darkcomet | fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d

General

Target

fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe
Size

2.6MB
MD5

10c0e1e14e177d1486d99c3a91d84969
SHA1

c0b90a929ff7a8c1c14ee554f2cc55a39605217e
SHA256

fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d
SHA512

2d83e9fd63d40c2ee020c63878e2c5e421944a458f516741cfefa539de3649f59e3c64dfeab3496dd8c291a4f9756cc37cc3fe5f59d2e861e5a8553f417d3237
SSDEEP

49152:Txjs/ylV/q8f7NHOiCR577tOReeel4+GnBdJFEwks51SjaU7/fMP0:TxcylVyABa5PgdFZnBtE+10

Score

10^/10

darkcomet ±ö¿í16 bootkit evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

±ö¿Í16

C2

heiseyinmou.gnway.net:2012

Mutex

DC_MUTEX-F4ZWV0U

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
czMVsH3hot1Q
install
true
offline_keylogger
true
persistence
true
reg_key
΢�͸��

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

okko1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	okko1.exe

Executes dropped EXE 3 IoCs

Processes:

maqi1.exeokko1.exemsdcsc.exe

pid process

4128 maqi1.exe
4512 okko1.exe
4716 msdcsc.exe

pid	process
4128	maqi1.exe
4512	okko1.exe
4716	msdcsc.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exeWScript.exeokko1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	okko1.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

okko1.exemsdcsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine	okko1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

okko1.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Î¢ÐÍ¸üÐÂ = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	okko1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Î¢ÐÍ¸üÐÂ = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

okko1.exemsdcsc.exe

description ioc process

File opened for modification \??\PhysicalDrive0 okko1.exe
File opened for modification \??\PhysicalDrive0 msdcsc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

okko1.exemsdcsc.exe

pid process

4512 okko1.exe
4716 msdcsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	okko1.exe
File opened for modification	\??\PhysicalDrive0	msdcsc.exe

pid	process
4512	okko1.exe
4716	msdcsc.exe

Modifies registry class 2 IoCs

Processes:

fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exeokko1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	okko1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

okko1.exemsdcsc.exe

pid process

4512 okko1.exe
4512 okko1.exe
4716 msdcsc.exe
4716 msdcsc.exe

pid	process
4512	okko1.exe
4512	okko1.exe
4716	msdcsc.exe
4716	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

okko1.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4512	okko1.exe
Token: SeSecurityPrivilege	4512	okko1.exe
Token: SeTakeOwnershipPrivilege	4512	okko1.exe
Token: SeLoadDriverPrivilege	4512	okko1.exe
Token: SeSystemProfilePrivilege	4512	okko1.exe
Token: SeSystemtimePrivilege	4512	okko1.exe
Token: SeProfSingleProcessPrivilege	4512	okko1.exe
Token: SeIncBasePriorityPrivilege	4512	okko1.exe
Token: SeCreatePagefilePrivilege	4512	okko1.exe
Token: SeBackupPrivilege	4512	okko1.exe
Token: SeRestorePrivilege	4512	okko1.exe
Token: SeShutdownPrivilege	4512	okko1.exe
Token: SeDebugPrivilege	4512	okko1.exe
Token: SeSystemEnvironmentPrivilege	4512	okko1.exe
Token: SeChangeNotifyPrivilege	4512	okko1.exe
Token: SeRemoteShutdownPrivilege	4512	okko1.exe
Token: SeUndockPrivilege	4512	okko1.exe
Token: SeManageVolumePrivilege	4512	okko1.exe
Token: SeImpersonatePrivilege	4512	okko1.exe
Token: SeCreateGlobalPrivilege	4512	okko1.exe
Token: 33	4512	okko1.exe
Token: 34	4512	okko1.exe
Token: 35	4512	okko1.exe
Token: 36	4512	okko1.exe
Token: SeIncreaseQuotaPrivilege	4716	msdcsc.exe
Token: SeSecurityPrivilege	4716	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4716	msdcsc.exe
Token: SeLoadDriverPrivilege	4716	msdcsc.exe
Token: SeSystemProfilePrivilege	4716	msdcsc.exe
Token: SeSystemtimePrivilege	4716	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4716	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4716	msdcsc.exe
Token: SeCreatePagefilePrivilege	4716	msdcsc.exe
Token: SeBackupPrivilege	4716	msdcsc.exe
Token: SeRestorePrivilege	4716	msdcsc.exe
Token: SeShutdownPrivilege	4716	msdcsc.exe
Token: SeDebugPrivilege	4716	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4716	msdcsc.exe
Token: SeChangeNotifyPrivilege	4716	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4716	msdcsc.exe
Token: SeUndockPrivilege	4716	msdcsc.exe
Token: SeManageVolumePrivilege	4716	msdcsc.exe
Token: SeImpersonatePrivilege	4716	msdcsc.exe
Token: SeCreateGlobalPrivilege	4716	msdcsc.exe
Token: 33	4716	msdcsc.exe
Token: 34	4716	msdcsc.exe
Token: 35	4716	msdcsc.exe
Token: 36	4716	msdcsc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

maqi1.exemsdcsc.exe

pid process

4128 maqi1.exe
4128 maqi1.exe
4716 msdcsc.exe

pid	process
4128	maqi1.exe
4128	maqi1.exe
4716	msdcsc.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exeWScript.execmd.execmd.exeokko1.exe

description	pid	process	target process
PID 748 wrote to memory of 4956	748	fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe	WScript.exe
PID 748 wrote to memory of 4956	748	fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe	WScript.exe
PID 748 wrote to memory of 4956	748	fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe	WScript.exe
PID 4956 wrote to memory of 3360	4956	WScript.exe	cmd.exe
PID 4956 wrote to memory of 3360	4956	WScript.exe	cmd.exe
PID 4956 wrote to memory of 3360	4956	WScript.exe	cmd.exe
PID 4956 wrote to memory of 2968	4956	WScript.exe	cmd.exe
PID 4956 wrote to memory of 2968	4956	WScript.exe	cmd.exe
PID 4956 wrote to memory of 2968	4956	WScript.exe	cmd.exe
PID 3360 wrote to memory of 4128	3360	cmd.exe	maqi1.exe
PID 3360 wrote to memory of 4128	3360	cmd.exe	maqi1.exe
PID 3360 wrote to memory of 4128	3360	cmd.exe	maqi1.exe
PID 2968 wrote to memory of 4512	2968	cmd.exe	okko1.exe
PID 2968 wrote to memory of 4512	2968	cmd.exe	okko1.exe
PID 2968 wrote to memory of 4512	2968	cmd.exe	okko1.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4848	4512	okko1.exe	notepad.exe
PID 4512 wrote to memory of 4716	4512	okko1.exe	msdcsc.exe
PID 4512 wrote to memory of 4716	4512	okko1.exe	msdcsc.exe
PID 4512 wrote to memory of 4716	4512	okko1.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe
"C:\Users\Admin\AppData\Local\Temp\fff04b5cd9e1a52c1f5c7c99367f7bd9b3a7d681740f4e53bb353879d598ca0d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c maqi1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3360

C:\Users\Admin\AppData\Local\Temp\RarSFX0\maqi1.exe
maqi1.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c okko1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\RarSFX0\okko1.exe
okko1.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Identifies Wine through registry keys
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:4848

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
5⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.vbs
Filesize
106B

MD5
e747a0e254ab7f22c2b8ee54df6e5bb8

SHA1
92a5caa16fd59ddebdf587ba4a63ac51803180a6

SHA256
27748d903993b59f21a8d6ed85a0c20be4a5eabb87812c084a72354386146cd3

SHA512
a9e2759db18734c0ef1dadee1fa98d459f6efbdf37197f3df76671e22da11440062dc06108529d6c7272f9a875c51b1a78c635a72c3c87ebca3940ce763d8fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\maqi1.exe
Filesize
20KB

MD5
5eff78e5cca75e6c30fc246d788a6ab2

SHA1
8b09f99a3304afa60ef0559efbc94162de09ca39

SHA256
01960035d76685f023298fd55d5ff2da022ca531673e517eed5c28bb7f8e4e33

SHA512
ce6b16cbe6f4633f0f19c1de496f8a67e47dfb7db7e4dd4b3bb6c36ae8908b34c4ffd6a3e2552ef634ab9f296b2075c476cff257f72692cb9bd0458bc41c8d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\maqi1.exe
Filesize
20KB

MD5
5eff78e5cca75e6c30fc246d788a6ab2

SHA1
8b09f99a3304afa60ef0559efbc94162de09ca39

SHA256
01960035d76685f023298fd55d5ff2da022ca531673e517eed5c28bb7f8e4e33

SHA512
ce6b16cbe6f4633f0f19c1de496f8a67e47dfb7db7e4dd4b3bb6c36ae8908b34c4ffd6a3e2552ef634ab9f296b2075c476cff257f72692cb9bd0458bc41c8d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\okko1.exe
Filesize
2.6MB

MD5
31cf3cc235759304d54b64e35356baa0

SHA1
ea2d45d27e152341d0b9a4a3302f93b71ac9234d

SHA256
a277106c79599bf4fea2a16a04ee9836ce032b1a2b919a75591b3bb8dd84dc27

SHA512
da13df4f95585d73db363d7978bf836178a483781ade674b7b21b01cc2dcfd591fff7a10002a9fb1057945816f835076bd66c5a7a1afff4a4a724fa7749641c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\okko1.exe
Filesize
2.6MB

MD5
31cf3cc235759304d54b64e35356baa0

SHA1
ea2d45d27e152341d0b9a4a3302f93b71ac9234d

SHA256
a277106c79599bf4fea2a16a04ee9836ce032b1a2b919a75591b3bb8dd84dc27

SHA512
da13df4f95585d73db363d7978bf836178a483781ade674b7b21b01cc2dcfd591fff7a10002a9fb1057945816f835076bd66c5a7a1afff4a4a724fa7749641c4

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.6MB

MD5
31cf3cc235759304d54b64e35356baa0

SHA1
ea2d45d27e152341d0b9a4a3302f93b71ac9234d

SHA256
a277106c79599bf4fea2a16a04ee9836ce032b1a2b919a75591b3bb8dd84dc27

SHA512
da13df4f95585d73db363d7978bf836178a483781ade674b7b21b01cc2dcfd591fff7a10002a9fb1057945816f835076bd66c5a7a1afff4a4a724fa7749641c4

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
2.6MB

MD5
31cf3cc235759304d54b64e35356baa0

SHA1
ea2d45d27e152341d0b9a4a3302f93b71ac9234d

SHA256
a277106c79599bf4fea2a16a04ee9836ce032b1a2b919a75591b3bb8dd84dc27

SHA512
da13df4f95585d73db363d7978bf836178a483781ade674b7b21b01cc2dcfd591fff7a10002a9fb1057945816f835076bd66c5a7a1afff4a4a724fa7749641c4

Download Submit
memory/2968-135-0x0000000000000000-mapping.dmp

Download
memory/3360-134-0x0000000000000000-mapping.dmp

Download
memory/4128-136-0x0000000000000000-mapping.dmp

Download
memory/4512-142-0x0000000000400000-0x000000000096E000-memory.dmp

Filesize
5.4MB

Download
memory/4512-144-0x0000000000400000-0x000000000096E000-memory.dmp

Filesize
5.4MB

Download
memory/4512-139-0x0000000000000000-mapping.dmp

Download
memory/4512-150-0x0000000000400000-0x000000000096E000-memory.dmp

Filesize
5.4MB

Download
memory/4716-145-0x0000000000000000-mapping.dmp

Download
memory/4716-148-0x0000000000400000-0x000000000096E000-memory.dmp

Filesize
5.4MB

Download
memory/4716-149-0x0000000000400000-0x000000000096E000-memory.dmp

Filesize
5.4MB

Download
memory/4716-151-0x0000000000400000-0x000000000096E000-memory.dmp

Filesize
5.4MB

Download
memory/4716-152-0x0000000000400000-0x000000000096E000-memory.dmp

Filesize
5.4MB

Download
memory/4848-143-0x0000000000000000-mapping.dmp

Download
memory/4956-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads