Analysis
- max time kernel: 152s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-07-2022 09:43
Behavioral tasks
- behavioral1: DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/Celesty Binder/Celesty.exe (resource: win7-20220718-en)
- behavioral2: DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/Celesty Binder/Celesty.exe (resource: win10v2004-20220718-en)
- behavioral3: DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/DarkCometRat.exe (resource: win7-20220718-en)
- behavioral4: DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/DarkCometRat.exe (resource: win10v2004-20220718-en)
- behavioral5: DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/Spoof extensions/Spoofer.exe (resource: win7-20220715-en)
- behavioral6: DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/Spoof extensions/Spoofer.exe (resource: win10v2004-20220414-en)
- behavioral7: DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/sqlite3.dll (resource: win7-20220715-en)
- behavioral8: DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/sqlite3.dll (resource: win10v2004-20220414-en)
- behavioral9: DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/userfixer.dll (resource: win7-20220715-en)
- behavioral10: DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/userfixer.dll (resource: win10v2004-20220718-en)
General
- Target: DARKCOMET 5.3.1 Fixed/DARKCOMET 5.3.1/DarkCometRat.exe
- Size: 12.1MB
- MD5: c8c39c4d8cdfa38169be4057a70e04f2
- SHA1: ceddeda4a89ad8c0fc1765511ef9da9696803f9f
- SHA256: 62f21406a307e447db6f0c2d91c626d947544effd6f56800c5e2e1beea18375c
- SHA512: ab21a5273e481cce2173ea6ee5d450a28f5ab1411699500f62d2c4e1b35dd5fc825931a0cd8cca9da4e92f5e2e06784e3f14006e1d76b8e197baf02ff22f0a30
Malware Config
Extracted: asyncrat
- version: 0.5.7B
- botnet: Default
- C2: susiahat24199a.ddns.net:6606
- mutex: AsyncMutex_6SI8OkPnk
- delay: 3
- install: true
- install_file: JavaCrashHandle.exe
- install_folder: %AppData%
Extracted: darkcomet
- botnet: Guest16
- C2: sussysdfffdfff343.duckdns.org:1604
- mutex: DC_MUTEX-QH9A6P4
- InstallPath: MSDCSC\msdcsc.exe
- gencode: YBnxcFaotAui
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: JavaUpdater
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (HAXIMIZE-V2.0 CRACKED.EXE)
Modifies firewall policy service (2 TTPs, 6 IoCs)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (iexplore.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (iexplore.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (iexplore.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (msdcsc.exe)
Modifies security service (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (iexplore.exe)
Windows security bypass (4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (iexplore.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (iexplore.exe)
Async RAT payload (5 IoCs)
- C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE (yara rule: asyncrat)
- behavioral4/memory/2296-139-0x00000000002F0000-0x0000000000316000-memory.dmp (yara rule: asyncrat)
- C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE (yara rule: asyncrat)
- C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe (yara rule: asyncrat)
- C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe (yara rule: asyncrat)
Disables RegEdit via registry modification (2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (msdcsc.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (iexplore.exe)
Executes dropped EXE (5 IoCs)
- pid 1340: DARKCOMET.EXE
- pid 2296: DARKCOMETRATLAUNCHER.EXE
- pid 2152: HAXIMIZE-V2.0 CRACKED.EXE
- pid 1984: msdcsc.exe
- pid 444: JavaCrashHandle.exe
Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
- pid 1220: attrib.exe
- pid 692: attrib.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Control Panel\International\Geo\Nation (DarkCometRat.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Control Panel\International\Geo\Nation (HAXIMIZE-V2.0 CRACKED.EXE)
- Key value queried: \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Control Panel\International\Geo\Nation (DARKCOMETRATLAUNCHER.EXE)
Windows security modification (2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (HAXIMIZE-V2.0 CRACKED.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (msdcsc.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (iexplore.exe)
Suspicious use of SetThreadContext (1 IoC)
- PID 1984 (msdcsc.exe) set thread context of 3512 (iexplore.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe (1 IoC)
- pid 3324: timeout.exe
Modifies registry class (1 IoC)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (HAXIMIZE-V2.0 CRACKED.EXE)
Suspicious behavior: EnumeratesProcesses (19 IoCs)
- pid 2296: DARKCOMETRATLAUNCHER.EXE (19 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid 3512: iexplore.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- pid 2152 HAXIMIZE-V2.0 CRACKED.EXE, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- pid 1984 msdcsc.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- pid 3512 iexplore.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of FindShellTrayWindow (4 IoCs)
- pid 1340: DARKCOMET.EXE (4 occurrences)
Suspicious use of SendNotifyMessage (3 IoCs)
- pid 1340: DARKCOMET.EXE (3 occurrences)
Suspicious use of SetWindowsHookEx (2 IoCs)
- pid 1340: DARKCOMET.EXE
- pid 3512: iexplore.exe
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 1100 (DarkCometRat.exe) wrote to memory of 1340 (DARKCOMET.EXE), 3 times
- PID 1100 (DarkCometRat.exe) wrote to memory of 2296 (DARKCOMETRATLAUNCHER.EXE), 3 times
- PID 1100 (DarkCometRat.exe) wrote to memory of 2152 (HAXIMIZE-V2.0 CRACKED.EXE), 3 times
- PID 2152 (HAXIMIZE-V2.0 CRACKED.EXE) wrote to memory of 2216 (cmd.exe), 3 times
- PID 2152 (HAXIMIZE-V2.0 CRACKED.EXE) wrote to memory of 3680 (cmd.exe), 3 times
- PID 3680 (cmd.exe) wrote to memory of 692 (attrib.exe), 3 times
- PID 2216 (cmd.exe) wrote to memory of 1220 (attrib.exe), 3 times
- PID 2152 (HAXIMIZE-V2.0 CRACKED.EXE) wrote to memory of 1984 (msdcsc.exe), 3 times
- PID 1984 (msdcsc.exe) wrote to memory of 3512 (iexplore.exe), 5 times
- PID 3512 (iexplore.exe) wrote to memory of 3120 (notepad.exe), 22 times
- PID 2296 (DARKCOMETRATLAUNCHER.EXE) wrote to memory of 3428 (cmd.exe), 3 times
- PID 2296 (DARKCOMETRATLAUNCHER.EXE) wrote to memory of 396 (cmd.exe), 3 times
- PID 3428 (cmd.exe) wrote to memory of 2864 (schtasks.exe), 3 times
- PID 396 (cmd.exe) wrote to memory of 3324 (timeout.exe), 3 times
- PID 396 (cmd.exe) wrote to memory of 444 (JavaCrashHandle.exe), 1 time
Views/modifies file attributes (1 TTPs, 2 IoCs)
- pid 1220: attrib.exe
- pid 692: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DARKCOMET 5.3.1 Fixed\DARKCOMET 5.3.1\DarkCometRat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\DARKCOMET 5.3.1 Fixed\DARKCOMET 5.3.1\DarkCometRat.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DARKCOMET.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\DARKCOMET.EXE"
    signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE"
    signatures: Modifies WinLogon for persistence; Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      signatures: Modifies firewall policy service; Modifies security service; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Windows security modification; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        signatures: Modifies firewall policy service; Modifies security service; Windows security bypass; Disables RegEdit via registry modification; Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\notepad.exe
          command line: notepad
  - C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE
    command line: "C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE"
    signatures: Executes dropped EXE; Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "JavaCrashHandle" /tr '"C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe"' & exit
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /create /f /sc onlogon /rl highest /tn "JavaCrashHandle" /tr '"C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe"'
        signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB28C.tmp.bat""
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe
        command line: timeout 3
        signatures: Delays execution with timeout.exe
      - C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe
        command line: "C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe"
        signatures: Executes dropped EXE
- C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE" +s +h
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\attrib.exe
    command line: attrib "C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE" +s +h
    signatures: Sets file to hidden; Views/modifies file attributes
- C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\attrib.exe
    command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    signatures: Sets file to hidden; Views/modifies file attributes
Downloads
- C:\Users\Admin\AppData\Local\Temp\DARKCOMET.EXE
  Filesize: 11.3MB
  MD5: d761f3aa64064a706a521ba14d0f8741
  SHA1: ab7382bcfdf494d0327fccce9c884592bcc1adeb
  SHA256: 21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6
  SHA512: d2274c03f805a5cd62104492e154fc225c3f6997091accb2f4bff165308fc82ba0d9adf185ec744222bcb4ece08d1ba754a35a2d88c10c5743f4d2e66494377f
- C:\Users\Admin\AppData\Local\Temp\DARKCOMETRATLAUNCHER.EXE
  Filesize: 126KB
  MD5: 3c9ca31b4d07143cc51a965fa8cd7ee8
  SHA1: f1b83c2ba9955c15d2620b73a42ed92db8b49d49
  SHA256: 605264d2d678094d93a7b38c4539cd940fadd22dfd3b79b03a66ba763a6b6e83
  SHA512: 6fad52177e472ed144f1be46a4e5729f04e42774d92531e091f5c99246f170c9057566caa8302f6dd19d1184f1a5073acd0fee952a0ac6b47e21de26611cef1d
- C:\Users\Admin\AppData\Local\Temp\HAXIMIZE-V2.0 CRACKED.EXE
  Filesize: 658KB
  MD5: efa6a56bc92b0d9e88d95bdeae626fca
  SHA1: 99a1864c799f9c79ac646c9bdab868ba55fc7029
  SHA256: d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6
  SHA512: 439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0
- C:\Users\Admin\AppData\Local\Temp\tmpB28C.tmp.bat
  Filesize: 159B
  MD5: bd183659472d47804fe2639af6d276f3
  SHA1: f0d13f86933e9d1a46db89d6884245d7f6965ef3
  SHA256: b7b552a9a6c25761fe1bb544d404895ef6adeea1085b84240c6dffe6a9ceb14a
  SHA512: 5b825154302a6d3efdd3157f8093fc91f5777643c2911bdd81e64a807866524d7b46d858fd97d9220c0c0bc9e9e678949f32872b168e042dfa4efbb30b0e7c43
- C:\Users\Admin\AppData\Roaming\JavaCrashHandle.exe
  Filesize: 126KB
  MD5: 3c9ca31b4d07143cc51a965fa8cd7ee8
  SHA1: f1b83c2ba9955c15d2620b73a42ed92db8b49d49
  SHA256: 605264d2d678094d93a7b38c4539cd940fadd22dfd3b79b03a66ba763a6b6e83
  SHA512: 6fad52177e472ed144f1be46a4e5729f04e42774d92531e091f5c99246f170c9057566caa8302f6dd19d1184f1a5073acd0fee952a0ac6b47e21de26611cef1d
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 658KB
  MD5: efa6a56bc92b0d9e88d95bdeae626fca
  SHA1: 99a1864c799f9c79ac646c9bdab868ba55fc7029
  SHA256: d30b8a8623dc1d194c115a1f6c11552c7e136deeeed5dd93552ce6c83d94c7d6
  SHA512: 439006fe59afbc8402666747c09994493085eba135eeb0fa523c52e3f7a811ee697b40772116155ba338f03b2e67a7f256db8af8dce32b99b36a447a89991be0
- memory/396-151-0x0000000000000000-mapping.dmp
- memory/444-155-0x0000000000000000-mapping.dmp
- memory/692-142-0x0000000000000000-mapping.dmp
- memory/1220-143-0x0000000000000000-mapping.dmp
- memory/1340-130-0x0000000000000000-mapping.dmp
- memory/1984-144-0x0000000000000000-mapping.dmp
- memory/2152-136-0x0000000000000000-mapping.dmp
- memory/2216-140-0x0000000000000000-mapping.dmp
- memory/2296-139-0x00000000002F0000-0x0000000000316000-memory.dmp (Filesize: 152KB)
- memory/2296-149-0x00000000050B0000-0x000000000514C000-memory.dmp (Filesize: 624KB)
- memory/2296-148-0x0000000004C40000-0x0000000004CA6000-memory.dmp (Filesize: 408KB)
- memory/2296-133-0x0000000000000000-mapping.dmp
- memory/2864-153-0x0000000000000000-mapping.dmp
- memory/3120-147-0x0000000000000000-mapping.dmp
- memory/3324-154-0x0000000000000000-mapping.dmp
- memory/3428-150-0x0000000000000000-mapping.dmp
- memory/3680-141-0x0000000000000000-mapping.dmp