darkcomet | 82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec

General

Target

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Size

764KB
MD5

72424af22fd4bda472713106e905af9b
SHA1

f2e8e93369c973daad899265d4308fd195a3ac28
SHA256

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec
SHA512

4b3285af8793e71d58e91d2abfa76bbab4bf7e6e3d7035686f2af98d5b5950fdc551fab78654067b90c580a69f1c9fc78067e34517e47b4d20b2ebc23711bdc2
SSDEEP

12288:hYmt0E2jF7bXNbG8a31+r+4jFn3udW5yDSNrSgXmtLc8/NU:hYFE2jNb9bGgjJemRX7mN

Score

10^/10

darkcomet 829 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

829

C2

kelgr95167.crabdance.com:4390

kelgr95167.crabdance.com:4391

Mutex

DC_MUTEX-RJ23YU3

Attributes

gencode
cGAxaBVeCxjm
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IjqlzCUk\\UQNF1Xp.exe,explorer.exe"	reg.exe

Executes dropped EXE 1 IoCs

Processes:

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

pid process

3056 82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

pid	process
3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

description	pid	process	target process
PID 1688 set thread context of 3056	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

pid	process
1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

description	pid	process
Token: SeDebugPrivilege	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeIncreaseQuotaPrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeSecurityPrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeTakeOwnershipPrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeLoadDriverPrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeSystemProfilePrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeSystemtimePrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeProfSingleProcessPrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeIncBasePriorityPrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeCreatePagefilePrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeBackupPrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeRestorePrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeShutdownPrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeDebugPrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeSystemEnvironmentPrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeChangeNotifyPrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeRemoteShutdownPrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeUndockPrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeManageVolumePrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeImpersonatePrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: SeCreateGlobalPrivilege	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: 33	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: 34	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: 35	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
Token: 36	3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

pid process

3056 82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

pid	process
3056	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.execmd.exe

C:\Users\Admin\AppData\Local\Temp\82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
"C:\Users\Admin\AppData\Local\Temp\82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IjqlzCUk\UQNF1Xp.exe,explorer.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IjqlzCUk\UQNF1Xp.exe,explorer.exe"
3⤵
- Modifies WinLogon for persistence
PID:2252

C:\Users\Admin\AppData\Local\Temp\82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
"C:\Users\Admin\AppData\Local\Temp\82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Filesize
764KB

MD5
72424af22fd4bda472713106e905af9b

SHA1
f2e8e93369c973daad899265d4308fd195a3ac28

SHA256
82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec

SHA512
4b3285af8793e71d58e91d2abfa76bbab4bf7e6e3d7035686f2af98d5b5950fdc551fab78654067b90c580a69f1c9fc78067e34517e47b4d20b2ebc23711bdc2

Download Submit
memory/628-134-0x0000000000000000-mapping.dmp

Download
memory/1688-132-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/1688-133-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/1688-141-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/2252-135-0x0000000000000000-mapping.dmp

Download
memory/3056-136-0x0000000000000000-mapping.dmp

Download
memory/3056-137-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3056-139-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3056-140-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3056-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3056-143-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

description	pid	process	target process
PID 1688 wrote to memory of 628	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	cmd.exe
PID 1688 wrote to memory of 628	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	cmd.exe
PID 1688 wrote to memory of 628	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	cmd.exe
PID 628 wrote to memory of 2252	628	cmd.exe	reg.exe
PID 628 wrote to memory of 2252	628	cmd.exe	reg.exe
PID 628 wrote to memory of 2252	628	cmd.exe	reg.exe
PID 1688 wrote to memory of 3056	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1688 wrote to memory of 3056	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1688 wrote to memory of 3056	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1688 wrote to memory of 3056	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1688 wrote to memory of 3056	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1688 wrote to memory of 3056	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1688 wrote to memory of 3056	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1688 wrote to memory of 3056	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1688 wrote to memory of 3056	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1688 wrote to memory of 3056	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1688 wrote to memory of 3056	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe
PID 1688 wrote to memory of 3056	1688	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe	82d559a7e5b90b8c3844f5405388f31501d03771535ad69ec3b24f30f473e6ec.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads