darkcomet | 2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2

General

Target

2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Size

452KB
MD5

7de9787876d0ecb71648f25bd1e5fc51
SHA1

2bc2b1a2977b64eb22d069941a45abfe04d44622
SHA256

2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2
SHA512

347a214a9cfbbd799e1a0f11568959884909d9dbd9bafd8302859af9ab7c5a2bb5328a1f28260b1839f1dd6952197e02bd75cd5a09dec4026181857d8b2b4bc9
SSDEEP

12288:6M5tnmfeuL8U3yoWwYLtfCgaNiAY8lIkd+:6M5p2nL8A8wYLgFNfj

Score

10^/10

darkcomet suretey persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

suretey

C2

kaspanet.jed-group.com:1660

Mutex

DC_MUTEX-DW9F7R5

Attributes

gencode
gagSQD1wwynQ
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\SunJava\\JavaUpdata.exe"	reg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3028-135-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3028-136-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3028-137-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3028-138-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3028-141-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3028-144-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe

description	pid	process	target process
PID 3388 set thread context of 3028	3388	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeSecurityPrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeTakeOwnershipPrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeLoadDriverPrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeSystemProfilePrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeSystemtimePrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeProfSingleProcessPrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeIncBasePriorityPrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeCreatePagefilePrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeBackupPrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeRestorePrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeShutdownPrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeDebugPrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeSystemEnvironmentPrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeChangeNotifyPrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeRemoteShutdownPrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeUndockPrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeManageVolumePrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeImpersonatePrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: SeCreateGlobalPrivilege	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: 33	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: 34	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: 35	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
Token: 36	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe

pid process

3028 2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe

pid	process
3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.execmd.exe

description	pid	process	target process
PID 3388 wrote to memory of 3028	3388	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
PID 3388 wrote to memory of 3028	3388	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
PID 3388 wrote to memory of 3028	3388	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
PID 3388 wrote to memory of 3028	3388	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
PID 3388 wrote to memory of 3028	3388	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
PID 3388 wrote to memory of 3028	3388	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
PID 3388 wrote to memory of 3028	3388	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3028 wrote to memory of 4060	3028	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	notepad.exe
PID 3388 wrote to memory of 1444	3388	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	cmd.exe
PID 3388 wrote to memory of 1444	3388	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	cmd.exe
PID 3388 wrote to memory of 1444	3388	2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe	cmd.exe
PID 1444 wrote to memory of 3064	1444	cmd.exe	reg.exe
PID 1444 wrote to memory of 3064	1444	cmd.exe	reg.exe
PID 1444 wrote to memory of 3064	1444	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
"C:\Users\Admin\AppData\Local\Temp\2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3388

C:\Users\Admin\AppData\Local\Temp\2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe
"C:\Users\Admin\AppData\Local\Temp\2702fe34d53dde360af4c114c0ad0d458b2c9ae9500c42c8354d8e57edce74a2.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Roaming\SunJava\JavaUpdata.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Roaming\SunJava\JavaUpdata.exe"
3⤵
- Modifies WinLogon for persistence
PID:3064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1444-140-0x0000000000000000-mapping.dmp

Download
memory/3028-138-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3028-134-0x0000000000000000-mapping.dmp

Download
memory/3028-135-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3028-136-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3028-137-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3028-141-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3028-144-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3064-142-0x0000000000000000-mapping.dmp

Download
memory/3388-132-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3388-133-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/3388-143-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download
memory/4060-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads