darkcomet | 27b100ab3073fc1b0b7459862930687aed91aa3fb1770e07472ac8a041fdb87f

General

Target

27b100ab3073fc1b0b7459862930687aed91aa3fb1770e07472ac8a041fdb87f.doc
Size

4.0MB
MD5

3b25dfdf3f89b0a1e161d442d1fd2227
SHA1

964cae96ec5364a84b13edaa305e4e3fb35fa208
SHA256

27b100ab3073fc1b0b7459862930687aed91aa3fb1770e07472ac8a041fdb87f
SHA512

cb0dcc230066c146926ffc158d47f48c33ba67970963ce72afcef3bb63166996e969f7d0318f6fb604fff54962cc8e934f55079bccec0f2a8f22e4e14ffef2d4
SSDEEP

24576:pVfxRoAIj5FBCQELbeNJDIe5uocMALTipn5yZ0h1j8KmGN2zbRtG23zxQ0atoYBq:9p

Score

10^/10

darkcomet doc rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

doc

C2

67.242.194.118:1604

Mutex

DC_MUTEX-W3TT9NP

Attributes

gencode
QMYYWMGSMDbi
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

dnyoxbau.exeXVeObc.exe

pid process

848 dnyoxbau.exe
2772 XVeObc.exe

pid	process
848	dnyoxbau.exe
2772	XVeObc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dnyoxbau.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dnyoxbau.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

XVeObc.exesvchost.exe

description	pid	process	target process
PID 2772 set thread context of 404	2772	XVeObc.exe	svchost.exe
PID 404 set thread context of 4016	404	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3404 WINWORD.EXE
3404 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

XVeObc.exesvchost.exe

pid	process
2772	XVeObc.exe
2772	XVeObc.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe
404	svchost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4016	svchost.exe
Token: SeSecurityPrivilege	4016	svchost.exe
Token: SeTakeOwnershipPrivilege	4016	svchost.exe
Token: SeLoadDriverPrivilege	4016	svchost.exe
Token: SeSystemProfilePrivilege	4016	svchost.exe
Token: SeSystemtimePrivilege	4016	svchost.exe
Token: SeProfSingleProcessPrivilege	4016	svchost.exe
Token: SeIncBasePriorityPrivilege	4016	svchost.exe
Token: SeCreatePagefilePrivilege	4016	svchost.exe
Token: SeBackupPrivilege	4016	svchost.exe
Token: SeRestorePrivilege	4016	svchost.exe
Token: SeShutdownPrivilege	4016	svchost.exe
Token: SeDebugPrivilege	4016	svchost.exe
Token: SeSystemEnvironmentPrivilege	4016	svchost.exe
Token: SeChangeNotifyPrivilege	4016	svchost.exe
Token: SeRemoteShutdownPrivilege	4016	svchost.exe
Token: SeUndockPrivilege	4016	svchost.exe
Token: SeManageVolumePrivilege	4016	svchost.exe
Token: SeImpersonatePrivilege	4016	svchost.exe
Token: SeCreateGlobalPrivilege	4016	svchost.exe
Token: 33	4016	svchost.exe
Token: 34	4016	svchost.exe
Token: 35	4016	svchost.exe
Token: 36	4016	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

WINWORD.EXEsvchost.exesvchost.exe

pid	process
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
404	svchost.exe
4016	svchost.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

WINWORD.EXEdnyoxbau.exeXVeObc.exesvchost.exe

description	pid	process	target process
PID 3404 wrote to memory of 848	3404	WINWORD.EXE	dnyoxbau.exe
PID 3404 wrote to memory of 848	3404	WINWORD.EXE	dnyoxbau.exe
PID 3404 wrote to memory of 848	3404	WINWORD.EXE	dnyoxbau.exe
PID 848 wrote to memory of 2772	848	dnyoxbau.exe	XVeObc.exe
PID 848 wrote to memory of 2772	848	dnyoxbau.exe	XVeObc.exe
PID 848 wrote to memory of 2772	848	dnyoxbau.exe	XVeObc.exe
PID 2772 wrote to memory of 404	2772	XVeObc.exe	svchost.exe
PID 2772 wrote to memory of 404	2772	XVeObc.exe	svchost.exe
PID 2772 wrote to memory of 404	2772	XVeObc.exe	svchost.exe
PID 2772 wrote to memory of 404	2772	XVeObc.exe	svchost.exe
PID 2772 wrote to memory of 404	2772	XVeObc.exe	svchost.exe
PID 2772 wrote to memory of 404	2772	XVeObc.exe	svchost.exe
PID 2772 wrote to memory of 404	2772	XVeObc.exe	svchost.exe
PID 2772 wrote to memory of 404	2772	XVeObc.exe	svchost.exe
PID 404 wrote to memory of 4016	404	svchost.exe	svchost.exe
PID 404 wrote to memory of 4016	404	svchost.exe	svchost.exe
PID 404 wrote to memory of 4016	404	svchost.exe	svchost.exe
PID 404 wrote to memory of 4016	404	svchost.exe	svchost.exe
PID 404 wrote to memory of 4016	404	svchost.exe	svchost.exe
PID 404 wrote to memory of 4016	404	svchost.exe	svchost.exe
PID 404 wrote to memory of 4016	404	svchost.exe	svchost.exe
PID 404 wrote to memory of 4016	404	svchost.exe	svchost.exe
PID 404 wrote to memory of 4016	404	svchost.exe	svchost.exe
PID 404 wrote to memory of 4016	404	svchost.exe	svchost.exe
PID 404 wrote to memory of 4016	404	svchost.exe	svchost.exe
PID 404 wrote to memory of 4016	404	svchost.exe	svchost.exe
PID 404 wrote to memory of 4016	404	svchost.exe	svchost.exe
PID 404 wrote to memory of 4016	404	svchost.exe	svchost.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\27b100ab3073fc1b0b7459862930687aed91aa3fb1770e07472ac8a041fdb87f.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3404

C:\Users\Admin\dnyoxbau.exe
C:\Users\Admin\dnyoxbau.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\RarSFX0\XVeObc.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\XVeObc.exe" "kcwtNy"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\MrHFkS.exe
Filesize
102KB

MD5
0df564f1184ac289b353baed6e2a0c46

SHA1
d492f51df890f436f5e0e994b0f19e14e3001f88

SHA256
330df2f54fb09d6d1344668ef458c45af620c2254fbc45e75b68444f963dc5bb

SHA512
30f55f79bd6e7b6f7715f20856614778d3e97a59f8c642c4659690b3f99d3153bbd98bf4e5b96704c6f1698b135d63e8280260bcf6e9cdc040fc0fe7279b0fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\XVeObc.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\XVeObc.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\YKPZyv.txt
Filesize
3.3MB

MD5
efa2349c70a2c2c7a187bd2dc56badd6

SHA1
47b39c026aba067f081659fff5b9c79228868c0c

SHA256
fa343af9019e2f80fc56c1eee777b329322ebb1dc8351895769167313b370127

SHA512
3f51edca1aa4de85d45e1e1f39e1515d95f83b82bf5a50cd9e951221f4719da7f54cb7d7f116b72afee58a1c6dee4f99894beab20294b425b5db7acced280b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kcwtNy
Filesize
6KB

MD5
374b7508bc86f61e1fbffb4bda3543ac

SHA1
95bbd530b272f276d9553d90472234565a0172e7

SHA256
f578c2c0db2e328c94892faace17565e6b1396337c47215b8e6a27ab7d95a77e

SHA512
9b4d9647a0ac7c2853fb4d31d7fede4064068445ac20c2f95d5203eda615178833459b59691fd77709fb4786ba9b0ef7ffcd89713d641143dfd15ce9b3d3c692

Download Submit
C:\Users\Admin\dnyoxbau.exe
Filesize
1001KB

MD5
fdfe234a413d0d7ceaa619162ee41b55

SHA1
d90a8dc1600bd451d8b3eecbce2fb8b6992bf4de

SHA256
b0ec5dca6b01d5a346bfa663d6ae277ef63ac65e7cc0110376e70786d3a7d90d

SHA512
9b5c3392de845fd9444a3d812efd0925dda81795e4af1733f6621b86b2964a37a90dab9074d2572de062a3785353c8a56be27471d64666653bbed7c37e7c2b65

Download Submit
C:\Users\Admin\dnyoxbau.exe
Filesize
1001KB

MD5
fdfe234a413d0d7ceaa619162ee41b55

SHA1
d90a8dc1600bd451d8b3eecbce2fb8b6992bf4de

SHA256
b0ec5dca6b01d5a346bfa663d6ae277ef63ac65e7cc0110376e70786d3a7d90d

SHA512
9b5c3392de845fd9444a3d812efd0925dda81795e4af1733f6621b86b2964a37a90dab9074d2572de062a3785353c8a56be27471d64666653bbed7c37e7c2b65

Download Submit
memory/404-161-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/404-155-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/404-152-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/404-150-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/404-149-0x0000000000000000-mapping.dmp

Download
memory/848-140-0x0000000000000000-mapping.dmp

Download
memory/2772-143-0x0000000000000000-mapping.dmp

Download
memory/3404-136-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/3404-139-0x0000020CAFD6B000-0x0000020CAFD6D000-memory.dmp

Filesize
8KB

Download
memory/3404-138-0x00007FF8D50A0000-0x00007FF8D50B0000-memory.dmp

Filesize
64KB

Download
memory/3404-137-0x00007FF8D50A0000-0x00007FF8D50B0000-memory.dmp

Filesize
64KB

Download
memory/3404-135-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/3404-133-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/3404-134-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/3404-132-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/3404-167-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/3404-166-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/3404-164-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/3404-165-0x00007FF8D78D0000-0x00007FF8D78E0000-memory.dmp

Filesize
64KB

Download
memory/4016-156-0x0000000000000000-mapping.dmp

Download
memory/4016-162-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4016-160-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4016-159-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4016-157-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4016-158-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads