darkcomet | 98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7

General

Target

98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
Size

1.4MB
MD5

22625b92798482b19fdcb6bd850eb5ff
SHA1

f5f82940efafbaa945d5f94726035e7572f342ae
SHA256

98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7
SHA512

0fcd9d431be0984db80a7658c022fbb52317ef824dab6e88d3f6fcdafab4d8ae23d135c5b27ab1562ab1b9db41975b75026c1e2d6345870d2e334a7ebc274954
SSDEEP

24576:xh9Y+kyJinDuGgD4Ydx2hY95qFB+JVYTQ6Wu/kKzToRbA:xh9rH0nDu18KSAUVToR

Score

10^/10

darkcomet tetro spreading persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Tetro spreading

C2

narcotraf.mooo.com:1604

Mutex

DCMIN_MUTEX-AQYCEGU

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
ifTBbaPvKEs1
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Tet\\Tetro"	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe

description	pid	process	target process
PID 2012 set thread context of 460	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1016 460 WerFault.exe 98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1716 timeout.exe

pid	pid_target	process	target process
1016	460	WerFault.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe

pid	process
1716	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe

pid	process
2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe

description pid process

Token: SeDebugPrivilege 2012 98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe

description	pid	process
Token: SeDebugPrivilege	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.execmd.exe98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exewscript.execmd.exe

description	pid	process	target process
PID 2012 wrote to memory of 1528	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	cmd.exe
PID 2012 wrote to memory of 1528	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	cmd.exe
PID 2012 wrote to memory of 1528	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	cmd.exe
PID 2012 wrote to memory of 1528	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	cmd.exe
PID 1528 wrote to memory of 668	1528	cmd.exe	wscript.exe
PID 1528 wrote to memory of 668	1528	cmd.exe	wscript.exe
PID 1528 wrote to memory of 668	1528	cmd.exe	wscript.exe
PID 1528 wrote to memory of 668	1528	cmd.exe	wscript.exe
PID 2012 wrote to memory of 460	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
PID 2012 wrote to memory of 460	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
PID 2012 wrote to memory of 460	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
PID 2012 wrote to memory of 460	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
PID 2012 wrote to memory of 460	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
PID 2012 wrote to memory of 460	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
PID 2012 wrote to memory of 460	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
PID 2012 wrote to memory of 460	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
PID 2012 wrote to memory of 460	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
PID 2012 wrote to memory of 460	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
PID 2012 wrote to memory of 460	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
PID 2012 wrote to memory of 460	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
PID 2012 wrote to memory of 460	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
PID 460 wrote to memory of 1016	460	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	WerFault.exe
PID 460 wrote to memory of 1016	460	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	WerFault.exe
PID 460 wrote to memory of 1016	460	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	WerFault.exe
PID 460 wrote to memory of 1016	460	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	WerFault.exe
PID 668 wrote to memory of 380	668	wscript.exe	cmd.exe
PID 668 wrote to memory of 380	668	wscript.exe	cmd.exe
PID 668 wrote to memory of 380	668	wscript.exe	cmd.exe
PID 668 wrote to memory of 380	668	wscript.exe	cmd.exe
PID 2012 wrote to memory of 540	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	cmd.exe
PID 2012 wrote to memory of 540	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	cmd.exe
PID 2012 wrote to memory of 540	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	cmd.exe
PID 2012 wrote to memory of 540	2012	98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe	cmd.exe
PID 540 wrote to memory of 1716	540	cmd.exe	timeout.exe
PID 540 wrote to memory of 1716	540	cmd.exe	timeout.exe
PID 540 wrote to memory of 1716	540	cmd.exe	timeout.exe
PID 540 wrote to memory of 1716	540	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
"C:\Users\Admin\AppData\Local\Temp\98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Tet\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Tet\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\Tet\mata2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Tet\mata2.bat" "
4⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
C:\Users\Admin\AppData\Local\Temp\98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 36
3⤵
- Program crash
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Tet\stres.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:1716

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tet\Tetro
Filesize
1.4MB

MD5
22625b92798482b19fdcb6bd850eb5ff

SHA1
f5f82940efafbaa945d5f94726035e7572f342ae

SHA256
98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7

SHA512
0fcd9d431be0984db80a7658c022fbb52317ef824dab6e88d3f6fcdafab4d8ae23d135c5b27ab1562ab1b9db41975b75026c1e2d6345870d2e334a7ebc274954

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tet\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tet\mata.bat
Filesize
55B

MD5
9e5bfba3027cb1771d79c4c9ec48bf7c

SHA1
a6bfdabbc34010b18be72b52c407a3c626522d42

SHA256
5d276a11286e7e3fa01d12af9e0a12a2a46ec999463971a8a0cf50f058ea414a

SHA512
d3aee74475f880a85e5524ce15d596284758bddd466ed025c27e952d0607d15418643d4cb4a96ac1e8651713154ed4021ff36a5db5cbeafce9c63bbd88ad527d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tet\mata2.bat
Filesize
54B

MD5
5b0598b120b2336087d7d3e6d5e9c62c

SHA1
fbf01fc2d2657ab144a7ad5e1025f09306d1a327

SHA256
2bb6d67dc1f390a6053cad6d9f50ddccd24ede0066e70b45a5258c885afd0fe2

SHA512
9fbe1d976ce38a1c22a494f64b79989574014d3fa906c3921e7e39928e468adf530aefdfdd24c4f63c32bde81c27e5280e9af38fd745b9c2835d56453667f4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tet\rundll11-.txt
Filesize
1.4MB

MD5
22625b92798482b19fdcb6bd850eb5ff

SHA1
f5f82940efafbaa945d5f94726035e7572f342ae

SHA256
98bcf6c401ec9812061c01777f378061036666124a79aaa4586635f197660db7

SHA512
0fcd9d431be0984db80a7658c022fbb52317ef824dab6e88d3f6fcdafab4d8ae23d135c5b27ab1562ab1b9db41975b75026c1e2d6345870d2e334a7ebc274954

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tet\stres.bat
Filesize
201B

MD5
6812c605ef998e82918dd11c4bd48b25

SHA1
1f4a9f6035d8e5e698204a7ec7088dc60fc1012b

SHA256
200894947e0659717dd858cc08db4e12a20029621e310175ec517aba2e2a125c

SHA512
1d0e19ba7de9331c3d4fa21868c59f0efe3ee58d92bd45f4d85b5390aaf334af3b55adbb7311490f91487567036d7fb325d8b3f935b2185d149c1825dad90fb5

Download Submit
memory/380-80-0x0000000000000000-mapping.dmp

Download
memory/460-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/460-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/460-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/460-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/460-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/460-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/460-75-0x0000000000000000-mapping.dmp

Download
memory/460-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/460-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/460-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/540-83-0x0000000000000000-mapping.dmp

Download
memory/668-58-0x0000000000000000-mapping.dmp

Download
memory/1016-78-0x0000000000000000-mapping.dmp

Download
memory/1528-56-0x0000000000000000-mapping.dmp

Download
memory/1716-86-0x0000000000000000-mapping.dmp

Download
memory/2012-82-0x0000000074C90000-0x000000007523B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/2012-55-0x0000000074C90000-0x000000007523B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-87-0x0000000074C90000-0x000000007523B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads