darkcomet | dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479

General

Target

dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe
Size

1.4MB
MD5

544f7f5a6d0737a80f746b7a3cb09f40
SHA1

69c2ded66b5b8754f16fdcf47ce98f8921644e52
SHA256

dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479
SHA512

a8e96e06aff26f60deda7a946f0ee36159a9ec89eda0f77fbc7d5f6c01beacdae587bbd56a8f33290a1a16ed7b3b10d5a38a6cabeb4be7c2e3d21eae43204d2b
SSDEEP

24576:3qu7gwCeYC5o1M8gh6hvNKk7mxQbKau5IHvpwppQr2ie6XWC0hhoK:3RmJ6tv3xOi0qgBl50hho

Score

10^/10

darkcomet wrdex persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Wrdex

C2

127.0.0.1:1454

larryking.no-ip.biz:1454

Mutex

DC_MUTEX-7MQCAT1

Attributes

gencode
ujzd2CCjR7AN
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tesc.exe"	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe

Executes dropped EXE 1 IoCs

Processes:

notepad .exe

pid process

1960 notepad .exe

pid	process
1960	notepad .exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe

description	pid	process	target process
PID 1876 set thread context of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe

pid	process
1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe
1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exenotepad .exe

description	pid	process
Token: SeDebugPrivilege	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe
Token: SeIncreaseQuotaPrivilege	1960	notepad .exe
Token: SeSecurityPrivilege	1960	notepad .exe
Token: SeTakeOwnershipPrivilege	1960	notepad .exe
Token: SeLoadDriverPrivilege	1960	notepad .exe
Token: SeSystemProfilePrivilege	1960	notepad .exe
Token: SeSystemtimePrivilege	1960	notepad .exe
Token: SeProfSingleProcessPrivilege	1960	notepad .exe
Token: SeIncBasePriorityPrivilege	1960	notepad .exe
Token: SeCreatePagefilePrivilege	1960	notepad .exe
Token: SeBackupPrivilege	1960	notepad .exe
Token: SeRestorePrivilege	1960	notepad .exe
Token: SeShutdownPrivilege	1960	notepad .exe
Token: SeDebugPrivilege	1960	notepad .exe
Token: SeSystemEnvironmentPrivilege	1960	notepad .exe
Token: SeChangeNotifyPrivilege	1960	notepad .exe
Token: SeRemoteShutdownPrivilege	1960	notepad .exe
Token: SeUndockPrivilege	1960	notepad .exe
Token: SeManageVolumePrivilege	1960	notepad .exe
Token: SeImpersonatePrivilege	1960	notepad .exe
Token: SeCreateGlobalPrivilege	1960	notepad .exe
Token: 33	1960	notepad .exe
Token: 34	1960	notepad .exe
Token: 35	1960	notepad .exe
Token: 36	1960	notepad .exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

notepad .exe

pid process

1960 notepad .exe

pid	process
1960	notepad .exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.execmd.exewscript.exe

description	pid	process	target process
PID 1876 wrote to memory of 3688	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	cmd.exe
PID 1876 wrote to memory of 3688	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	cmd.exe
PID 1876 wrote to memory of 3688	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	cmd.exe
PID 3688 wrote to memory of 1352	3688	cmd.exe	wscript.exe
PID 3688 wrote to memory of 1352	3688	cmd.exe	wscript.exe
PID 3688 wrote to memory of 1352	3688	cmd.exe	wscript.exe
PID 1876 wrote to memory of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe
PID 1876 wrote to memory of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe
PID 1876 wrote to memory of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe
PID 1876 wrote to memory of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe
PID 1876 wrote to memory of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe
PID 1876 wrote to memory of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe
PID 1876 wrote to memory of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe
PID 1876 wrote to memory of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe
PID 1876 wrote to memory of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe
PID 1876 wrote to memory of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe
PID 1876 wrote to memory of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe
PID 1876 wrote to memory of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe
PID 1876 wrote to memory of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe
PID 1876 wrote to memory of 1960	1876	dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe	notepad .exe
PID 1352 wrote to memory of 4932	1352	wscript.exe	cmd.exe
PID 1352 wrote to memory of 4932	1352	wscript.exe	cmd.exe
PID 1352 wrote to memory of 4932	1352	wscript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe
"C:\Users\Admin\AppData\Local\Temp\dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\mata2.bat
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mata2.bat" "
4⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\notepad .exe
"C:\Users\Admin\AppData\Local\Temp\notepad .exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mata.bat

Filesize
47B

MD5
58c538a6ae20a3c6031217903cdf8e5d

SHA1
399fd50eadf4945b665877facfc4f53d16e18b1e

SHA256
6bcc0e04d9bc32209d90a65c320dc6363e523dd94b38b17bcdc5b980b6405f53

SHA512
c01828a5390fec3443e19d317137ae873de77c7737db7802650430e6a0a1edbd3aabe362903243b372536418fbd8482c2a6efd122d853744a41ade567956c359

Download Submit
C:\Users\Admin\AppData\Local\Temp\mata2.bat

Filesize
47B

MD5
78ec439c3e817e200125f76a92e87b25

SHA1
0e07e9ce05340f73269ea8c5242848323c0e4c3d

SHA256
7c1fff1072e6022befb4436e3b2ad704d6f13327e60fdc787e40346a40cdde17

SHA512
00b401f41eb23d9910c2e6497197784cfbb76852e0e9beaea531a3cffb67b19b52447ecc88e770afce1ad074da85e6d2d49de54ce7015e7c2de24aeaa0e87396

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
57KB

MD5
454501a66ad6e85175a6757573d79f8b

SHA1
8ca96c61f26a640a5b1b1152d055260b9d43e308

SHA256
7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

SHA512
9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
57KB

MD5
454501a66ad6e85175a6757573d79f8b

SHA1
8ca96c61f26a640a5b1b1152d055260b9d43e308

SHA256
7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

SHA512
9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll11-.txt

Filesize
1.4MB

MD5
544f7f5a6d0737a80f746b7a3cb09f40

SHA1
69c2ded66b5b8754f16fdcf47ce98f8921644e52

SHA256
dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479

SHA512
a8e96e06aff26f60deda7a946f0ee36159a9ec89eda0f77fbc7d5f6c01beacdae587bbd56a8f33290a1a16ed7b3b10d5a38a6cabeb4be7c2e3d21eae43204d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesc.exe

Filesize
1.4MB

MD5
544f7f5a6d0737a80f746b7a3cb09f40

SHA1
69c2ded66b5b8754f16fdcf47ce98f8921644e52

SHA256
dceb61f8153519337f35a04fc46c4aa09945318cf4d0630abb942ac035369479

SHA512
a8e96e06aff26f60deda7a946f0ee36159a9ec89eda0f77fbc7d5f6c01beacdae587bbd56a8f33290a1a16ed7b3b10d5a38a6cabeb4be7c2e3d21eae43204d2b

Download Submit
memory/1352-136-0x0000000000000000-mapping.dmp

Download
memory/1876-132-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/1876-133-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/1876-150-0x0000000074860000-0x0000000074E11000-memory.dmp

Filesize
5.7MB

Download
memory/1960-137-0x0000000000000000-mapping.dmp

Download
memory/1960-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1960-145-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1960-146-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1960-148-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3688-134-0x0000000000000000-mapping.dmp

Download
memory/4932-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads