darkcomet | dc4961228ae1158818c242e7e9d5e90e4412996dda31d132f96f010b0be4594b

Analysis

max time kernel
281s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO#234323.exe
Size

2.1MB
MD5

23985d8d800a7b82901526105f9c69bc
SHA1

41fb548fddd05c635321c380bf4440688477f9eb
SHA256

6a670d879fe45e275fcead9a363535b899873835231cfbb051c55671b9f9753a
SHA512

49df2f83485f0d15c8717b804d19e5fd79e2f76f02e0ea7c839d4363b89de9eb9968392b3459dd1c17409291d69fe91d5426ab74b0fd71155684e2315823d165
SSDEEP

49152:taxIVry0xxf/AlgRKGY3ZXfxwlPs7IJVDVmLRzZj90w84aLuGv:ta2Fy0xxQI3oXjvouGv

Score

10^/10

darkcomet isrstealer guest16 rat stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

173.254.223.124 :2556

Mutex

DC_MUTEX-4RW38P4

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
GRBqclq1WLRg
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3828-150-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3828-160-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3828-169-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral2/memory/3828-171-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

Executes dropped EXE 8 IoCs

Processes:

Purchase DOCUMENT.exeSample.exe547.exe547.exeSample.exePurchase DOCUMENT.exePurchase DOCUMENT.exeSample.exe

pid	process
4444	Purchase DOCUMENT.exe
1872	Sample.exe
1568	547.exe
4744	547.exe
3828	Sample.exe
4180	Purchase DOCUMENT.exe
4996	Purchase DOCUMENT.exe
4152	Sample.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4152-166-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4152-170-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4152-172-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/4152-173-0x0000000000400000-0x0000000000453000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Sample.exePurchase DOCUMENT.exePO#234323.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Sample.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Purchase DOCUMENT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	PO#234323.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Sample.exePurchase DOCUMENT.exeSample.exe

description	pid	process	target process
PID 1872 set thread context of 3828	1872	Sample.exe	Sample.exe
PID 4444 set thread context of 4996	4444	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 3828 set thread context of 4152	3828	Sample.exe	Sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Purchase DOCUMENT.exe

pid process

4444 Purchase DOCUMENT.exe
4444 Purchase DOCUMENT.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase DOCUMENT.exeSample.exe

description pid process

Token: SeDebugPrivilege 4444 Purchase DOCUMENT.exe
Token: SeDebugPrivilege 1872 Sample.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Sample.exe

pid process

3828 Sample.exe

description	pid	process
Token: SeDebugPrivilege	4444	Purchase DOCUMENT.exe
Token: SeDebugPrivilege	1872	Sample.exe

pid	process
3828	Sample.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

PO#234323.exeSample.exePurchase DOCUMENT.exeSample.exe

description	pid	process	target process
PID 2152 wrote to memory of 4444	2152	PO#234323.exe	Purchase DOCUMENT.exe
PID 2152 wrote to memory of 4444	2152	PO#234323.exe	Purchase DOCUMENT.exe
PID 2152 wrote to memory of 4444	2152	PO#234323.exe	Purchase DOCUMENT.exe
PID 2152 wrote to memory of 1872	2152	PO#234323.exe	Sample.exe
PID 2152 wrote to memory of 1872	2152	PO#234323.exe	Sample.exe
PID 2152 wrote to memory of 1872	2152	PO#234323.exe	Sample.exe
PID 1872 wrote to memory of 1568	1872	Sample.exe	547.exe
PID 1872 wrote to memory of 1568	1872	Sample.exe	547.exe
PID 1872 wrote to memory of 1568	1872	Sample.exe	547.exe
PID 4444 wrote to memory of 4744	4444	Purchase DOCUMENT.exe	547.exe
PID 4444 wrote to memory of 4744	4444	Purchase DOCUMENT.exe	547.exe
PID 4444 wrote to memory of 4744	4444	Purchase DOCUMENT.exe	547.exe
PID 1872 wrote to memory of 3828	1872	Sample.exe	Sample.exe
PID 1872 wrote to memory of 3828	1872	Sample.exe	Sample.exe
PID 1872 wrote to memory of 3828	1872	Sample.exe	Sample.exe
PID 4444 wrote to memory of 4180	4444	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 4444 wrote to memory of 4180	4444	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 4444 wrote to memory of 4180	4444	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 1872 wrote to memory of 3828	1872	Sample.exe	Sample.exe
PID 1872 wrote to memory of 3828	1872	Sample.exe	Sample.exe
PID 1872 wrote to memory of 3828	1872	Sample.exe	Sample.exe
PID 1872 wrote to memory of 3828	1872	Sample.exe	Sample.exe
PID 4444 wrote to memory of 4996	4444	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 4444 wrote to memory of 4996	4444	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 4444 wrote to memory of 4996	4444	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 4444 wrote to memory of 4996	4444	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 4444 wrote to memory of 4996	4444	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 4444 wrote to memory of 4996	4444	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 4444 wrote to memory of 4996	4444	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 4444 wrote to memory of 4996	4444	Purchase DOCUMENT.exe	Purchase DOCUMENT.exe
PID 3828 wrote to memory of 4152	3828	Sample.exe	Sample.exe
PID 3828 wrote to memory of 4152	3828	Sample.exe	Sample.exe
PID 3828 wrote to memory of 4152	3828	Sample.exe	Sample.exe
PID 3828 wrote to memory of 4152	3828	Sample.exe	Sample.exe
PID 3828 wrote to memory of 4152	3828	Sample.exe	Sample.exe
PID 3828 wrote to memory of 4152	3828	Sample.exe	Sample.exe
PID 3828 wrote to memory of 4152	3828	Sample.exe	Sample.exe
PID 3828 wrote to memory of 4152	3828	Sample.exe	Sample.exe

C:\Users\Admin\AppData\Local\Temp\PO#234323.exe
"C:\Users\Admin\AppData\Local\Temp\PO#234323.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\547.exe
    "C:\Users\Admin\AppData\Local\Temp\547.exe"
    3⤵
    - Executes dropped EXE
    PID:4744
- - C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe"
    3⤵
    - Executes dropped EXE
    PID:4180
- - C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe"
    3⤵
    - Executes dropped EXE
    PID:4996
- C:\Users\Admin\AppData\Local\Temp\Sample.exe
  "C:\Users\Admin\AppData\Local\Temp\Sample.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Users\Admin\AppData\Local\Temp\547.exe
    "C:\Users\Admin\AppData\Local\Temp\547.exe"
    3⤵
    - Executes dropped EXE
    PID:1568
- - C:\Users\Admin\AppData\Local\Temp\Sample.exe
    "C:\Users\Admin\AppData\Local\Temp\Sample.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Users\Admin\AppData\Local\Temp\Sample.exe
      /scomma "C:\Users\Admin\AppData\Local\Temp\4uYZIman4P.ini"
      4⤵
      Executes dropped EXE
      PID:4152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\547.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\547.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\547.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\547.exe

Filesize
690KB

MD5
4ce43047f83291f0289459da6890118f

SHA1
901b58e1549488f2be634099dc1d614f503d18c6

SHA256
6438a2d3f09f68ac4e4a5b58c06630f39866c676fcbcc20ad20b298bd3a1fa66

SHA512
36e1efcdf4039c5670c4042fa536775f2f8202084801c3e158247859dbf1835b79837a6c2934402d37244b4c37d119cd73c6d300eacca226d22f16ec9155a968

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purchase DOCUMENT.exe

Filesize
775KB

MD5
0dbeb3307285753b4340481d615015a8

SHA1
682cb5af6ffa7c1748aaf138e9d0d8212fe976ce

SHA256
f474280a8b2f6f8665af5c37bda7cbf86b38b5ba9b814f82fd4a5462656d1bec

SHA512
e31445cf8bfa84d2b529af617423998c9a487b99846e755700e6a5f9b9322933e25d2b3781caa16d96d9c425bae85b3b15d5523ce225d333ca02aa08026e29a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.exe

Filesize
964KB

MD5
131ab6f47feafee7264fe1327149f478

SHA1
a47dc2fcde03039d8fbadda460bb9dffe0744d3d

SHA256
59141e1289f77c5f53cef07bd4a943e515913329af70b46a79581626f172c0d2

SHA512
2c1d792108171573a386c3cb56ed4a8501757c8fc719b7b2aa5e0b20d5861bbf1b8ff432ebeba3305798fc8ca4a0eec056f166d77ec1d844d0eb71f37fb2b7d5

Download Submit
memory/1568-144-0x0000000000000000-mapping.dmp

Download
memory/1872-141-0x0000000073630000-0x0000000073BE1000-memory.dmp

Filesize
5.7MB

Download
memory/1872-159-0x0000000073630000-0x0000000073BE1000-memory.dmp

Filesize
5.7MB

Download
memory/1872-139-0x0000000073630000-0x0000000073BE1000-memory.dmp

Filesize
5.7MB

Download
memory/1872-135-0x0000000000000000-mapping.dmp

Download
memory/3828-150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3828-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3828-148-0x0000000000000000-mapping.dmp

Download
memory/3828-171-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3828-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4152-166-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4152-170-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4152-173-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4152-172-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4152-165-0x0000000000000000-mapping.dmp

Download
memory/4180-149-0x0000000000000000-mapping.dmp

Download
memory/4444-158-0x0000000073630000-0x0000000073BE1000-memory.dmp

Filesize
5.7MB

Download
memory/4444-140-0x0000000073630000-0x0000000073BE1000-memory.dmp

Filesize
5.7MB

Download
memory/4444-132-0x0000000000000000-mapping.dmp

Download
memory/4444-138-0x0000000073630000-0x0000000073BE1000-memory.dmp

Filesize
5.7MB

Download
memory/4744-145-0x0000000000000000-mapping.dmp

Download
memory/4996-154-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4996-153-0x0000000000000000-mapping.dmp

Download
memory/4996-163-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4996-161-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download