darkcomet | 838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933

Analysis

max time kernel
134s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe
Size

1.3MB
MD5

2ceb126e45e29ae5260343d67d666379
SHA1

44bfc88df3e9bbaddbc08da0d2cfb18cce9d7722
SHA256

838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933
SHA512

142317bf8f5f5a2bb09011b90fe1b20c6d465f74aaa4b429554e0bbb9841f2ac1fffc6fbdf7b2f1ac4417732b14550a21162871404a0bb28c0c9e9697ef12039
SSDEEP

24576:1t24elz/eTxEP26JA7bnH2v27efUlcaVW67fsMxTLc2UgaRg299pWN7wyyw:h/WPK7QlsqKWKf15op1Wiyh

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

5.254.112.46:1604

Mutex

DC_MUTEX-TWH65U6

Attributes

gencode
g2krJbMz8YKU
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

rsqrc.batrsqrc.batRegSvcs.exe

pid process

344 rsqrc.bat
4724 rsqrc.bat
1392 RegSvcs.exe

pid	process
344	rsqrc.bat
4724	rsqrc.bat
1392	RegSvcs.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1392-153-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1392-156-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1392-157-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1392-159-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1392-160-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1392-161-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exersqrc.bat

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rsqrc.bat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rsqrc.bat

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	rsqrc.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\jhnjd\\rsqrc.bat C:\\Users\\Admin\\AppData\\Roaming\\jhnjd\\wptjq.kll"	rsqrc.bat

Suspicious use of SetThreadContext 1 IoCs

Processes:

rsqrc.bat

description pid process target process

PID 4724 set thread context of 1392 4724 rsqrc.bat RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4232 taskkill.exe

description	pid	process	target process
PID 4724 set thread context of 1392	4724	rsqrc.bat	RegSvcs.exe

pid	process
4232	taskkill.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

rsqrc.bat

pid	process
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat
4724	rsqrc.bat

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

taskkill.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4232	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1392	RegSvcs.exe
Token: SeSecurityPrivilege	1392	RegSvcs.exe
Token: SeTakeOwnershipPrivilege	1392	RegSvcs.exe
Token: SeLoadDriverPrivilege	1392	RegSvcs.exe
Token: SeSystemProfilePrivilege	1392	RegSvcs.exe
Token: SeSystemtimePrivilege	1392	RegSvcs.exe
Token: SeProfSingleProcessPrivilege	1392	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1392	RegSvcs.exe
Token: SeCreatePagefilePrivilege	1392	RegSvcs.exe
Token: SeBackupPrivilege	1392	RegSvcs.exe
Token: SeRestorePrivilege	1392	RegSvcs.exe
Token: SeShutdownPrivilege	1392	RegSvcs.exe
Token: SeDebugPrivilege	1392	RegSvcs.exe
Token: SeSystemEnvironmentPrivilege	1392	RegSvcs.exe
Token: SeChangeNotifyPrivilege	1392	RegSvcs.exe
Token: SeRemoteShutdownPrivilege	1392	RegSvcs.exe
Token: SeUndockPrivilege	1392	RegSvcs.exe
Token: SeManageVolumePrivilege	1392	RegSvcs.exe
Token: SeImpersonatePrivilege	1392	RegSvcs.exe
Token: SeCreateGlobalPrivilege	1392	RegSvcs.exe
Token: 33	1392	RegSvcs.exe
Token: 34	1392	RegSvcs.exe
Token: 35	1392	RegSvcs.exe
Token: 36	1392	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

1392 RegSvcs.exe

pid	process
1392	RegSvcs.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exersqrc.batrsqrc.batcmd.exe

description	pid	process	target process
PID 1688 wrote to memory of 344	1688	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe	rsqrc.bat
PID 1688 wrote to memory of 344	1688	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe	rsqrc.bat
PID 1688 wrote to memory of 344	1688	838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe	rsqrc.bat
PID 344 wrote to memory of 4724	344	rsqrc.bat	rsqrc.bat
PID 344 wrote to memory of 4724	344	rsqrc.bat	rsqrc.bat
PID 344 wrote to memory of 4724	344	rsqrc.bat	rsqrc.bat
PID 4724 wrote to memory of 2016	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 2016	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 2016	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 4420	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 4420	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 4420	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 4316	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 4316	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 4316	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 1868	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 1868	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 1868	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 4900	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 4900	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 4900	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 4848	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 4848	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 4848	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 1828	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 1828	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 1828	4724	rsqrc.bat	mshta.exe
PID 4724 wrote to memory of 4568	4724	rsqrc.bat	cmd.exe
PID 4724 wrote to memory of 4568	4724	rsqrc.bat	cmd.exe
PID 4724 wrote to memory of 4568	4724	rsqrc.bat	cmd.exe
PID 4568 wrote to memory of 4232	4568	cmd.exe	taskkill.exe
PID 4568 wrote to memory of 4232	4568	cmd.exe	taskkill.exe
PID 4568 wrote to memory of 4232	4568	cmd.exe	taskkill.exe
PID 4724 wrote to memory of 1392	4724	rsqrc.bat	RegSvcs.exe
PID 4724 wrote to memory of 1392	4724	rsqrc.bat	RegSvcs.exe
PID 4724 wrote to memory of 1392	4724	rsqrc.bat	RegSvcs.exe
PID 4724 wrote to memory of 1392	4724	rsqrc.bat	RegSvcs.exe
PID 4724 wrote to memory of 1392	4724	rsqrc.bat	RegSvcs.exe
PID 4724 wrote to memory of 1392	4724	rsqrc.bat	RegSvcs.exe
PID 4724 wrote to memory of 1392	4724	rsqrc.bat	RegSvcs.exe
PID 4724 wrote to memory of 1392	4724	rsqrc.bat	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe
"C:\Users\Admin\AppData\Local\Temp\838ba1578a4d8a917dd4f9ef7754a9e25389b4d67d271c3c71500c55f5f62933.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
"C:\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat" wptjq.kll
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:344

C:\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
C:\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat C:\Users\Admin\AppData\Roaming\jhnjd\KYXTC
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:2016

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:4420

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:4316

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1868

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:4900

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:4848

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C taskkill /f /IM mshta.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /IM mshta.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
33KB

MD5
2ea40335b22cf0d92a8a5bae75008900

SHA1
d37cc7b9386c8aa3004d312464747a41bede25a7

SHA256
634070eb837cec61ee45efd6372231b59589bbbf0f75cd98cd18fd3364fb6e1c

SHA512
de04fae62ac3a5ed949ad8e7e625a76fb0906039395990ab07b82b0d0294b0f6e5d5804c08e7fdee7d856a4dc5d8837eb5cf5164477bc69c91c18e12f51b9448

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
33KB

MD5
2ea40335b22cf0d92a8a5bae75008900

SHA1
d37cc7b9386c8aa3004d312464747a41bede25a7

SHA256
634070eb837cec61ee45efd6372231b59589bbbf0f75cd98cd18fd3364fb6e1c

SHA512
de04fae62ac3a5ed949ad8e7e625a76fb0906039395990ab07b82b0d0294b0f6e5d5804c08e7fdee7d856a4dc5d8837eb5cf5164477bc69c91c18e12f51b9448

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\KYXTC
Filesize
117KB

MD5
3384979a23fbe4de79286b1901121b19

SHA1
5e69f43dcc8ed992ab17c233271712bb0bf60f13

SHA256
ae2427d833c91c213875fe7e70b05c88e949859da91b33681d598e3fd6b4f740

SHA512
0f98ff4b4c631dfc388e515dcaa3e858ed2c9581a63d9ab3ec588ea9ef17a593dc632c6f9093c13944812f273153ea0f0b37a1ca8aaa30a23d1199dcdf832fa3

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\YMQGIX
Filesize
36KB

MD5
0aac4b05aeb233740b90d11654cfb4c5

SHA1
b593bba4350616176b1a545098120fff9e2d7e2a

SHA256
1a9d10aeeff5c9d2b7fde7171980ce29585b7815fb40d10812a85768f12ff8ca

SHA512
8225d0f32cd6ef4b2ce124dd534fd0127beafce07b88b38b0ce2c54d3d1249d53ad306b0524f48a706c7da38151a41a06d6935ce17d663663db19139bcc18120

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\evcvt
Filesize
1KB

MD5
29dbcf965f4dff981947089c033ce279

SHA1
4515a4a916ddd532916623a5c1e3dce65b23ebe0

SHA256
a1b87f397a8247361bea88e4fc9586ab9cf0dda6b63025bd7e381861a1153b9b

SHA512
5c12af9573942a9277de140f541f2b4793eb9de131f79a3b871890e390ae5c025a29b74f260d94792a3197ebb505f1416fb4d3d4769947e9bac6b30b9acd42c5

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\kjuqx
Filesize
253KB

MD5
cc9b49169076c95352ff036ec8d5b417

SHA1
961b7929f2f2a6a5847c90b5e31822cf9e9d9bd7

SHA256
394554cefb606f39adf9fbd6bce30d4d9e7eed21d08a906f499702a3558df436

SHA512
ca3f6463f1080e7471fcfc95cda867cebf1fd2a411232cbbc47c74cc100d5eb6f91aa4c9ce51bab72e267a7b79211e0193072b131d50c0f6b18e416afc394e07

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\rsqrc.bat
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\ruhpc.nxm
Filesize
117KB

MD5
74f54b55d58214debc9039ede4212c1a

SHA1
f2008323fa362b20808c00c6b27001802059fafd

SHA256
57f3016b9344b070f515928149652c0579c5319504c206a200412f44efb0c571

SHA512
329953a8293b7247c03cad7ef93b2f6ba652e399256acb09f7c7820e6d17756520038ab20148b6b4f3cf6580c8a0b01719bfb4fe03ee7bb8148d61274150380a

Download Submit
C:\Users\Admin\AppData\Roaming\jhnjd\wptjq.kll
Filesize
3KB

MD5
79d5c6f556e0bd45eb399cb806488195

SHA1
0dbf3209bc2c21c4ce40497b8210b3d03e3a95a4

SHA256
b6715a8d5b4651cbda91206008672a0350fbb22c9f159a253f33d63d575159ce

SHA512
f0b6ef4db0edb893aaca0d12b0491e8c00e654df6e39fb271b0dad6fe2b25b71a53582fdf2377324ba2958bc4ae3b29de9b3352fa5f1842fdc6653a8b689551b

Download Submit
memory/344-132-0x0000000000000000-mapping.dmp

Download
memory/1392-153-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1392-156-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1392-161-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1392-160-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1392-159-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1392-157-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1392-152-0x0000000000000000-mapping.dmp

Download
memory/1828-147-0x0000000000000000-mapping.dmp

Download
memory/1868-144-0x0000000000000000-mapping.dmp

Download
memory/2016-141-0x0000000000000000-mapping.dmp

Download
memory/4232-149-0x0000000000000000-mapping.dmp

Download
memory/4316-143-0x0000000000000000-mapping.dmp

Download
memory/4420-142-0x0000000000000000-mapping.dmp

Download
memory/4568-148-0x0000000000000000-mapping.dmp

Download
memory/4724-138-0x0000000000000000-mapping.dmp

Download
memory/4848-146-0x0000000000000000-mapping.dmp

Download
memory/4900-145-0x0000000000000000-mapping.dmp

Download