darkcomet | 49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94

General

Target

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe
Size

544KB
MD5

8ebb4c054d2872a208baba4f2d6d4c35
SHA1

8c3c349de7b8a251a415634892081e192d3897ab
SHA256

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94
SHA512

3cc09d2e2e71ec1042e2a5e9480566dacf28ad251f6b102f3d4c05825060de83f859ef01d5362906cb12cbde0f261f0bfe0e81e0062a1105289e682d3ff54236

Score

10^/10

darkcomet guest16 rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

aca33.no-ip.biz:1088

Mutex

DC_MUTEX-JCDE4M2

Attributes

gencode
82Yjkqrl1Z2U
install
false
offline_keylogger
true
password
penis3311
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1528 svchost.exe

pid	process
1528	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe

description	pid	process	target process
PID 2252 set thread context of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe

pid	process
2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe
2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe
2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe
2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe
2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe
2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe
2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe
Token: SeIncreaseQuotaPrivilege	1528	svchost.exe
Token: SeSecurityPrivilege	1528	svchost.exe
Token: SeTakeOwnershipPrivilege	1528	svchost.exe
Token: SeLoadDriverPrivilege	1528	svchost.exe
Token: SeSystemProfilePrivilege	1528	svchost.exe
Token: SeSystemtimePrivilege	1528	svchost.exe
Token: SeProfSingleProcessPrivilege	1528	svchost.exe
Token: SeIncBasePriorityPrivilege	1528	svchost.exe
Token: SeCreatePagefilePrivilege	1528	svchost.exe
Token: SeBackupPrivilege	1528	svchost.exe
Token: SeRestorePrivilege	1528	svchost.exe
Token: SeShutdownPrivilege	1528	svchost.exe
Token: SeDebugPrivilege	1528	svchost.exe
Token: SeSystemEnvironmentPrivilege	1528	svchost.exe
Token: SeChangeNotifyPrivilege	1528	svchost.exe
Token: SeRemoteShutdownPrivilege	1528	svchost.exe
Token: SeUndockPrivilege	1528	svchost.exe
Token: SeManageVolumePrivilege	1528	svchost.exe
Token: SeImpersonatePrivilege	1528	svchost.exe
Token: SeCreateGlobalPrivilege	1528	svchost.exe
Token: 33	1528	svchost.exe
Token: 34	1528	svchost.exe
Token: 35	1528	svchost.exe
Token: 36	1528	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

1528 svchost.exe

pid	process
1528	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exesvchost.exe

description	pid	process	target process
PID 2252 wrote to memory of 4500	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	WScript.exe
PID 2252 wrote to memory of 4500	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	WScript.exe
PID 2252 wrote to memory of 4500	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	WScript.exe
PID 2252 wrote to memory of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 2252 wrote to memory of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 2252 wrote to memory of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 2252 wrote to memory of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 2252 wrote to memory of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 2252 wrote to memory of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 2252 wrote to memory of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 2252 wrote to memory of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 2252 wrote to memory of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 2252 wrote to memory of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 2252 wrote to memory of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 2252 wrote to memory of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 2252 wrote to memory of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 2252 wrote to memory of 1528	2252	49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe	svchost.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe
PID 1528 wrote to memory of 5080	1528	svchost.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe
"C:\Users\Admin\AppData\Local\Temp\49135d58b75a7f25cd28d53cc7e65aa71401e039f1654cd7fab3bb9be7d43f94.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc.vbs"
2⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:5080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cc.vbs
Filesize
368B

MD5
4d484d8c8b267638ff93e5d47323f010

SHA1
5d1af0d07fd60e659d23d05a73934bd79e8eb342

SHA256
2a6de7dd75db60b65edf3219a27cf182f572caac0d71ef7bd5e841b06b2df5af

SHA512
8c9db7c749aa309e094e26c1ed1f0a7b071fbf63dfef8197c5d45694ee2f59bb50643bfa46fa6102e2268d175ac41d3f121c783464b86294de4639736f1d8b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
memory/1528-133-0x0000000000000000-mapping.dmp

Download
memory/1528-134-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1528-138-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1528-140-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1528-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1528-143-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1528-145-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2252-139-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/2252-130-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/2252-131-0x0000000075130000-0x00000000756E1000-memory.dmp

Filesize
5.7MB

Download
memory/4500-132-0x0000000000000000-mapping.dmp

Download
memory/5080-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads