darkcomet | e1a6613e77f8ae19a017d42d99a2b4b51e2e4a91b6c8105cc9d50d1d9de947e8

General

Target

e1a6613e77f8ae19a017d42d99a2b4b51e2e4a91b6c8105cc9d50d1d9de947e8.exe
Size

1.4MB
MD5

f4fc3c0fcab1840be2093e33ae66a018
SHA1

30e9c92e50cc7c2a7ed8b0feb108517d407e73a0
SHA256

e1a6613e77f8ae19a017d42d99a2b4b51e2e4a91b6c8105cc9d50d1d9de947e8
SHA512

d12d34a9b9a42ffc84c3a5e5ec3d1c738cf00de6a0142ba3d2621afbd1493bed7063f0f06257c5c12b7b8e8404ad410c67cef4746ee87d2b2825105d3169bb57
SSDEEP

24576:/2O/GlWvLA3yu7lhlHkNtHAsfQ5z798aQgMCa84e8XHXKkX:3UCu7l8NbfQ539oNCa8+3xX

Score

10^/10

darkcomet newest7 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Newest7

C2

kitx1029.ddns.net:9001

Mutex

DC_MUTEX-XL4JBP8

Attributes

gencode
QnmjhyVmSgKB
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

dwm.exe

pid process

4140 dwm.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e1a6613e77f8ae19a017d42d99a2b4b51e2e4a91b6c8105cc9d50d1d9de947e8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	e1a6613e77f8ae19a017d42d99a2b4b51e2e4a91b6c8105cc9d50d1d9de947e8.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dwm.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\f6p73ho8b2z = "C:\\Users\\Admin\\f6p73ho8b2z\\qlgb.vbs"	dwm.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	dwm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

dwm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dwm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dwm.exe

description pid process target process

PID 4140 set thread context of 1412 4140 dwm.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

description	pid	process	target process
PID 4140 set thread context of 1412	4140	dwm.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dwm.exe

pid	process
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe
4140	dwm.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

RegSvcs.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1412	RegSvcs.exe
Token: SeSecurityPrivilege	1412	RegSvcs.exe
Token: SeTakeOwnershipPrivilege	1412	RegSvcs.exe
Token: SeLoadDriverPrivilege	1412	RegSvcs.exe
Token: SeSystemProfilePrivilege	1412	RegSvcs.exe
Token: SeSystemtimePrivilege	1412	RegSvcs.exe
Token: SeProfSingleProcessPrivilege	1412	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1412	RegSvcs.exe
Token: SeCreatePagefilePrivilege	1412	RegSvcs.exe
Token: SeBackupPrivilege	1412	RegSvcs.exe
Token: SeRestorePrivilege	1412	RegSvcs.exe
Token: SeShutdownPrivilege	1412	RegSvcs.exe
Token: SeDebugPrivilege	1412	RegSvcs.exe
Token: SeSystemEnvironmentPrivilege	1412	RegSvcs.exe
Token: SeChangeNotifyPrivilege	1412	RegSvcs.exe
Token: SeRemoteShutdownPrivilege	1412	RegSvcs.exe
Token: SeUndockPrivilege	1412	RegSvcs.exe
Token: SeManageVolumePrivilege	1412	RegSvcs.exe
Token: SeImpersonatePrivilege	1412	RegSvcs.exe
Token: SeCreateGlobalPrivilege	1412	RegSvcs.exe
Token: 33	1412	RegSvcs.exe
Token: 34	1412	RegSvcs.exe
Token: 35	1412	RegSvcs.exe
Token: 36	1412	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

1412 RegSvcs.exe

pid	process
1412	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e1a6613e77f8ae19a017d42d99a2b4b51e2e4a91b6c8105cc9d50d1d9de947e8.exedwm.exe

description	pid	process	target process
PID 1712 wrote to memory of 4140	1712	e1a6613e77f8ae19a017d42d99a2b4b51e2e4a91b6c8105cc9d50d1d9de947e8.exe	dwm.exe
PID 1712 wrote to memory of 4140	1712	e1a6613e77f8ae19a017d42d99a2b4b51e2e4a91b6c8105cc9d50d1d9de947e8.exe	dwm.exe
PID 1712 wrote to memory of 4140	1712	e1a6613e77f8ae19a017d42d99a2b4b51e2e4a91b6c8105cc9d50d1d9de947e8.exe	dwm.exe
PID 4140 wrote to memory of 1412	4140	dwm.exe	RegSvcs.exe
PID 4140 wrote to memory of 1412	4140	dwm.exe	RegSvcs.exe
PID 4140 wrote to memory of 1412	4140	dwm.exe	RegSvcs.exe
PID 4140 wrote to memory of 1412	4140	dwm.exe	RegSvcs.exe
PID 4140 wrote to memory of 1412	4140	dwm.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\e1a6613e77f8ae19a017d42d99a2b4b51e2e4a91b6c8105cc9d50d1d9de947e8.exe
"C:\Users\Admin\AppData\Local\Temp\e1a6613e77f8ae19a017d42d99a2b4b51e2e4a91b6c8105cc9d50d1d9de947e8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\f6p73ho8b2z\dwm.exe
"C:\Users\Admin\f6p73ho8b2z\dwm.exe" tLbTonzIG.RZY
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\F6P73H~1\kIfHsGR.IWB

Filesize
144B

MD5
391330e11eac5aa0caa10f9c1dd5d57a

SHA1
0bd0d110ba3aa8b42b545084ecc77fbd39b043e8

SHA256
51fc195e5eb649637fb1a301c6f4ec54c2beb4477bb3d7f0dc7356b4f4ff3c3f

SHA512
2f39c80aaeffddbefe1697c143e967e782d926f54b6f9867bccb024660be7e4638667b48784e75ed58249e6a9dc467e37da75b630525d983c44af8e645d906fc

Download Submit
C:\Users\Admin\F6P73H~1\zBqRS.HZH

Filesize
658KB

MD5
ef8d41120b728cd77a8f9ff6f152da00

SHA1
cabe3ad2c8142796a544808103100e86c50f6457

SHA256
fbcefd0fc0d374b8f7702d3748e3894e69b5733804ecd2997ca624e8d9e15c67

SHA512
fd4314a6b2ac71a2bc325036fea3814b4ce5b842b346744f4dcb22c14131198d2d145680684955c362a5a27defcf5fc831f5310f82e99d38a60af054ebed02c4

Download Submit
C:\Users\Admin\f6p73ho8b2z\dwm.exe

Filesize
918KB

MD5
92729c143c9057725c8ab422aef00b9c

SHA1
1f6e83d15ed51833d91dd511281cede97341e942

SHA256
f5041c37f5bd7deda83395d993376a1c458ab9d9be227fb3df19016302902dcc

SHA512
29295342e1a551fe16db9da456f93b0e1da9db253eb2c21c403ae84ac67f27662e068633aa0b0d21bc5a28a5549ffde8a2328175b96e5fe49375c0caf8507ad3

Download Submit
C:\Users\Admin\f6p73ho8b2z\dwm.exe

Filesize
918KB

MD5
92729c143c9057725c8ab422aef00b9c

SHA1
1f6e83d15ed51833d91dd511281cede97341e942

SHA256
f5041c37f5bd7deda83395d993376a1c458ab9d9be227fb3df19016302902dcc

SHA512
29295342e1a551fe16db9da456f93b0e1da9db253eb2c21c403ae84ac67f27662e068633aa0b0d21bc5a28a5549ffde8a2328175b96e5fe49375c0caf8507ad3

Download Submit
C:\Users\Admin\f6p73ho8b2z\tLbTonzIG.RZY

Filesize
340.5MB

MD5
0be2089d9eda6ba28f68ec283c399cee

SHA1
4286bf7130e990fe6e8a3a185f5d5ae10631e126

SHA256
b939255cd67fc9ed8a5976170a35a2fc34fa17af8c363c47963a49546ee4282c

SHA512
0372c956ce85ab8384ba90be60202599025ed6fb3416b4fd7611356b777b88666d0a70293a8174c02c6febcb6c487c39da1ea5ad8e8e47da1cbeb6e55ed3fb61

Download Submit
memory/1412-138-0x0000000000000000-mapping.dmp

Download
memory/1412-139-0x0000000001300000-0x00000000013B2000-memory.dmp

Filesize
712KB

Download
memory/1412-140-0x0000000001300000-0x00000000013B2000-memory.dmp

Filesize
712KB

Download
memory/1412-141-0x0000000001300000-0x00000000013B2000-memory.dmp

Filesize
712KB

Download
memory/1412-142-0x0000000001300000-0x00000000013B2000-memory.dmp

Filesize
712KB

Download
memory/1412-143-0x0000000001300000-0x00000000013B2000-memory.dmp

Filesize
712KB

Download
memory/4140-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads