darkcomet | 6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f

General

Target

6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Size

690KB
MD5

f3e32c779b5a58213a677ac48de9fa81
SHA1

5f702f105dea53d7de6b0c18ea68fa138d6cc850
SHA256

6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f
SHA512

42d86c6cb1681ac51d47ae2ad3cb642f12d4a5984d6d9ad182047cac4e3fbb40d46bf6689e659ae168782775d797e4b6f682de93f24385a6e70876fb4715908c
SSDEEP

12288:G9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyFqNp:iiBIGkbxqEcjsWiDxguehC2ST

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

46.119.167.97:1604

Mutex

DC_MUTEX-AUY6MJH

Attributes

InstallPath
windowslogon.exe
gencode
jkazcn7pg5c1
install
true
offline_keylogger
true
persistence
false
reg_key
windowslogon.exe

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\windowslogon.exe"	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

windowslogon.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	windowslogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	windowslogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	windowslogon.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

windowslogon.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" windowslogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	windowslogon.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

windowslogon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	windowslogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	windowslogon.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

windowslogon.exe

pid process

3128 windowslogon.exe

pid	process
3128	windowslogon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

windowslogon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	windowslogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	windowslogon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowslogon.exe = "C:\\Windows\\system32\\windowslogon.exe"	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe

Drops file in System32 directory 3 IoCs

Processes:

6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
File created	C:\Windows\SysWOW64\windowslogon.exe	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
File opened for modification	C:\Windows\SysWOW64\windowslogon.exe	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

windowslogon.exe

pid process

3128 windowslogon.exe

pid	process
3128	windowslogon.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exewindowslogon.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeSecurityPrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeTakeOwnershipPrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeLoadDriverPrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeSystemProfilePrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeSystemtimePrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeProfSingleProcessPrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeIncBasePriorityPrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeCreatePagefilePrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeBackupPrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeRestorePrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeShutdownPrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeDebugPrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeSystemEnvironmentPrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeChangeNotifyPrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeRemoteShutdownPrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeUndockPrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeManageVolumePrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeImpersonatePrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeCreateGlobalPrivilege	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: 33	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: 34	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: 35	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: 36	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
Token: SeIncreaseQuotaPrivilege	3128	windowslogon.exe
Token: SeSecurityPrivilege	3128	windowslogon.exe
Token: SeTakeOwnershipPrivilege	3128	windowslogon.exe
Token: SeLoadDriverPrivilege	3128	windowslogon.exe
Token: SeSystemProfilePrivilege	3128	windowslogon.exe
Token: SeSystemtimePrivilege	3128	windowslogon.exe
Token: SeProfSingleProcessPrivilege	3128	windowslogon.exe
Token: SeIncBasePriorityPrivilege	3128	windowslogon.exe
Token: SeCreatePagefilePrivilege	3128	windowslogon.exe
Token: SeBackupPrivilege	3128	windowslogon.exe
Token: SeRestorePrivilege	3128	windowslogon.exe
Token: SeShutdownPrivilege	3128	windowslogon.exe
Token: SeDebugPrivilege	3128	windowslogon.exe
Token: SeSystemEnvironmentPrivilege	3128	windowslogon.exe
Token: SeChangeNotifyPrivilege	3128	windowslogon.exe
Token: SeRemoteShutdownPrivilege	3128	windowslogon.exe
Token: SeUndockPrivilege	3128	windowslogon.exe
Token: SeManageVolumePrivilege	3128	windowslogon.exe
Token: SeImpersonatePrivilege	3128	windowslogon.exe
Token: SeCreateGlobalPrivilege	3128	windowslogon.exe
Token: 33	3128	windowslogon.exe
Token: 34	3128	windowslogon.exe
Token: 35	3128	windowslogon.exe
Token: 36	3128	windowslogon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

windowslogon.exe

pid process

3128 windowslogon.exe

pid	process
3128	windowslogon.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe

description	pid	process	target process
PID 3372 wrote to memory of 3128	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe	windowslogon.exe
PID 3372 wrote to memory of 3128	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe	windowslogon.exe
PID 3372 wrote to memory of 3128	3372	6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe	windowslogon.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

windowslogon.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	windowslogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	windowslogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	windowslogon.exe

C:\Users\Admin\AppData\Local\Temp\6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe
"C:\Users\Admin\AppData\Local\Temp\6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\windowslogon.exe
"C:\Windows\system32\windowslogon.exe"
2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\windowslogon.exe

Filesize
690KB

MD5
f3e32c779b5a58213a677ac48de9fa81

SHA1
5f702f105dea53d7de6b0c18ea68fa138d6cc850

SHA256
6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f

SHA512
42d86c6cb1681ac51d47ae2ad3cb642f12d4a5984d6d9ad182047cac4e3fbb40d46bf6689e659ae168782775d797e4b6f682de93f24385a6e70876fb4715908c

Download Submit
C:\Windows\SysWOW64\windowslogon.exe

Filesize
690KB

MD5
f3e32c779b5a58213a677ac48de9fa81

SHA1
5f702f105dea53d7de6b0c18ea68fa138d6cc850

SHA256
6cf2b3bc154cbcb50c6d065c6422880736a92d8ca80a553621da67488943717f

SHA512
42d86c6cb1681ac51d47ae2ad3cb642f12d4a5984d6d9ad182047cac4e3fbb40d46bf6689e659ae168782775d797e4b6f682de93f24385a6e70876fb4715908c

Download Submit
memory/3128-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads