darkcomet | d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2022, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Size

1020KB
MD5

6eb8c9e5bdefba159845ea5a03cd83fb
SHA1

add104b21b3064c7d2b465c0f02ac32d9880d43e
SHA256

d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd
SHA512

1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952
SSDEEP

24576:9VUkyvjjmr0Jc8+U9h8qkLl54LWyzaSfuRfDasGIy/EnyiZOQc:3UkMEVU9h2ZiPzaSmRrfWEnrZNc

Score

10^/10

darkcomet ganzneu rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Ganzneu

windowshomesetup.no-ip.biz:8088

Mutex

DC_MUTEX-DL446XT

Attributes

gencode
CzbzF2gzTSH5
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 2 IoCs

pid	Process
1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
4296	csrss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4828 set thread context of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe
4296	csrss.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeSecurityPrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeTakeOwnershipPrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeLoadDriverPrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeSystemProfilePrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeSystemtimePrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeProfSingleProcessPrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeIncBasePriorityPrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeCreatePagefilePrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeBackupPrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeRestorePrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeShutdownPrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeDebugPrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeSystemEnvironmentPrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeChangeNotifyPrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeRemoteShutdownPrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeUndockPrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeManageVolumePrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeImpersonatePrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeCreateGlobalPrivilege	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: 33	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: 34	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: 35	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: 36	1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
Token: SeDebugPrivilege	4296	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1280	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 4312	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	80
PID 4828 wrote to memory of 4312	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	80
PID 4828 wrote to memory of 4312	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	80
PID 4828 wrote to memory of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82
PID 4828 wrote to memory of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82
PID 4828 wrote to memory of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82
PID 4828 wrote to memory of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82
PID 4828 wrote to memory of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82
PID 4828 wrote to memory of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82
PID 4828 wrote to memory of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82
PID 4828 wrote to memory of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82
PID 4828 wrote to memory of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82
PID 4828 wrote to memory of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82
PID 4828 wrote to memory of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82
PID 4828 wrote to memory of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82
PID 4828 wrote to memory of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82
PID 4828 wrote to memory of 1280	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	82
PID 4828 wrote to memory of 4296	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	83
PID 4828 wrote to memory of 4296	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	83
PID 4828 wrote to memory of 4296	4828	d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe	83

C:\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
"C:\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\Windows" /XML "C:\Users\Admin\AppData\Local\Temp\454552065.xml"
  2⤵
  - Creates scheduled task(s)
  PID:4312
- C:\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
  "C:\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  "C:\Users\Admin\AppData\Local\Temp\csrss.exe" -proc 1280 C:\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\454552065.xml

Filesize
1KB

MD5
f7f0a1fe7aa1123bbfdfd67a4f3ecdae

SHA1
bedd8af48c666fb3b6033cdb0d3af3361c3ce7bd

SHA256
e242ecc3987fe4eccd6dc7115980bb1f847578a9341937e19b5475b8b21d8918

SHA512
785530b197d3c338b5bc5eeee016c7d00013bf42fc542f35977e64f64943098221edc548bd2211b9281be65651f313d0ebc4be985b10b168315cd6a866845383

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
1020KB

MD5
6eb8c9e5bdefba159845ea5a03cd83fb

SHA1
add104b21b3064c7d2b465c0f02ac32d9880d43e

SHA256
d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

SHA512
1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
1020KB

MD5
6eb8c9e5bdefba159845ea5a03cd83fb

SHA1
add104b21b3064c7d2b465c0f02ac32d9880d43e

SHA256
d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

SHA512
1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952

Download Submit
C:\Users\Admin\AppData\Local\Temp\d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd.exe

Filesize
1020KB

MD5
6eb8c9e5bdefba159845ea5a03cd83fb

SHA1
add104b21b3064c7d2b465c0f02ac32d9880d43e

SHA256
d449e6e983233884f78f3c42a9aab270d125912b0b376a18795d1e73075dddcd

SHA512
1fafc39f9724740b88db1efc2f5ef1f5951ad2b0b7b4dc2c784be179360dedd39debf7f89886fde0aace1f57fb0445e1b885fa250ea03a9975747e805e563952

Download Submit
memory/1280-144-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1280-148-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1280-138-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1280-140-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1280-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1280-143-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1280-155-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1280-136-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1280-147-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1280-137-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1280-149-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4296-154-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4296-156-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-153-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/4828-132-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download