darkcomet | 223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b

General

Target

223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b.exe
Size

860KB
MD5

96c40928f2da30340d1a6a1c5854f8cd
SHA1

b33efb2af4a8a682a839e297e9a8b9de17b0ee30
SHA256

223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b
SHA512

6326c8989c5440a6b407ec43fdc59674747691ccee6aa6497167f5dd3cf05d37510ed08272e318d83b784ecee4386b8f23bc665b3a2aa7887549305833fbc0cd
SSDEEP

24576:kah/9z7xCLpi4vRT1XSM9RxD9A8k0hvKaOy38:kahlxCQOLJLc8kLhy3

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

linda2much.no-ip.org:1604

Mutex

DC_MUTEX-NHXBEBR

Attributes

gencode
sUEA8PvV8vwV
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 1 IoCs

pid	Process
3276	winlogon.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	winlogon.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe"	winlogon.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3276 set thread context of 5028	3276	winlogon.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b.exe:ZONE.identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe\:ZONE.identifier:$DATA	223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe:ZONE.identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5028	vbc.exe
Token: SeSecurityPrivilege	5028	vbc.exe
Token: SeTakeOwnershipPrivilege	5028	vbc.exe
Token: SeLoadDriverPrivilege	5028	vbc.exe
Token: SeSystemProfilePrivilege	5028	vbc.exe
Token: SeSystemtimePrivilege	5028	vbc.exe
Token: SeProfSingleProcessPrivilege	5028	vbc.exe
Token: SeIncBasePriorityPrivilege	5028	vbc.exe
Token: SeCreatePagefilePrivilege	5028	vbc.exe
Token: SeBackupPrivilege	5028	vbc.exe
Token: SeRestorePrivilege	5028	vbc.exe
Token: SeShutdownPrivilege	5028	vbc.exe
Token: SeDebugPrivilege	5028	vbc.exe
Token: SeSystemEnvironmentPrivilege	5028	vbc.exe
Token: SeChangeNotifyPrivilege	5028	vbc.exe
Token: SeRemoteShutdownPrivilege	5028	vbc.exe
Token: SeUndockPrivilege	5028	vbc.exe
Token: SeManageVolumePrivilege	5028	vbc.exe
Token: SeImpersonatePrivilege	5028	vbc.exe
Token: SeCreateGlobalPrivilege	5028	vbc.exe
Token: 33	5028	vbc.exe
Token: 34	5028	vbc.exe
Token: 35	5028	vbc.exe
Token: 36	5028	vbc.exe
Token: SeDebugPrivilege	3276	winlogon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5028	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2000	1932	223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b.exe	83
PID 1932 wrote to memory of 2000	1932	223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b.exe	83
PID 1932 wrote to memory of 3276	1932	223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b.exe	85
PID 1932 wrote to memory of 3276	1932	223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b.exe	85
PID 3276 wrote to memory of 4596	3276	winlogon.exe	86
PID 3276 wrote to memory of 4596	3276	winlogon.exe	86
PID 3276 wrote to memory of 5028	3276	winlogon.exe	88
PID 3276 wrote to memory of 5028	3276	winlogon.exe	88
PID 3276 wrote to memory of 5028	3276	winlogon.exe	88
PID 3276 wrote to memory of 5028	3276	winlogon.exe	88
PID 3276 wrote to memory of 5028	3276	winlogon.exe	88
PID 3276 wrote to memory of 5028	3276	winlogon.exe	88
PID 3276 wrote to memory of 5028	3276	winlogon.exe	88
PID 3276 wrote to memory of 5028	3276	winlogon.exe	88
PID 3276 wrote to memory of 5028	3276	winlogon.exe	88
PID 3276 wrote to memory of 5028	3276	winlogon.exe	88
PID 3276 wrote to memory of 5028	3276	winlogon.exe	88
PID 3276 wrote to memory of 5028	3276	winlogon.exe	88
PID 3276 wrote to memory of 5028	3276	winlogon.exe	88
PID 3276 wrote to memory of 5028	3276	winlogon.exe	88

C:\Users\Admin\AppData\Local\Temp\223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b.exe
"C:\Users\Admin\AppData\Local\Temp\223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b.exe"
1⤵
- Checks computer location settings
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Local\Temp\223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b.exe":ZONE.identifier & exit
  2⤵
  - NTFS ADS
  PID:2000
- C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe":ZONE.identifier & exit
    3⤵
    - NTFS ADS
    PID:4596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b.exe

Filesize
860KB

MD5
96c40928f2da30340d1a6a1c5854f8cd

SHA1
b33efb2af4a8a682a839e297e9a8b9de17b0ee30

SHA256
223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b

SHA512
6326c8989c5440a6b407ec43fdc59674747691ccee6aa6497167f5dd3cf05d37510ed08272e318d83b784ecee4386b8f23bc665b3a2aa7887549305833fbc0cd

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe

Filesize
860KB

MD5
96c40928f2da30340d1a6a1c5854f8cd

SHA1
b33efb2af4a8a682a839e297e9a8b9de17b0ee30

SHA256
223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b

SHA512
6326c8989c5440a6b407ec43fdc59674747691ccee6aa6497167f5dd3cf05d37510ed08272e318d83b784ecee4386b8f23bc665b3a2aa7887549305833fbc0cd

Download Submit
C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe

Filesize
860KB

MD5
96c40928f2da30340d1a6a1c5854f8cd

SHA1
b33efb2af4a8a682a839e297e9a8b9de17b0ee30

SHA256
223a301aa146975a819da9b89ffb94619c9d78555ff5177c1d96f9fbbd70eb5b

SHA512
6326c8989c5440a6b407ec43fdc59674747691ccee6aa6497167f5dd3cf05d37510ed08272e318d83b784ecee4386b8f23bc665b3a2aa7887549305833fbc0cd

Download Submit
memory/1932-132-0x00007FF80D930000-0x00007FF80E366000-memory.dmp

Filesize
10.2MB

Download
memory/3276-138-0x00007FF80D930000-0x00007FF80E366000-memory.dmp

Filesize
10.2MB

Download
memory/5028-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5028-141-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5028-140-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5028-144-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5028-147-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5028-146-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5028-148-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5028-151-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5028-152-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5028-153-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5028-154-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing