darkcomet | b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733

General

Target

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Size

659KB
MD5

ab9f0ba9e9a9f560b1a751753bbda072
SHA1

ab74ddcb47d0f2380f8d6f7033946a0efb57ef05
SHA256

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733
SHA512

86468ae3ea2011aa41ee195e4e3afb5775ddaf346987a9c799e61d5efbc9eea31aab442310417bbbbd1a31fe7cf93d49397ec8f85c732b920c110ad64556114c

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

dark666.ddns.net:4404

Mutex

DC_MUTEX-JEQGQ39

Attributes

InstallPath
MSDCSC\svchost.exe
gencode
sfuC1uourBRa
install
true
offline_keylogger
true
persistence
false
reg_key
svchost

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\svchost.exe"	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

4916 svchost.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4120 attrib.exe
616 attrib.exe

pid	process
4916	svchost.exe

pid	process
4120	attrib.exe
616	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\svchost.exe"	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

4916 svchost.exe

pid	process
4916	svchost.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exesvchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeSecurityPrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeTakeOwnershipPrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeLoadDriverPrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeSystemProfilePrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeSystemtimePrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeProfSingleProcessPrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeIncBasePriorityPrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeCreatePagefilePrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeBackupPrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeRestorePrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeShutdownPrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeDebugPrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeSystemEnvironmentPrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeChangeNotifyPrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeRemoteShutdownPrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeUndockPrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeManageVolumePrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeImpersonatePrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeCreateGlobalPrivilege	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: 33	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: 34	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: 35	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: 36	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeIncreaseQuotaPrivilege	4916	svchost.exe
Token: SeSecurityPrivilege	4916	svchost.exe
Token: SeTakeOwnershipPrivilege	4916	svchost.exe
Token: SeLoadDriverPrivilege	4916	svchost.exe
Token: SeSystemProfilePrivilege	4916	svchost.exe
Token: SeSystemtimePrivilege	4916	svchost.exe
Token: SeProfSingleProcessPrivilege	4916	svchost.exe
Token: SeIncBasePriorityPrivilege	4916	svchost.exe
Token: SeCreatePagefilePrivilege	4916	svchost.exe
Token: SeBackupPrivilege	4916	svchost.exe
Token: SeRestorePrivilege	4916	svchost.exe
Token: SeShutdownPrivilege	4916	svchost.exe
Token: SeDebugPrivilege	4916	svchost.exe
Token: SeSystemEnvironmentPrivilege	4916	svchost.exe
Token: SeChangeNotifyPrivilege	4916	svchost.exe
Token: SeRemoteShutdownPrivilege	4916	svchost.exe
Token: SeUndockPrivilege	4916	svchost.exe
Token: SeManageVolumePrivilege	4916	svchost.exe
Token: SeImpersonatePrivilege	4916	svchost.exe
Token: SeCreateGlobalPrivilege	4916	svchost.exe
Token: 33	4916	svchost.exe
Token: 34	4916	svchost.exe
Token: 35	4916	svchost.exe
Token: 36	4916	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

4916 svchost.exe

pid	process
4916	svchost.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 4084 wrote to memory of 2132	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	cmd.exe
PID 4084 wrote to memory of 2132	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	cmd.exe
PID 4084 wrote to memory of 2132	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	cmd.exe
PID 4084 wrote to memory of 4100	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	cmd.exe
PID 4084 wrote to memory of 4100	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	cmd.exe
PID 4084 wrote to memory of 4100	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	cmd.exe
PID 2132 wrote to memory of 4120	2132	cmd.exe	attrib.exe
PID 2132 wrote to memory of 4120	2132	cmd.exe	attrib.exe
PID 2132 wrote to memory of 4120	2132	cmd.exe	attrib.exe
PID 4100 wrote to memory of 616	4100	cmd.exe	attrib.exe
PID 4100 wrote to memory of 616	4100	cmd.exe	attrib.exe
PID 4100 wrote to memory of 616	4100	cmd.exe	attrib.exe
PID 4084 wrote to memory of 4916	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	svchost.exe
PID 4084 wrote to memory of 4916	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	svchost.exe
PID 4084 wrote to memory of 4916	4084	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	svchost.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe
PID 4916 wrote to memory of 4544	4916	svchost.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4120 attrib.exe
616 attrib.exe

pid	process
4120	attrib.exe
616	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
"C:\Users\Admin\AppData\Local\Temp\b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:616

C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe"
2⤵
- Modifies firewall policy service
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:4544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe
Filesize
659KB

MD5
ab9f0ba9e9a9f560b1a751753bbda072

SHA1
ab74ddcb47d0f2380f8d6f7033946a0efb57ef05

SHA256
b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733

SHA512
86468ae3ea2011aa41ee195e4e3afb5775ddaf346987a9c799e61d5efbc9eea31aab442310417bbbbd1a31fe7cf93d49397ec8f85c732b920c110ad64556114c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe
Filesize
659KB

MD5
ab9f0ba9e9a9f560b1a751753bbda072

SHA1
ab74ddcb47d0f2380f8d6f7033946a0efb57ef05

SHA256
b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733

SHA512
86468ae3ea2011aa41ee195e4e3afb5775ddaf346987a9c799e61d5efbc9eea31aab442310417bbbbd1a31fe7cf93d49397ec8f85c732b920c110ad64556114c

Download Submit
memory/616-133-0x0000000000000000-mapping.dmp

Download
memory/2132-130-0x0000000000000000-mapping.dmp

Download
memory/4100-131-0x0000000000000000-mapping.dmp

Download
memory/4120-132-0x0000000000000000-mapping.dmp

Download
memory/4544-137-0x0000000000000000-mapping.dmp

Download
memory/4916-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads