darkcomet | 5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f

General

Target

5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
Size

860KB
MD5

092b49f0c3b6f861931daa51dee4407f
SHA1

9babf781166b9e361bf42c0ab68da61851e31dc3
SHA256

5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f
SHA512

fd72863c788e282c946ce94e8fa09985565e6e023ea9e0fb91d9ff2469a460ae43e95a61722410d00156e9e448603a494c4b0ad9bb503b72b6c18a52d3b35518
SSDEEP

12288:YLoHy90PuADQPt5tgo5y08XVFstOxfhquCaSX6eg0EkplAWL94IYtndeqgmk2Nm+:HygdMt+08KOhiCqlAWL9dWk+mj2jh

Score

10^/10

darkcomet modiloader persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

4724 svhost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

svhost.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation svhost.exe

pid	process
4724	svhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2792	4724	WerFault.exe	svhost.exe
232	4724	WerFault.exe	svhost.exe
4844	4724	WerFault.exe	svhost.exe
4464	4724	WerFault.exe	svhost.exe

Modifies registry class 1 IoCs

Processes:

svhost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings svhost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svhost.exe

pid process

4724 svhost.exe
4724 svhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	svhost.exe

pid	process
4724	svhost.exe
4724	svhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

svhost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4724	svhost.exe
Token: SeSecurityPrivilege	4724	svhost.exe
Token: SeTakeOwnershipPrivilege	4724	svhost.exe
Token: SeLoadDriverPrivilege	4724	svhost.exe
Token: SeSystemProfilePrivilege	4724	svhost.exe
Token: SeSystemtimePrivilege	4724	svhost.exe
Token: SeProfSingleProcessPrivilege	4724	svhost.exe
Token: SeIncBasePriorityPrivilege	4724	svhost.exe
Token: SeCreatePagefilePrivilege	4724	svhost.exe
Token: SeBackupPrivilege	4724	svhost.exe
Token: SeRestorePrivilege	4724	svhost.exe
Token: SeShutdownPrivilege	4724	svhost.exe
Token: SeDebugPrivilege	4724	svhost.exe
Token: SeSystemEnvironmentPrivilege	4724	svhost.exe
Token: SeChangeNotifyPrivilege	4724	svhost.exe
Token: SeRemoteShutdownPrivilege	4724	svhost.exe
Token: SeUndockPrivilege	4724	svhost.exe
Token: SeManageVolumePrivilege	4724	svhost.exe
Token: SeImpersonatePrivilege	4724	svhost.exe
Token: SeCreateGlobalPrivilege	4724	svhost.exe
Token: 33	4724	svhost.exe
Token: 34	4724	svhost.exe
Token: 35	4724	svhost.exe
Token: 36	4724	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svhost.exe

pid process

4724 svhost.exe

pid	process
4724	svhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exesvhost.exe

description	pid	process	target process
PID 4012 wrote to memory of 4724	4012	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe	svhost.exe
PID 4012 wrote to memory of 4724	4012	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe	svhost.exe
PID 4012 wrote to memory of 4724	4012	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe	svhost.exe
PID 4724 wrote to memory of 1584	4724	svhost.exe	WScript.exe
PID 4724 wrote to memory of 1584	4724	svhost.exe	WScript.exe
PID 4724 wrote to memory of 1584	4724	svhost.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
"C:\Users\Admin\AppData\Local\Temp\5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp3.vbs"
3⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1484
3⤵
- Program crash
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1476
3⤵
- Program crash
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1220
3⤵
- Program crash
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1248
3⤵
- Program crash
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4724 -ip 4724
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4724 -ip 4724
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4724 -ip 4724
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4724 -ip 4724
1⤵
PID:4696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
Filesize
715KB

MD5
7e047d6b75ff28c0bfb5971ea11df4c8

SHA1
9bc13061ac2129117753781c7b31c67facae5d85

SHA256
11d52898b03a6a7d89b849121cc4ae4cfc5ac8f68f70b6bcff7a70f2c58ce8e3

SHA512
13d6777fa90c516a8d8f8e5c76e5e46192a82dc27470369fba2f2c538bc45609a1d089195578355061229761fddfb99add54817bdafd4850e22f3f41753ed224

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
Filesize
715KB

MD5
7e047d6b75ff28c0bfb5971ea11df4c8

SHA1
9bc13061ac2129117753781c7b31c67facae5d85

SHA256
11d52898b03a6a7d89b849121cc4ae4cfc5ac8f68f70b6bcff7a70f2c58ce8e3

SHA512
13d6777fa90c516a8d8f8e5c76e5e46192a82dc27470369fba2f2c538bc45609a1d089195578355061229761fddfb99add54817bdafd4850e22f3f41753ed224

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3.vbs
Filesize
351B

MD5
cbb9d404e8923607d52f5b72f0e6b08a

SHA1
e8823b0e7ec1665c6c80733c699f48c51a2b2c93

SHA256
ac68650090db47c13402db9b9233a25ac7cfc035e8400a8c4d4e6701a483f347

SHA512
f0ecc48bda1982dfc4dd2fc39ad7f5c0c1579f4babe76f30cf63e803601571a6fb4515f94d06bf935bb7a2c1fd17b9bf149d0a8925ec7caf20f5d8104a5117c7

Download Submit
memory/1584-135-0x0000000000000000-mapping.dmp

Download
memory/4724-132-0x0000000000000000-mapping.dmp

Download
memory/4724-137-0x0000000000400000-0x0000000000569C24-memory.dmp

Filesize
1.4MB

Download
memory/4724-138-0x0000000000400000-0x0000000000569C24-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads