dmp

Download
memory/3992-130-0x0000000000000000-mapping.dmp

Download
memory/4260-142-0x0000000000540000-0x00000000005EE000-memory.dmp

Filesize
696KB

Download
memory/4260-135-0x0000000000000000-mapping.dmp

Download
memory/4276-134-0x0000000000000000-mapping.dmp

Download
memory/4300-133-0x0000000000000000-mapping.dmp

Download
memory/4476-115-0x0000000001350000-0x0000000001352000-memory.dmp

Filesize
8KB

Download
memory/5064-128-0x00000000025B0000-0x00000000025B2000-memory.dmp

Filesize
8KB

Download
memory/5064-116-0x0000000000000000-mapping.dmp

Download
memory/5112-118-0x0000000000000000-mapping.dmp

Download