darkcomet | 8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4

General

Target

8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe
Size

991KB
MD5

11e3b2761607342d846c806d3751449d
SHA1

bfe6ed2330a60bd526b5d8539ad2b42234eaf485
SHA256

8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4
SHA512

3da48d314f4ef8ae143269316b675f45ab33bca167ea38f9b2842480e240598144e4c742320d73c9c0aed78b8de5667426c79cb08ce33b4122db3b743aab80b1
SSDEEP

24576:dysHFwrLe9O5VqIuJo9j9GzqlQ5VqIuJ:wslwLe97IuJo9j9BZIuJ

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

titus.no-ip.biz:1604

Mutex

DC_MUTEX-ZHXEX9Y

Attributes

gencode
2gyJ6nSw7VhP
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

TOKPIC.scrMsCtfMonitor.exertscom.exe

pid process

2752 TOKPIC.scr
4444 MsCtfMonitor.exe
4712 rtscom.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3664-140-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3664-141-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3664-142-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3664-144-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/3664-143-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exeTOKPIC.scrMsCtfMonitor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	TOKPIC.scr
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	MsCtfMonitor.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MsCtfMonitor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Activex Application Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\MsCtfMonitor.exe"	MsCtfMonitor.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

TOKPIC.scrrtscom.exe

description	pid	process	target process
PID 2752 set thread context of 3664	2752	TOKPIC.scr	AppLaunch.exe
PID 4712 set thread context of 856	4712	rtscom.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

TOKPIC.scrMsCtfMonitor.exe

pid	process
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
4444	MsCtfMonitor.exe
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr
2752	TOKPIC.scr

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exeTOKPIC.scrAppLaunch.exeMsCtfMonitor.exertscom.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4812	8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe
Token: SeDebugPrivilege	2752	TOKPIC.scr
Token: SeIncreaseQuotaPrivilege	3664	AppLaunch.exe
Token: SeSecurityPrivilege	3664	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	3664	AppLaunch.exe
Token: SeLoadDriverPrivilege	3664	AppLaunch.exe
Token: SeSystemProfilePrivilege	3664	AppLaunch.exe
Token: SeSystemtimePrivilege	3664	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	3664	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	3664	AppLaunch.exe
Token: SeCreatePagefilePrivilege	3664	AppLaunch.exe
Token: SeBackupPrivilege	3664	AppLaunch.exe
Token: SeRestorePrivilege	3664	AppLaunch.exe
Token: SeShutdownPrivilege	3664	AppLaunch.exe
Token: SeDebugPrivilege	3664	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	3664	AppLaunch.exe
Token: SeChangeNotifyPrivilege	3664	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	3664	AppLaunch.exe
Token: SeUndockPrivilege	3664	AppLaunch.exe
Token: SeManageVolumePrivilege	3664	AppLaunch.exe
Token: SeImpersonatePrivilege	3664	AppLaunch.exe
Token: SeCreateGlobalPrivilege	3664	AppLaunch.exe
Token: 33	3664	AppLaunch.exe
Token: 34	3664	AppLaunch.exe
Token: 35	3664	AppLaunch.exe
Token: 36	3664	AppLaunch.exe
Token: SeDebugPrivilege	4444	MsCtfMonitor.exe
Token: SeDebugPrivilege	4712	rtscom.exe
Token: SeIncreaseQuotaPrivilege	856	AppLaunch.exe
Token: SeSecurityPrivilege	856	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	856	AppLaunch.exe
Token: SeLoadDriverPrivilege	856	AppLaunch.exe
Token: SeSystemProfilePrivilege	856	AppLaunch.exe
Token: SeSystemtimePrivilege	856	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	856	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	856	AppLaunch.exe
Token: SeCreatePagefilePrivilege	856	AppLaunch.exe
Token: SeBackupPrivilege	856	AppLaunch.exe
Token: SeRestorePrivilege	856	AppLaunch.exe
Token: SeShutdownPrivilege	856	AppLaunch.exe
Token: SeDebugPrivilege	856	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	856	AppLaunch.exe
Token: SeChangeNotifyPrivilege	856	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	856	AppLaunch.exe
Token: SeUndockPrivilege	856	AppLaunch.exe
Token: SeManageVolumePrivilege	856	AppLaunch.exe
Token: SeImpersonatePrivilege	856	AppLaunch.exe
Token: SeCreateGlobalPrivilege	856	AppLaunch.exe
Token: 33	856	AppLaunch.exe
Token: 34	856	AppLaunch.exe
Token: 35	856	AppLaunch.exe
Token: 36	856	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AppLaunch.exe

pid process

3664 AppLaunch.exe

pid	process
3664	AppLaunch.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exeTOKPIC.scrMsCtfMonitor.exertscom.exe

description	pid	process	target process
PID 4812 wrote to memory of 2752	4812	8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe	TOKPIC.scr
PID 4812 wrote to memory of 2752	4812	8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe	TOKPIC.scr
PID 4812 wrote to memory of 2752	4812	8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe	TOKPIC.scr
PID 2752 wrote to memory of 3664	2752	TOKPIC.scr	AppLaunch.exe
PID 2752 wrote to memory of 3664	2752	TOKPIC.scr	AppLaunch.exe
PID 2752 wrote to memory of 3664	2752	TOKPIC.scr	AppLaunch.exe
PID 2752 wrote to memory of 3664	2752	TOKPIC.scr	AppLaunch.exe
PID 2752 wrote to memory of 3664	2752	TOKPIC.scr	AppLaunch.exe
PID 2752 wrote to memory of 3664	2752	TOKPIC.scr	AppLaunch.exe
PID 2752 wrote to memory of 3664	2752	TOKPIC.scr	AppLaunch.exe
PID 2752 wrote to memory of 3664	2752	TOKPIC.scr	AppLaunch.exe
PID 2752 wrote to memory of 4444	2752	TOKPIC.scr	MsCtfMonitor.exe
PID 2752 wrote to memory of 4444	2752	TOKPIC.scr	MsCtfMonitor.exe
PID 2752 wrote to memory of 4444	2752	TOKPIC.scr	MsCtfMonitor.exe
PID 4444 wrote to memory of 4712	4444	MsCtfMonitor.exe	rtscom.exe
PID 4444 wrote to memory of 4712	4444	MsCtfMonitor.exe	rtscom.exe
PID 4444 wrote to memory of 4712	4444	MsCtfMonitor.exe	rtscom.exe
PID 4712 wrote to memory of 856	4712	rtscom.exe	AppLaunch.exe
PID 4712 wrote to memory of 856	4712	rtscom.exe	AppLaunch.exe
PID 4712 wrote to memory of 856	4712	rtscom.exe	AppLaunch.exe
PID 4712 wrote to memory of 856	4712	rtscom.exe	AppLaunch.exe
PID 4712 wrote to memory of 856	4712	rtscom.exe	AppLaunch.exe
PID 4712 wrote to memory of 856	4712	rtscom.exe	AppLaunch.exe
PID 4712 wrote to memory of 856	4712	rtscom.exe	AppLaunch.exe
PID 4712 wrote to memory of 856	4712	rtscom.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe
"C:\Users\Admin\AppData\Local\Temp\8bc6821671b23e2332dbc053994a9730f8ba1223d3ada55c6862819a834dadf4.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812

C:\Users\Admin\AppData\Local\Temp\Software\TOKPIC.scr
"C:\Users\Admin\AppData\Local\Temp\Software\TOKPIC.scr" /S
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3664

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Local\Temp\rtscom.exe
"C:\Users\Admin\AppData\Local\Temp\rtscom.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Software\TOKPIC.scr
Filesize
657KB

MD5
62c2c86b953dd04cf32e9fee22d76230

SHA1
ffbd19d2258626e428fde9d2bd0ef1490c51dc27

SHA256
1d2c4a3a598236deb6f734232e5b7b488af4cdf1e2fb3e8140723f6ddb4a0482

SHA512
6021dc679b6467467a5b552e6a8ea2aa76dbd077cd98f4def606b81cee521d48d217cfb81cd7150b68edd6024284db23be68bc4f794169bc4672dc4251c44c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Software\TOKPIC.scr
Filesize
657KB

MD5
62c2c86b953dd04cf32e9fee22d76230

SHA1
ffbd19d2258626e428fde9d2bd0ef1490c51dc27

SHA256
1d2c4a3a598236deb6f734232e5b7b488af4cdf1e2fb3e8140723f6ddb4a0482

SHA512
6021dc679b6467467a5b552e6a8ea2aa76dbd077cd98f4def606b81cee521d48d217cfb81cd7150b68edd6024284db23be68bc4f794169bc4672dc4251c44c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtscom.exe
Filesize
657KB

MD5
62c2c86b953dd04cf32e9fee22d76230

SHA1
ffbd19d2258626e428fde9d2bd0ef1490c51dc27

SHA256
1d2c4a3a598236deb6f734232e5b7b488af4cdf1e2fb3e8140723f6ddb4a0482

SHA512
6021dc679b6467467a5b552e6a8ea2aa76dbd077cd98f4def606b81cee521d48d217cfb81cd7150b68edd6024284db23be68bc4f794169bc4672dc4251c44c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtscom.exe
Filesize
657KB

MD5
62c2c86b953dd04cf32e9fee22d76230

SHA1
ffbd19d2258626e428fde9d2bd0ef1490c51dc27

SHA256
1d2c4a3a598236deb6f734232e5b7b488af4cdf1e2fb3e8140723f6ddb4a0482

SHA512
6021dc679b6467467a5b552e6a8ea2aa76dbd077cd98f4def606b81cee521d48d217cfb81cd7150b68edd6024284db23be68bc4f794169bc4672dc4251c44c52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe
Filesize
8KB

MD5
893651b0ac929b3280f1345e1b5e0133

SHA1
363d729f2474a0f71d30a790d90f36e69def86bf

SHA256
f103179a7579ac464240ff1bc31be932d50eabe2df0bbe4f8b5c85e43415ffc9

SHA512
a76e0a6f47d6c1ebe847d5bf650ba60c5bc9c2e33988db7e626affd0e8534882e9367448bb3215bd4515e9159c616d5202456992bce7bcdb3dd19070fc7ab606

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MsCtfMonitor.exe
Filesize
8KB

MD5
893651b0ac929b3280f1345e1b5e0133

SHA1
363d729f2474a0f71d30a790d90f36e69def86bf

SHA256
f103179a7579ac464240ff1bc31be932d50eabe2df0bbe4f8b5c85e43415ffc9

SHA512
a76e0a6f47d6c1ebe847d5bf650ba60c5bc9c2e33988db7e626affd0e8534882e9367448bb3215bd4515e9159c616d5202456992bce7bcdb3dd19070fc7ab606

Download Submit
memory/856-155-0x0000000000000000-mapping.dmp

Download
memory/2752-138-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/2752-137-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/2752-133-0x0000000000000000-mapping.dmp

Download
memory/3664-143-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3664-140-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3664-139-0x0000000000000000-mapping.dmp

Download
memory/3664-141-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3664-142-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3664-144-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4444-151-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4444-145-0x0000000000000000-mapping.dmp

Download
memory/4444-153-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4712-149-0x0000000000000000-mapping.dmp

Download
memory/4712-152-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4712-154-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4812-136-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4812-132-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads