darkcomet | e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06

General

Target

e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe
Size

535KB
MD5

252d4d4997d37d0ad7b88a3ebfdb96f0
SHA1

c51f3776b453a0a57595b321310540c205065b4d
SHA256

e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06
SHA512

73b8b03f6f518bdd8cc455c99bf5a0fc38859fdba71a4909a2d3eb74ab41560413ee3586a7ffaeb1f7e7b847a21b9580d60acaff73b275a3989c6458d1781a8a
SSDEEP

12288:3Xll+0/DI4Ke9bCNHbYrbv2U7HN/uySx3mciAdBiJR4eOv:Hf+OlCa3+68r3kAdBm4eO

Score

10^/10

darkcomet system rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

system

C2

24.136.28.66:1604

192.168.1.131:1604

Mutex

DC_MUTEX-NQ4XPAZ

Attributes

gencode
PF8aTL5ndieB
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3260 svchost.exe

pid	process
3260	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe

description	pid	process	target process
PID 5068 set thread context of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe

pid	process
5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe
5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe
5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe
5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe
5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe
5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe
5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe
Token: SeIncreaseQuotaPrivilege	3260	svchost.exe
Token: SeSecurityPrivilege	3260	svchost.exe
Token: SeTakeOwnershipPrivilege	3260	svchost.exe
Token: SeLoadDriverPrivilege	3260	svchost.exe
Token: SeSystemProfilePrivilege	3260	svchost.exe
Token: SeSystemtimePrivilege	3260	svchost.exe
Token: SeProfSingleProcessPrivilege	3260	svchost.exe
Token: SeIncBasePriorityPrivilege	3260	svchost.exe
Token: SeCreatePagefilePrivilege	3260	svchost.exe
Token: SeBackupPrivilege	3260	svchost.exe
Token: SeRestorePrivilege	3260	svchost.exe
Token: SeShutdownPrivilege	3260	svchost.exe
Token: SeDebugPrivilege	3260	svchost.exe
Token: SeSystemEnvironmentPrivilege	3260	svchost.exe
Token: SeChangeNotifyPrivilege	3260	svchost.exe
Token: SeRemoteShutdownPrivilege	3260	svchost.exe
Token: SeUndockPrivilege	3260	svchost.exe
Token: SeManageVolumePrivilege	3260	svchost.exe
Token: SeImpersonatePrivilege	3260	svchost.exe
Token: SeCreateGlobalPrivilege	3260	svchost.exe
Token: 33	3260	svchost.exe
Token: 34	3260	svchost.exe
Token: 35	3260	svchost.exe
Token: 36	3260	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

3260 svchost.exe

pid	process
3260	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe

description	pid	process	target process
PID 5068 wrote to memory of 4348	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	WScript.exe
PID 5068 wrote to memory of 4348	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	WScript.exe
PID 5068 wrote to memory of 4348	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	WScript.exe
PID 5068 wrote to memory of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe
PID 5068 wrote to memory of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe
PID 5068 wrote to memory of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe
PID 5068 wrote to memory of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe
PID 5068 wrote to memory of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe
PID 5068 wrote to memory of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe
PID 5068 wrote to memory of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe
PID 5068 wrote to memory of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe
PID 5068 wrote to memory of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe
PID 5068 wrote to memory of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe
PID 5068 wrote to memory of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe
PID 5068 wrote to memory of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe
PID 5068 wrote to memory of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe
PID 5068 wrote to memory of 3260	5068	e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe
"C:\Users\Admin\AppData\Local\Temp\e4820efe07e3cdb32280ba121334c486bc5d12f39d3f7de2db3d700f6f36ad06.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc.vbs"
2⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cc.vbs
Filesize
358B

MD5
2e89a57d44b8f3db3b4e18e4e8784d0e

SHA1
3d26feaa41679a5e6db22a957790232ea3f08728

SHA256
31a5d6b7508843ffa98459a03cfb4d72c728068a6e62aa1cd41d4ed052eceac7

SHA512
63c4cfa5e3d05a7d02c719a364bdfd8110ed062f6177e25d359da098a2a88182d286f72d9bbd3c144fbf7a2ce41172c9c67784a622c0a7d354fe4b984f1fe387

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
memory/3260-140-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3260-137-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3260-136-0x0000000000000000-mapping.dmp

Download
memory/3260-142-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3260-145-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3260-146-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3260-147-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4348-135-0x0000000000000000-mapping.dmp

Download
memory/5068-133-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-134-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-144-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads