darkcomet | 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07

Resubmissions

05/02/2025, 07:30

250205-jb9afaxrdl 10

05/02/2025, 07:08

250205-hx7s3axlak 10

01/10/2022, 23:07

221001-235ensceam 10

Analysis

max time kernel
156s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
Size

582KB
MD5

6ee8965f23ab498defe80b79ab2ca52c
SHA1

0d74605007a81bf44052dcf43385b236d9401c66
SHA256

0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07
SHA512

9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3
SSDEEP

12288:3w3BadD1/+wudvYWgktZiE0SJObe2HhcduQ6H6fI:GadVpupYWgktZigsS2Haub6

Score

10^/10

darkcomet dataprotector13.05.2013 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

DataProtector13.05.2013

vierus330.no-ip.org:9751

Mutex

DCMIN_MUTEX-P9NPCV7

Attributes

gencode
Ch5FEfuRL0mp
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\cmiadapter.exe"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
4212	cmiadapter.exe
764	PrintConfig.exe
4864	cmiadapter.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmiadapter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	PrintConfig.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4388 set thread context of 3108	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	89
PID 764 set thread context of 2876	764	PrintConfig.exe	98

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
File created	C:\Windows\assembly\Desktop.ini	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3256	3108	WerFault.exe	89
1536	2876	WerFault.exe	98

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
4212	cmiadapter.exe
4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe
4212	cmiadapter.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
Token: SeDebugPrivilege	4212	cmiadapter.exe
Token: SeDebugPrivilege	764	PrintConfig.exe
Token: SeDebugPrivilege	4864	cmiadapter.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3108	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	89
PID 4388 wrote to memory of 3108	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	89
PID 4388 wrote to memory of 3108	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	89
PID 4388 wrote to memory of 3108	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	89
PID 4388 wrote to memory of 3108	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	89
PID 4388 wrote to memory of 3108	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	89
PID 4388 wrote to memory of 3108	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	89
PID 4388 wrote to memory of 3108	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	89
PID 4388 wrote to memory of 3108	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	89
PID 4388 wrote to memory of 3108	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	89
PID 4388 wrote to memory of 3108	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	89
PID 4388 wrote to memory of 3108	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	89
PID 4388 wrote to memory of 4212	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	92
PID 4388 wrote to memory of 4212	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	92
PID 4388 wrote to memory of 4212	4388	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	92
PID 4212 wrote to memory of 2528	4212	cmiadapter.exe	94
PID 4212 wrote to memory of 2528	4212	cmiadapter.exe	94
PID 4212 wrote to memory of 2528	4212	cmiadapter.exe	94
PID 2528 wrote to memory of 392	2528	cmd.exe	96
PID 2528 wrote to memory of 392	2528	cmd.exe	96
PID 2528 wrote to memory of 392	2528	cmd.exe	96
PID 4212 wrote to memory of 764	4212	cmiadapter.exe	97
PID 4212 wrote to memory of 764	4212	cmiadapter.exe	97
PID 4212 wrote to memory of 764	4212	cmiadapter.exe	97
PID 764 wrote to memory of 2876	764	PrintConfig.exe	98
PID 764 wrote to memory of 2876	764	PrintConfig.exe	98
PID 764 wrote to memory of 2876	764	PrintConfig.exe	98
PID 764 wrote to memory of 2876	764	PrintConfig.exe	98
PID 764 wrote to memory of 2876	764	PrintConfig.exe	98
PID 764 wrote to memory of 2876	764	PrintConfig.exe	98
PID 764 wrote to memory of 2876	764	PrintConfig.exe	98
PID 764 wrote to memory of 2876	764	PrintConfig.exe	98
PID 764 wrote to memory of 2876	764	PrintConfig.exe	98
PID 764 wrote to memory of 2876	764	PrintConfig.exe	98
PID 764 wrote to memory of 2876	764	PrintConfig.exe	98
PID 764 wrote to memory of 2876	764	PrintConfig.exe	98
PID 764 wrote to memory of 4864	764	PrintConfig.exe	101
PID 764 wrote to memory of 4864	764	PrintConfig.exe	101
PID 764 wrote to memory of 4864	764	PrintConfig.exe	101

C:\Users\Admin\AppData\Local\Temp\0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
"C:\Users\Admin\AppData\Local\Temp\0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 524
    3⤵
    - Program crash
    PID:3256
- C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe
  "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
      4⤵
      Modifies WinLogon for persistence
      PID:392
- - C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe
    "C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      4⤵
      PID:2876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 536
        5⤵
        Program crash
        
        PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe
      "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3108 -ip 3108
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2876 -ip 2876
1⤵
PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\cmiadapter.exe.log

Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe

Filesize
582KB

MD5
6ee8965f23ab498defe80b79ab2ca52c

SHA1
0d74605007a81bf44052dcf43385b236d9401c66

SHA256
0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07

SHA512
9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe

Filesize
582KB

MD5
6ee8965f23ab498defe80b79ab2ca52c

SHA1
0d74605007a81bf44052dcf43385b236d9401c66

SHA256
0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07

SHA512
9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe

Filesize
16KB

MD5
c6c51cca0adc05ece4e02e83476a50b9

SHA1
dee0bc2c12ef7e5daec14939556b436d626eff25

SHA256
af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2

SHA512
389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe

Filesize
16KB

MD5
c6c51cca0adc05ece4e02e83476a50b9

SHA1
dee0bc2c12ef7e5daec14939556b436d626eff25

SHA256
af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2

SHA512
389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe

Filesize
16KB

MD5
c6c51cca0adc05ece4e02e83476a50b9

SHA1
dee0bc2c12ef7e5daec14939556b436d626eff25

SHA256
af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2

SHA512
389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0

Download Submit
memory/764-159-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/764-158-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/2876-175-0x0000000000800000-0x00000000008B2000-memory.dmp

Filesize
712KB

Download
memory/2876-174-0x0000000000800000-0x00000000008B2000-memory.dmp

Filesize
712KB

Download
memory/2876-169-0x0000000000800000-0x00000000008B2000-memory.dmp

Filesize
712KB

Download
memory/3108-147-0x0000000000600000-0x00000000006B2000-memory.dmp

Filesize
712KB

Download
memory/3108-141-0x0000000000600000-0x00000000006B2000-memory.dmp

Filesize
712KB

Download
memory/3108-136-0x0000000000600000-0x00000000006B2000-memory.dmp

Filesize
712KB

Download
memory/3108-146-0x0000000000600000-0x00000000006B2000-memory.dmp

Filesize
712KB

Download
memory/4212-151-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/4212-160-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/4212-152-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/4388-161-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/4388-132-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/4388-133-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/4864-179-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/4864-180-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download