darkcomet | 9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697

General

Target

9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Size

341KB
MD5

6229ca5be4d9928440b3d842950f5346
SHA1

f3653d00a8a870a0437d18f3a4441ede275cbbf0
SHA256

9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697
SHA512

4607bac5b368fbe660ed6e3d3f572951f0d16b6401ba1dd791244ccf73ab15f169b073cdeb70f8bcbc289208bbde17ce96506195683a2566646dcbef498e91bc
SSDEEP

6144:Q8XdZ0iRwHoMg8HuRLp5RdHCmP2nwoQKnsv1ieNlBF:bfwIYuRLplCmPswo/sv1ieNlBF

Score

10^/10

darkcomet csrss evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

csrss

C2

armyk.no-ip.org:82

Mutex

DC_MUTEX-VS1TED3

Attributes

InstallPath
wuauclt.exe
gencode
MKcgY6l5UWgn
install
true
offline_keylogger
true
persistence
true
reg_key
Windows Update

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\wuauclt.exe"	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

wuauclt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	wuauclt.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	wuauclt.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	wuauclt.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

wuauclt.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" wuauclt.exe
Executes dropped EXE 2 IoCs

Processes:

wuauclt.exewuauclt.exe

pid process

2676 wuauclt.exe
5072 wuauclt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	wuauclt.exe

pid	process
2676	wuauclt.exe
5072	wuauclt.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4916-134-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4916-135-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4916-136-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4916-137-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4916-139-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4916-140-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5072-152-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4916-153-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5072-154-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exewuauclt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wuauclt.exe"	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wuauclt.exe"	wuauclt.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exewuauclt.exe

description	pid	process	target process
PID 4704 set thread context of 4916	4704	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
PID 2676 set thread context of 5072	2676	wuauclt.exe	wuauclt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exewuauclt.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeSecurityPrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeTakeOwnershipPrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeLoadDriverPrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeSystemProfilePrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeSystemtimePrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeProfSingleProcessPrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeIncBasePriorityPrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeCreatePagefilePrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeBackupPrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeRestorePrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeShutdownPrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeDebugPrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeSystemEnvironmentPrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeChangeNotifyPrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeRemoteShutdownPrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeUndockPrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeManageVolumePrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeImpersonatePrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeCreateGlobalPrivilege	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: 33	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: 34	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: 35	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: 36	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
Token: SeIncreaseQuotaPrivilege	5072	wuauclt.exe
Token: SeSecurityPrivilege	5072	wuauclt.exe
Token: SeTakeOwnershipPrivilege	5072	wuauclt.exe
Token: SeLoadDriverPrivilege	5072	wuauclt.exe
Token: SeSystemProfilePrivilege	5072	wuauclt.exe
Token: SeSystemtimePrivilege	5072	wuauclt.exe
Token: SeProfSingleProcessPrivilege	5072	wuauclt.exe
Token: SeIncBasePriorityPrivilege	5072	wuauclt.exe
Token: SeCreatePagefilePrivilege	5072	wuauclt.exe
Token: SeBackupPrivilege	5072	wuauclt.exe
Token: SeRestorePrivilege	5072	wuauclt.exe
Token: SeShutdownPrivilege	5072	wuauclt.exe
Token: SeDebugPrivilege	5072	wuauclt.exe
Token: SeSystemEnvironmentPrivilege	5072	wuauclt.exe
Token: SeChangeNotifyPrivilege	5072	wuauclt.exe
Token: SeRemoteShutdownPrivilege	5072	wuauclt.exe
Token: SeUndockPrivilege	5072	wuauclt.exe
Token: SeManageVolumePrivilege	5072	wuauclt.exe
Token: SeImpersonatePrivilege	5072	wuauclt.exe
Token: SeCreateGlobalPrivilege	5072	wuauclt.exe
Token: 33	5072	wuauclt.exe
Token: 34	5072	wuauclt.exe
Token: 35	5072	wuauclt.exe
Token: 36	5072	wuauclt.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wuauclt.exe

pid process

5072 wuauclt.exe

pid	process
5072	wuauclt.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exewuauclt.exewuauclt.exe

description	pid	process	target process
PID 4704 wrote to memory of 4916	4704	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
PID 4704 wrote to memory of 4916	4704	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
PID 4704 wrote to memory of 4916	4704	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
PID 4704 wrote to memory of 4916	4704	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
PID 4704 wrote to memory of 4916	4704	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
PID 4704 wrote to memory of 4916	4704	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
PID 4704 wrote to memory of 4916	4704	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
PID 4916 wrote to memory of 2676	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe	wuauclt.exe
PID 4916 wrote to memory of 2676	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe	wuauclt.exe
PID 4916 wrote to memory of 2676	4916	9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe	wuauclt.exe
PID 2676 wrote to memory of 5072	2676	wuauclt.exe	wuauclt.exe
PID 2676 wrote to memory of 5072	2676	wuauclt.exe	wuauclt.exe
PID 2676 wrote to memory of 5072	2676	wuauclt.exe	wuauclt.exe
PID 2676 wrote to memory of 5072	2676	wuauclt.exe	wuauclt.exe
PID 2676 wrote to memory of 5072	2676	wuauclt.exe	wuauclt.exe
PID 2676 wrote to memory of 5072	2676	wuauclt.exe	wuauclt.exe
PID 2676 wrote to memory of 5072	2676	wuauclt.exe	wuauclt.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe
PID 5072 wrote to memory of 2068	5072	wuauclt.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
"C:\Users\Admin\AppData\Local\Temp\9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4704

C:\Users\Admin\AppData\Local\Temp\9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe
"C:\Users\Admin\AppData\Local\Temp\9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\wuauclt.exe
"C:\Users\Admin\AppData\Local\Temp\wuauclt.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\wuauclt.exe
"C:\Users\Admin\AppData\Local\Temp\wuauclt.exe"
4⤵
- Modifies firewall policy service
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wuauclt.exe
Filesize
341KB

MD5
6229ca5be4d9928440b3d842950f5346

SHA1
f3653d00a8a870a0437d18f3a4441ede275cbbf0

SHA256
9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697

SHA512
4607bac5b368fbe660ed6e3d3f572951f0d16b6401ba1dd791244ccf73ab15f169b073cdeb70f8bcbc289208bbde17ce96506195683a2566646dcbef498e91bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuauclt.exe
Filesize
341KB

MD5
6229ca5be4d9928440b3d842950f5346

SHA1
f3653d00a8a870a0437d18f3a4441ede275cbbf0

SHA256
9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697

SHA512
4607bac5b368fbe660ed6e3d3f572951f0d16b6401ba1dd791244ccf73ab15f169b073cdeb70f8bcbc289208bbde17ce96506195683a2566646dcbef498e91bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuauclt.exe
Filesize
341KB

MD5
6229ca5be4d9928440b3d842950f5346

SHA1
f3653d00a8a870a0437d18f3a4441ede275cbbf0

SHA256
9315cd0bb5ff6c94749b70d3f29df3f770c4508987e0c09e7e5b61b9896ea697

SHA512
4607bac5b368fbe660ed6e3d3f572951f0d16b6401ba1dd791244ccf73ab15f169b073cdeb70f8bcbc289208bbde17ce96506195683a2566646dcbef498e91bc

Download Submit
memory/2068-151-0x0000000000000000-mapping.dmp

Download
memory/2676-149-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2676-141-0x0000000000000000-mapping.dmp

Download
memory/4704-132-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4704-138-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4916-140-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4916-139-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4916-137-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4916-136-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4916-135-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4916-134-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4916-133-0x0000000000000000-mapping.dmp

Download
memory/4916-153-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5072-144-0x0000000000000000-mapping.dmp

Download
memory/5072-152-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5072-154-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads