darkcomet | e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21

General

Target

e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe
Size

555KB
MD5

0eb34141a4641bfed8aad9ff39e769c0
SHA1

1db95c652b573a812c54f0d43fee28817d001652
SHA256

e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21
SHA512

561aa2635ff79bb88724b38a195faaadb346c5ee4e6bee5f46d7e1bccc511b03edf58885478fd4aa7d8ca0c1f16db15d081440e14cdc70f209d4f1093cc2ad60
SSDEEP

12288:cgztz6C2jce9DKy4bi1De6wW2gIbJl0ekRzO0FzJAdq:F96zRl+d7luVKmUq

Score

10^/10

darkcomet victime evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Victime

C2

taraji19.no-ip.org:81

Mutex

DC_MUTEX-PJKYUUB

Attributes

gencode
7uBzBgo1DC3L
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

cvtres.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	cvtres.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	cvtres.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	cvtres.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

cvtres.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" cvtres.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	cvtres.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	cvtres.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	cvtres.exe

Executes dropped EXE 1 IoCs

Processes:

Tempbackup.exe

pid process

2020 Tempbackup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Tempbackup.exe

description pid process target process

PID 2020 set thread context of 1880 2020 Tempbackup.exe cvtres.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2020 set thread context of 1880	2020	Tempbackup.exe	cvtres.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Tempbackup.exe

pid	process
2020	Tempbackup.exe
2020	Tempbackup.exe
2020	Tempbackup.exe
2020	Tempbackup.exe
2020	Tempbackup.exe
2020	Tempbackup.exe
2020	Tempbackup.exe
2020	Tempbackup.exe
2020	Tempbackup.exe
2020	Tempbackup.exe
2020	Tempbackup.exe
2020	Tempbackup.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

Tempbackup.execvtres.exe

description	pid	process
Token: SeDebugPrivilege	2020	Tempbackup.exe
Token: SeIncreaseQuotaPrivilege	1880	cvtres.exe
Token: SeSecurityPrivilege	1880	cvtres.exe
Token: SeTakeOwnershipPrivilege	1880	cvtres.exe
Token: SeLoadDriverPrivilege	1880	cvtres.exe
Token: SeSystemProfilePrivilege	1880	cvtres.exe
Token: SeSystemtimePrivilege	1880	cvtres.exe
Token: SeProfSingleProcessPrivilege	1880	cvtres.exe
Token: SeIncBasePriorityPrivilege	1880	cvtres.exe
Token: SeCreatePagefilePrivilege	1880	cvtres.exe
Token: SeBackupPrivilege	1880	cvtres.exe
Token: SeRestorePrivilege	1880	cvtres.exe
Token: SeShutdownPrivilege	1880	cvtres.exe
Token: SeDebugPrivilege	1880	cvtres.exe
Token: SeSystemEnvironmentPrivilege	1880	cvtres.exe
Token: SeChangeNotifyPrivilege	1880	cvtres.exe
Token: SeRemoteShutdownPrivilege	1880	cvtres.exe
Token: SeUndockPrivilege	1880	cvtres.exe
Token: SeManageVolumePrivilege	1880	cvtres.exe
Token: SeImpersonatePrivilege	1880	cvtres.exe
Token: SeCreateGlobalPrivilege	1880	cvtres.exe
Token: 33	1880	cvtres.exe
Token: 34	1880	cvtres.exe
Token: 35	1880	cvtres.exe
Token: 36	1880	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cvtres.exe

pid process

1880 cvtres.exe

pid	process
1880	cvtres.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exeTempbackup.exe

description	pid	process	target process
PID 1828 wrote to memory of 2020	1828	e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe	Tempbackup.exe
PID 1828 wrote to memory of 2020	1828	e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe	Tempbackup.exe
PID 1828 wrote to memory of 2020	1828	e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe	Tempbackup.exe
PID 2020 wrote to memory of 1880	2020	Tempbackup.exe	cvtres.exe
PID 2020 wrote to memory of 1880	2020	Tempbackup.exe	cvtres.exe
PID 2020 wrote to memory of 1880	2020	Tempbackup.exe	cvtres.exe
PID 2020 wrote to memory of 1880	2020	Tempbackup.exe	cvtres.exe
PID 2020 wrote to memory of 1880	2020	Tempbackup.exe	cvtres.exe
PID 2020 wrote to memory of 1880	2020	Tempbackup.exe	cvtres.exe
PID 2020 wrote to memory of 1880	2020	Tempbackup.exe	cvtres.exe
PID 2020 wrote to memory of 1880	2020	Tempbackup.exe	cvtres.exe
PID 2020 wrote to memory of 1880	2020	Tempbackup.exe	cvtres.exe
PID 2020 wrote to memory of 1880	2020	Tempbackup.exe	cvtres.exe
PID 2020 wrote to memory of 1880	2020	Tempbackup.exe	cvtres.exe
PID 2020 wrote to memory of 1880	2020	Tempbackup.exe	cvtres.exe
PID 2020 wrote to memory of 1880	2020	Tempbackup.exe	cvtres.exe
PID 2020 wrote to memory of 1880	2020	Tempbackup.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe
"C:\Users\Admin\AppData\Local\Temp\e9ff6f4a20f8f503790936f5a6601d523b0543284d763dedf8525ea5f3ed8e21.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Tempbackup.exe
"C:\Users\Admin\AppData\Local\Tempbackup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

1

T1089

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Tempbackup.exe
Filesize
712KB

MD5
01fbb6e64191fa99010e6b9bd11e5897

SHA1
2c5d27b3c9065bebe9d5f8cda7e45dc63f2b88ef

SHA256
cb38969a8bfb689ead2ffdd11007a96bd5291681f4fa635cd23742332ee79021

SHA512
bfafa4b4eaf70edc5e741db405d6f5a99c7a6e8df909b69d1ec507522a886780275424a5b2fa7a944f3a4af0851947e50ab25b040989113fb024586532161083

Download Submit
C:\Users\Admin\AppData\Local\Tempbackup.exe
Filesize
712KB

MD5
01fbb6e64191fa99010e6b9bd11e5897

SHA1
2c5d27b3c9065bebe9d5f8cda7e45dc63f2b88ef

SHA256
cb38969a8bfb689ead2ffdd11007a96bd5291681f4fa635cd23742332ee79021

SHA512
bfafa4b4eaf70edc5e741db405d6f5a99c7a6e8df909b69d1ec507522a886780275424a5b2fa7a944f3a4af0851947e50ab25b040989113fb024586532161083

Download Submit
memory/1828-136-0x00000000056E0000-0x00000000056EA000-memory.dmp

Filesize
40KB

Download
memory/1828-133-0x0000000005790000-0x000000000582C000-memory.dmp

Filesize
624KB

Download
memory/1828-132-0x0000000000CC0000-0x0000000000D50000-memory.dmp

Filesize
576KB

Download
memory/1828-137-0x0000000005830000-0x0000000005886000-memory.dmp

Filesize
344KB

Download
memory/1828-134-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/1828-135-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/1880-143-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-142-0x0000000000000000-mapping.dmp

Download
memory/1880-144-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-145-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-147-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1880-148-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2020-141-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2020-138-0x0000000000000000-mapping.dmp

Download
memory/2020-146-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads