darkcomet | bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54

General

Target

bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe
Size

1.4MB
MD5

9dd38615196e4992a915698ed23d2aff
SHA1

67b50b4aa1b9e738b1c7d902e10dc66b6ab52681
SHA256

bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54
SHA512

1d4e280a002dd09ac102b1790f27fb68a28b0d1b1c6f73c7c25ca1f20971a5d09ed172888fe8317803600826d1a7cf4ae4f808652999bab418c1c52ceb1fdaf8
SSDEEP

24576:/SY34IXoDdLgzm1mvPJvVp9q8x2OVdtX95rZBlKsKEw2RTISmO:/NITovPJvHn28R/bLRTI

Score

10^/10

darkcomet minecraftgett0111 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

minecraftgett0111

C2

qwertyfuck.no-ip.biz:1604

Mutex

DC_MUTEX-GNGL16E

Attributes

gencode
EbPKlSTAN5A7
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

Minecraft Launcher by AnjoCaido.exe

pid process

4124 Minecraft Launcher by AnjoCaido.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1608 attrib.exe
2492 attrib.exe

pid	process
4124	Minecraft Launcher by AnjoCaido.exe

pid	process
1608	attrib.exe
2492	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDefender = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinDefender.Exe"	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe

description	pid	process	target process
PID 2128 set thread context of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe

Drops file in Windows directory 2 IoCs

Processes:

attrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

4136 vbc.exe

pid	process
4136	vbc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4136	vbc.exe
Token: SeSecurityPrivilege	4136	vbc.exe
Token: SeTakeOwnershipPrivilege	4136	vbc.exe
Token: SeLoadDriverPrivilege	4136	vbc.exe
Token: SeSystemProfilePrivilege	4136	vbc.exe
Token: SeSystemtimePrivilege	4136	vbc.exe
Token: SeProfSingleProcessPrivilege	4136	vbc.exe
Token: SeIncBasePriorityPrivilege	4136	vbc.exe
Token: SeCreatePagefilePrivilege	4136	vbc.exe
Token: SeBackupPrivilege	4136	vbc.exe
Token: SeRestorePrivilege	4136	vbc.exe
Token: SeShutdownPrivilege	4136	vbc.exe
Token: SeDebugPrivilege	4136	vbc.exe
Token: SeSystemEnvironmentPrivilege	4136	vbc.exe
Token: SeChangeNotifyPrivilege	4136	vbc.exe
Token: SeRemoteShutdownPrivilege	4136	vbc.exe
Token: SeUndockPrivilege	4136	vbc.exe
Token: SeManageVolumePrivilege	4136	vbc.exe
Token: SeImpersonatePrivilege	4136	vbc.exe
Token: SeCreateGlobalPrivilege	4136	vbc.exe
Token: 33	4136	vbc.exe
Token: 34	4136	vbc.exe
Token: 35	4136	vbc.exe
Token: 36	4136	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

4136 vbc.exe

pid	process
4136	vbc.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exevbc.execmd.execmd.exe

description	pid	process	target process
PID 2128 wrote to memory of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe
PID 2128 wrote to memory of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe
PID 2128 wrote to memory of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe
PID 2128 wrote to memory of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe
PID 2128 wrote to memory of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe
PID 2128 wrote to memory of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe
PID 2128 wrote to memory of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe
PID 2128 wrote to memory of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe
PID 2128 wrote to memory of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe
PID 2128 wrote to memory of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe
PID 2128 wrote to memory of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe
PID 2128 wrote to memory of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe
PID 2128 wrote to memory of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe
PID 2128 wrote to memory of 4136	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	vbc.exe
PID 4136 wrote to memory of 2704	4136	vbc.exe	cmd.exe
PID 4136 wrote to memory of 2704	4136	vbc.exe	cmd.exe
PID 4136 wrote to memory of 2704	4136	vbc.exe	cmd.exe
PID 2128 wrote to memory of 4124	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	Minecraft Launcher by AnjoCaido.exe
PID 2128 wrote to memory of 4124	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	Minecraft Launcher by AnjoCaido.exe
PID 2128 wrote to memory of 4124	2128	bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe	Minecraft Launcher by AnjoCaido.exe
PID 4136 wrote to memory of 4188	4136	vbc.exe	cmd.exe
PID 4136 wrote to memory of 4188	4136	vbc.exe	cmd.exe
PID 4136 wrote to memory of 4188	4136	vbc.exe	cmd.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 4136 wrote to memory of 224	4136	vbc.exe	notepad.exe
PID 2704 wrote to memory of 1608	2704	cmd.exe	attrib.exe
PID 2704 wrote to memory of 1608	2704	cmd.exe	attrib.exe
PID 2704 wrote to memory of 1608	2704	cmd.exe	attrib.exe
PID 4188 wrote to memory of 2492	4188	cmd.exe	attrib.exe
PID 4188 wrote to memory of 2492	4188	cmd.exe	attrib.exe
PID 4188 wrote to memory of 2492	4188	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1608 attrib.exe
2492 attrib.exe

pid	process
1608	attrib.exe
2492	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe
"C:\Users\Admin\AppData\Local\Temp\bed5f13fa6b1bc97b45f51896de414678f3b844d43613196dbe477dc26b36b54.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1608

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:2492

C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher by AnjoCaido.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher by AnjoCaido.exe"
2⤵
- Executes dropped EXE
PID:4124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher by AnjoCaido.exe
Filesize
679KB

MD5
605a171c61a0607bdcf6be80ed07cf95

SHA1
477d4391b0d84406127e43ead289a3596ac1e5e5

SHA256
09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9

SHA512
3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minecraft Launcher by AnjoCaido.exe
Filesize
679KB

MD5
605a171c61a0607bdcf6be80ed07cf95

SHA1
477d4391b0d84406127e43ead289a3596ac1e5e5

SHA256
09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9

SHA512
3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338

Download Submit
memory/224-143-0x0000000000000000-mapping.dmp

Download
memory/1608-145-0x0000000000000000-mapping.dmp

Download
memory/2128-142-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/2128-132-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/2492-146-0x0000000000000000-mapping.dmp

Download
memory/2704-137-0x0000000000000000-mapping.dmp

Download
memory/4124-138-0x0000000000000000-mapping.dmp

Download
memory/4136-136-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4136-135-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4136-144-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4136-134-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4136-133-0x0000000000000000-mapping.dmp

Download
memory/4136-147-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4188-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads