darkcomet | 458ea5c258bf60dc9bc05e215e1dfbe360ebdd5e7d1e4cacb8afb2d459d8c589

General

Target

IMG_WA-D0014/IMG_WA-D0014.exe
Size

1.5MB
MD5

f43802841b34045780b19c44f10652aa
SHA1

8395ff25a349459512b81c26eddff2812c486595
SHA256

e771b871b56ae87849d567a693ac3c01c5f57b737dc74435289425869ae17657
SHA512

c50e5a8c76b27bb3bb50761c7f0b9c8b0535bc604a8f687189048bb69cb903d896eb2931ab585d77c1493daec83c8369fc7f1d3ea5c7d5549fb28da2d9fb8eab

Score

10^/10

darkcomet oct 29 19 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Oct 29 19

C2

bio4kobs.geekgalaxy.com:1609

Mutex

DC_MUTEX-QUS1L2L

Attributes

gencode
sgZH9wbBsjsB
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

doctbqr.exe

pid process

2840 doctbqr.exe

pid	process
2840	doctbqr.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/32-135-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/32-136-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/32-137-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/32-138-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/32-139-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/32-140-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IMG_WA-D0014.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	IMG_WA-D0014.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

doctbqr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doct = "C:\\Users\\Admin\\AppData\\Local\\doct\\doctos.vbs"	doctbqr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

doctbqr.exe

description pid process target process

PID 2840 set thread context of 32 2840 doctbqr.exe TapiUnattend.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

doctbqr.exe

pid process

2840 doctbqr.exe
2840 doctbqr.exe
2840 doctbqr.exe
2840 doctbqr.exe

description	pid	process	target process
PID 2840 set thread context of 32	2840	doctbqr.exe	TapiUnattend.exe

pid	process
2840	doctbqr.exe
2840	doctbqr.exe
2840	doctbqr.exe
2840	doctbqr.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

TapiUnattend.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	32	TapiUnattend.exe
Token: SeSecurityPrivilege	32	TapiUnattend.exe
Token: SeTakeOwnershipPrivilege	32	TapiUnattend.exe
Token: SeLoadDriverPrivilege	32	TapiUnattend.exe
Token: SeSystemProfilePrivilege	32	TapiUnattend.exe
Token: SeSystemtimePrivilege	32	TapiUnattend.exe
Token: SeProfSingleProcessPrivilege	32	TapiUnattend.exe
Token: SeIncBasePriorityPrivilege	32	TapiUnattend.exe
Token: SeCreatePagefilePrivilege	32	TapiUnattend.exe
Token: SeBackupPrivilege	32	TapiUnattend.exe
Token: SeRestorePrivilege	32	TapiUnattend.exe
Token: SeShutdownPrivilege	32	TapiUnattend.exe
Token: SeDebugPrivilege	32	TapiUnattend.exe
Token: SeSystemEnvironmentPrivilege	32	TapiUnattend.exe
Token: SeChangeNotifyPrivilege	32	TapiUnattend.exe
Token: SeRemoteShutdownPrivilege	32	TapiUnattend.exe
Token: SeUndockPrivilege	32	TapiUnattend.exe
Token: SeManageVolumePrivilege	32	TapiUnattend.exe
Token: SeImpersonatePrivilege	32	TapiUnattend.exe
Token: SeCreateGlobalPrivilege	32	TapiUnattend.exe
Token: 33	32	TapiUnattend.exe
Token: 34	32	TapiUnattend.exe
Token: 35	32	TapiUnattend.exe
Token: 36	32	TapiUnattend.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

TapiUnattend.exe

pid process

32 TapiUnattend.exe

pid	process
32	TapiUnattend.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

IMG_WA-D0014.exedoctbqr.exe

description	pid	process	target process
PID 552 wrote to memory of 2840	552	IMG_WA-D0014.exe	doctbqr.exe
PID 552 wrote to memory of 2840	552	IMG_WA-D0014.exe	doctbqr.exe
PID 552 wrote to memory of 2840	552	IMG_WA-D0014.exe	doctbqr.exe
PID 2840 wrote to memory of 32	2840	doctbqr.exe	TapiUnattend.exe
PID 2840 wrote to memory of 32	2840	doctbqr.exe	TapiUnattend.exe
PID 2840 wrote to memory of 32	2840	doctbqr.exe	TapiUnattend.exe
PID 2840 wrote to memory of 32	2840	doctbqr.exe	TapiUnattend.exe
PID 2840 wrote to memory of 32	2840	doctbqr.exe	TapiUnattend.exe

C:\Users\Admin\AppData\Local\Temp\IMG_WA-D0014\IMG_WA-D0014.exe
"C:\Users\Admin\AppData\Local\Temp\IMG_WA-D0014\IMG_WA-D0014.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Roaming\doctbqr.exe
"C:\Users\Admin\AppData\Roaming\doctbqr.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\TapiUnattend.exe
"C:\Windows\System32\TapiUnattend.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:32

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\doct.bmp

Filesize
1.1MB

MD5
3e9f0eb34cd0aa86faadc2c19b1aadc8

SHA1
f755c8b082f46c97e9c377e93bacae0a3f5521c1

SHA256
5fb71c17a71dcc2dedc9d45c56f5621e9fd5773f8f7b2409fc83a0edf3df8dfa

SHA512
b6b337cdbf0a2d5f57edae8781a1745e9784f667cc3922bf576b467c4a5817b41b4aafd5322a0808b377a6407d851998bf84b69384f52266f286be4066c63f85

Download Submit
C:\Users\Admin\AppData\Roaming\doctbqr.exe

Filesize
891KB

MD5
8336ccaea93bd351eca733be59cc95a6

SHA1
c4a7abdd39e9dd0ec560a3ec3f9cab0e65b19488

SHA256
a0663ae9e890d831284aa95a6aacbef1e99b01440319ee4b05b747dbba7ee5ea

SHA512
5e3acaf8cf0c0b70e008b4fa030116652d84253ae6b2cbdfc718aa3a643b3f397b8ba6a3b72d94954af550caceda72af2edc457f278eb4c11628860614f980c3

Download Submit
C:\Users\Admin\AppData\Roaming\doctbqr.exe

Filesize
891KB

MD5
8336ccaea93bd351eca733be59cc95a6

SHA1
c4a7abdd39e9dd0ec560a3ec3f9cab0e65b19488

SHA256
a0663ae9e890d831284aa95a6aacbef1e99b01440319ee4b05b747dbba7ee5ea

SHA512
5e3acaf8cf0c0b70e008b4fa030116652d84253ae6b2cbdfc718aa3a643b3f397b8ba6a3b72d94954af550caceda72af2edc457f278eb4c11628860614f980c3

Download Submit
memory/32-134-0x0000000000000000-mapping.dmp

Download
memory/32-135-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/32-136-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/32-137-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/32-138-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/32-139-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/32-140-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2840-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads