darkcomet | 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694

Analysis

max time kernel
57s
max time network
55s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe
Size

2.9MB
MD5

df7bf31aea132aca10366ae20dd0c350
SHA1

dba114d4074f3f338940bdb075bbda26172c53db
SHA256

8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694
SHA512

e86224122b1faaba9ec590eae700b435ad7cd8881d141c8ba0d9ec07b179bd7fd1418d4024fc2b3c05ec08ed8463d84f132dc250be4d4a3c59301424af6c1cb3
SSDEEP

49152:LMnXXFJkevVRBhRFGdPWgaqWMZYANAPc+N3MTrDOyD9Eh6kScQhACeHrIF:PSLTeZHrSgEh6krQKC08

Score

10^/10

darkcomet main evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Main

24.13.208.88:100

jaxxyisboss.zapto.org:100

Mutex

DC_MUTEX-C0UC4KU

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
w4i0rGCzp71f
install
true
offline_keylogger
true
persistence
true
reg_key
Microsoft Defender

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	cvtres.exe

Executes dropped EXE 3 IoCs

Processes:

msconfig.exeJAXXY SKYPE BOT.EXEmsdcsc.exe

pid process

864 msconfig.exe
1948 JAXXY SKYPE BOT.EXE
1928 msdcsc.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1336 attrib.exe
680 attrib.exe

pid	process
864	msconfig.exe
1948	JAXXY SKYPE BOT.EXE
1928	msdcsc.exe

pid	process
1336	attrib.exe
680	attrib.exe

Loads dropped DLL 4 IoCs

Processes:

8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.execvtres.exe

pid	process
1492	8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe
1492	8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe
1352	cvtres.exe
1352	cvtres.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msconfig.execvtres.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	msconfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe"	msconfig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	msconfig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe"	msconfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Defender = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	cvtres.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msconfig.exe

description pid process target process

PID 864 set thread context of 1352 864 msconfig.exe cvtres.exe

description	pid	process	target process
PID 864 set thread context of 1352	864	msconfig.exe	cvtres.exe

Drops file in Windows directory 2 IoCs

Processes:

attrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

cvtres.exeJAXXY SKYPE BOT.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	1352	cvtres.exe
Token: SeSecurityPrivilege	1352	cvtres.exe
Token: SeTakeOwnershipPrivilege	1352	cvtres.exe
Token: SeLoadDriverPrivilege	1352	cvtres.exe
Token: SeSystemProfilePrivilege	1352	cvtres.exe
Token: SeSystemtimePrivilege	1352	cvtres.exe
Token: SeProfSingleProcessPrivilege	1352	cvtres.exe
Token: SeIncBasePriorityPrivilege	1352	cvtres.exe
Token: SeCreatePagefilePrivilege	1352	cvtres.exe
Token: SeBackupPrivilege	1352	cvtres.exe
Token: SeRestorePrivilege	1352	cvtres.exe
Token: SeShutdownPrivilege	1352	cvtres.exe
Token: SeDebugPrivilege	1352	cvtres.exe
Token: SeSystemEnvironmentPrivilege	1352	cvtres.exe
Token: SeChangeNotifyPrivilege	1352	cvtres.exe
Token: SeRemoteShutdownPrivilege	1352	cvtres.exe
Token: SeUndockPrivilege	1352	cvtres.exe
Token: SeManageVolumePrivilege	1352	cvtres.exe
Token: SeImpersonatePrivilege	1352	cvtres.exe
Token: SeCreateGlobalPrivilege	1352	cvtres.exe
Token: 33	1352	cvtres.exe
Token: 34	1352	cvtres.exe
Token: 35	1352	cvtres.exe
Token: SeDebugPrivilege	1948	JAXXY SKYPE BOT.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exemsconfig.execvtres.execmd.execmd.exe

description	pid	process	target process
PID 1492 wrote to memory of 864	1492	8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe	msconfig.exe
PID 1492 wrote to memory of 864	1492	8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe	msconfig.exe
PID 1492 wrote to memory of 864	1492	8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe	msconfig.exe
PID 1492 wrote to memory of 864	1492	8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe	msconfig.exe
PID 864 wrote to memory of 1352	864	msconfig.exe	cvtres.exe
PID 864 wrote to memory of 1352	864	msconfig.exe	cvtres.exe
PID 864 wrote to memory of 1352	864	msconfig.exe	cvtres.exe
PID 864 wrote to memory of 1352	864	msconfig.exe	cvtres.exe
PID 864 wrote to memory of 1352	864	msconfig.exe	cvtres.exe
PID 864 wrote to memory of 1352	864	msconfig.exe	cvtres.exe
PID 864 wrote to memory of 1352	864	msconfig.exe	cvtres.exe
PID 864 wrote to memory of 1352	864	msconfig.exe	cvtres.exe
PID 864 wrote to memory of 1352	864	msconfig.exe	cvtres.exe
PID 864 wrote to memory of 1352	864	msconfig.exe	cvtres.exe
PID 864 wrote to memory of 1352	864	msconfig.exe	cvtres.exe
PID 864 wrote to memory of 1352	864	msconfig.exe	cvtres.exe
PID 864 wrote to memory of 1352	864	msconfig.exe	cvtres.exe
PID 1352 wrote to memory of 2020	1352	cvtres.exe	cmd.exe
PID 1352 wrote to memory of 2020	1352	cvtres.exe	cmd.exe
PID 1352 wrote to memory of 2020	1352	cvtres.exe	cmd.exe
PID 1352 wrote to memory of 2020	1352	cvtres.exe	cmd.exe
PID 1352 wrote to memory of 1536	1352	cvtres.exe	cmd.exe
PID 1352 wrote to memory of 1536	1352	cvtres.exe	cmd.exe
PID 1352 wrote to memory of 1536	1352	cvtres.exe	cmd.exe
PID 1352 wrote to memory of 1536	1352	cvtres.exe	cmd.exe
PID 1352 wrote to memory of 1948	1352	cvtres.exe	JAXXY SKYPE BOT.EXE
PID 1352 wrote to memory of 1948	1352	cvtres.exe	JAXXY SKYPE BOT.EXE
PID 1352 wrote to memory of 1948	1352	cvtres.exe	JAXXY SKYPE BOT.EXE
PID 1352 wrote to memory of 1948	1352	cvtres.exe	JAXXY SKYPE BOT.EXE
PID 2020 wrote to memory of 1336	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 1336	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 1336	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 1336	2020	cmd.exe	attrib.exe
PID 1536 wrote to memory of 680	1536	cmd.exe	attrib.exe
PID 1536 wrote to memory of 680	1536	cmd.exe	attrib.exe
PID 1536 wrote to memory of 680	1536	cmd.exe	attrib.exe
PID 1536 wrote to memory of 680	1536	cmd.exe	attrib.exe
PID 1352 wrote to memory of 1928	1352	cvtres.exe	msdcsc.exe
PID 1352 wrote to memory of 1928	1352	cvtres.exe	msdcsc.exe
PID 1352 wrote to memory of 1928	1352	cvtres.exe	msdcsc.exe
PID 1352 wrote to memory of 1928	1352	cvtres.exe	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1336 attrib.exe
680 attrib.exe

pid	process
1336	attrib.exe
680	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe
"C:\Users\Admin\AppData\Local\Temp\8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Roaming\msconfig.exe
"C:\Users\Admin\AppData\Roaming\msconfig.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
3⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
5⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
5⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:680

C:\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE
"C:\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Executes dropped EXE
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE
Filesize
1.8MB

MD5
4ba0b86113558f1a2056b81ebae2907f

SHA1
617b31d2ee0035f7124553a49cc4b296c5daa46a

SHA256
6dde2bdb73e20b0054ec960a581129598b643d54159204c6cd8868a038eaab36

SHA512
c1056fcaf32d6098706dca9a3fae74b3c045db991434252f7e4f91cf8daa4078b8f0ab9408ce1b9b6821321d31a0d00377b40920ccee2ff7a9f1a9fe57842500

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE
Filesize
1.8MB

MD5
4ba0b86113558f1a2056b81ebae2907f

SHA1
617b31d2ee0035f7124553a49cc4b296c5daa46a

SHA256
6dde2bdb73e20b0054ec960a581129598b643d54159204c6cd8868a038eaab36

SHA512
c1056fcaf32d6098706dca9a3fae74b3c045db991434252f7e4f91cf8daa4078b8f0ab9408ce1b9b6821321d31a0d00377b40920ccee2ff7a9f1a9fe57842500

Download Submit
C:\Users\Admin\AppData\Roaming\msconfig.exe
Filesize
2.9MB

MD5
df7bf31aea132aca10366ae20dd0c350

SHA1
dba114d4074f3f338940bdb075bbda26172c53db

SHA256
8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694

SHA512
e86224122b1faaba9ec590eae700b435ad7cd8881d141c8ba0d9ec07b179bd7fd1418d4024fc2b3c05ec08ed8463d84f132dc250be4d4a3c59301424af6c1cb3

Download Submit
C:\Users\Admin\AppData\Roaming\msconfig.exe
Filesize
2.9MB

MD5
df7bf31aea132aca10366ae20dd0c350

SHA1
dba114d4074f3f338940bdb075bbda26172c53db

SHA256
8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694

SHA512
e86224122b1faaba9ec590eae700b435ad7cd8881d141c8ba0d9ec07b179bd7fd1418d4024fc2b3c05ec08ed8463d84f132dc250be4d4a3c59301424af6c1cb3

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE
Filesize
1.8MB

MD5
4ba0b86113558f1a2056b81ebae2907f

SHA1
617b31d2ee0035f7124553a49cc4b296c5daa46a

SHA256
6dde2bdb73e20b0054ec960a581129598b643d54159204c6cd8868a038eaab36

SHA512
c1056fcaf32d6098706dca9a3fae74b3c045db991434252f7e4f91cf8daa4078b8f0ab9408ce1b9b6821321d31a0d00377b40920ccee2ff7a9f1a9fe57842500

Download Submit
\Users\Admin\AppData\Roaming\msconfig.exe
Filesize
2.9MB

MD5
df7bf31aea132aca10366ae20dd0c350

SHA1
dba114d4074f3f338940bdb075bbda26172c53db

SHA256
8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694

SHA512
e86224122b1faaba9ec590eae700b435ad7cd8881d141c8ba0d9ec07b179bd7fd1418d4024fc2b3c05ec08ed8463d84f132dc250be4d4a3c59301424af6c1cb3

Download Submit
\Users\Admin\AppData\Roaming\msconfig.exe
Filesize
2.9MB

MD5
df7bf31aea132aca10366ae20dd0c350

SHA1
dba114d4074f3f338940bdb075bbda26172c53db

SHA256
8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694

SHA512
e86224122b1faaba9ec590eae700b435ad7cd8881d141c8ba0d9ec07b179bd7fd1418d4024fc2b3c05ec08ed8463d84f132dc250be4d4a3c59301424af6c1cb3

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/680-92-0x0000000000000000-mapping.dmp

Download
memory/864-58-0x0000000000000000-mapping.dmp

Download
memory/864-62-0x00000000744C0000-0x0000000074A6B000-memory.dmp

Filesize
5.7MB

Download
memory/864-81-0x00000000744C0000-0x0000000074A6B000-memory.dmp

Filesize
5.7MB

Download
memory/1336-91-0x0000000000000000-mapping.dmp

Download
memory/1352-64-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/1352-67-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/1352-76-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/1352-78-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/1352-80-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/1352-73-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/1352-79-0x000000000048F888-mapping.dmp

Download
memory/1352-83-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/1352-84-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/1352-97-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/1352-65-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/1352-71-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/1352-69-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/1352-74-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/1492-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1492-63-0x00000000744C0000-0x0000000074A6B000-memory.dmp

Filesize
5.7MB

Download
memory/1492-55-0x00000000744C0000-0x0000000074A6B000-memory.dmp

Filesize
5.7MB

Download
memory/1536-86-0x0000000000000000-mapping.dmp

Download
memory/1928-95-0x0000000000000000-mapping.dmp

Download
memory/1948-88-0x0000000000000000-mapping.dmp

Download
memory/1948-93-0x0000000000380000-0x000000000055E000-memory.dmp

Filesize
1.9MB

Download
memory/1948-99-0x0000000005CE0000-0x0000000005EF2000-memory.dmp

Filesize
2.1MB

Download
memory/1948-100-0x0000000004C65000-0x0000000004C76000-memory.dmp

Filesize
68KB

Download
memory/1948-101-0x0000000004C65000-0x0000000004C76000-memory.dmp

Filesize
68KB

Download
memory/2020-85-0x0000000000000000-mapping.dmp

Download