darkcomet | 8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694

General

Target

8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe
Size

2.9MB
MD5

df7bf31aea132aca10366ae20dd0c350
SHA1

dba114d4074f3f338940bdb075bbda26172c53db
SHA256

8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694
SHA512

e86224122b1faaba9ec590eae700b435ad7cd8881d141c8ba0d9ec07b179bd7fd1418d4024fc2b3c05ec08ed8463d84f132dc250be4d4a3c59301424af6c1cb3
SSDEEP

49152:LMnXXFJkevVRBhRFGdPWgaqWMZYANAPc+N3MTrDOyD9Eh6kScQhACeHrIF:PSLTeZHrSgEh6krQKC08

Score

10^/10

darkcomet main evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Main

C2

24.13.208.88:100

jaxxyisboss.zapto.org:100

Mutex

DC_MUTEX-C0UC4KU

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
w4i0rGCzp71f
install
true
offline_keylogger
true
persistence
true
reg_key
Microsoft Defender

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	cvtres.exe

Executes dropped EXE 3 IoCs

Processes:

msconfig.exeJAXXY SKYPE BOT.EXEmsdcsc.exe

pid process

3068 msconfig.exe
3636 JAXXY SKYPE BOT.EXE
2736 msdcsc.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4368 attrib.exe
4904 attrib.exe

pid	process
3068	msconfig.exe
3636	JAXXY SKYPE BOT.EXE
2736	msdcsc.exe

pid	process
4368	attrib.exe
4904	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msconfig.execvtres.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe"	msconfig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	msconfig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe"	msconfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Defender = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	cvtres.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	msconfig.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msconfig.exe

description pid process target process

PID 3068 set thread context of 372 3068 msconfig.exe cvtres.exe

description	pid	process	target process
PID 3068 set thread context of 372	3068	msconfig.exe	cvtres.exe

Drops file in Windows directory 2 IoCs

Processes:

attrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cvtres.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ cvtres.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cvtres.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

cvtres.exeJAXXY SKYPE BOT.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	372	cvtres.exe
Token: SeSecurityPrivilege	372	cvtres.exe
Token: SeTakeOwnershipPrivilege	372	cvtres.exe
Token: SeLoadDriverPrivilege	372	cvtres.exe
Token: SeSystemProfilePrivilege	372	cvtres.exe
Token: SeSystemtimePrivilege	372	cvtres.exe
Token: SeProfSingleProcessPrivilege	372	cvtres.exe
Token: SeIncBasePriorityPrivilege	372	cvtres.exe
Token: SeCreatePagefilePrivilege	372	cvtres.exe
Token: SeBackupPrivilege	372	cvtres.exe
Token: SeRestorePrivilege	372	cvtres.exe
Token: SeShutdownPrivilege	372	cvtres.exe
Token: SeDebugPrivilege	372	cvtres.exe
Token: SeSystemEnvironmentPrivilege	372	cvtres.exe
Token: SeChangeNotifyPrivilege	372	cvtres.exe
Token: SeRemoteShutdownPrivilege	372	cvtres.exe
Token: SeUndockPrivilege	372	cvtres.exe
Token: SeManageVolumePrivilege	372	cvtres.exe
Token: SeImpersonatePrivilege	372	cvtres.exe
Token: SeCreateGlobalPrivilege	372	cvtres.exe
Token: 33	372	cvtres.exe
Token: 34	372	cvtres.exe
Token: 35	372	cvtres.exe
Token: 36	372	cvtres.exe
Token: SeDebugPrivilege	3636	JAXXY SKYPE BOT.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exemsconfig.execvtres.execmd.execmd.exe

description	pid	process	target process
PID 2448 wrote to memory of 3068	2448	8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe	msconfig.exe
PID 2448 wrote to memory of 3068	2448	8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe	msconfig.exe
PID 2448 wrote to memory of 3068	2448	8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe	msconfig.exe
PID 3068 wrote to memory of 372	3068	msconfig.exe	cvtres.exe
PID 3068 wrote to memory of 372	3068	msconfig.exe	cvtres.exe
PID 3068 wrote to memory of 372	3068	msconfig.exe	cvtres.exe
PID 3068 wrote to memory of 372	3068	msconfig.exe	cvtres.exe
PID 3068 wrote to memory of 372	3068	msconfig.exe	cvtres.exe
PID 3068 wrote to memory of 372	3068	msconfig.exe	cvtres.exe
PID 3068 wrote to memory of 372	3068	msconfig.exe	cvtres.exe
PID 3068 wrote to memory of 372	3068	msconfig.exe	cvtres.exe
PID 3068 wrote to memory of 372	3068	msconfig.exe	cvtres.exe
PID 3068 wrote to memory of 372	3068	msconfig.exe	cvtres.exe
PID 3068 wrote to memory of 372	3068	msconfig.exe	cvtres.exe
PID 3068 wrote to memory of 372	3068	msconfig.exe	cvtres.exe
PID 3068 wrote to memory of 372	3068	msconfig.exe	cvtres.exe
PID 3068 wrote to memory of 372	3068	msconfig.exe	cvtres.exe
PID 372 wrote to memory of 4524	372	cvtres.exe	cmd.exe
PID 372 wrote to memory of 4524	372	cvtres.exe	cmd.exe
PID 372 wrote to memory of 4524	372	cvtres.exe	cmd.exe
PID 372 wrote to memory of 2148	372	cvtres.exe	cmd.exe
PID 372 wrote to memory of 2148	372	cvtres.exe	cmd.exe
PID 372 wrote to memory of 2148	372	cvtres.exe	cmd.exe
PID 4524 wrote to memory of 4368	4524	cmd.exe	attrib.exe
PID 4524 wrote to memory of 4368	4524	cmd.exe	attrib.exe
PID 4524 wrote to memory of 4368	4524	cmd.exe	attrib.exe
PID 372 wrote to memory of 3636	372	cvtres.exe	JAXXY SKYPE BOT.EXE
PID 372 wrote to memory of 3636	372	cvtres.exe	JAXXY SKYPE BOT.EXE
PID 372 wrote to memory of 3636	372	cvtres.exe	JAXXY SKYPE BOT.EXE
PID 2148 wrote to memory of 4904	2148	cmd.exe	attrib.exe
PID 2148 wrote to memory of 4904	2148	cmd.exe	attrib.exe
PID 2148 wrote to memory of 4904	2148	cmd.exe	attrib.exe
PID 372 wrote to memory of 2736	372	cvtres.exe	msdcsc.exe
PID 372 wrote to memory of 2736	372	cvtres.exe	msdcsc.exe
PID 372 wrote to memory of 2736	372	cvtres.exe	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4368 attrib.exe
4904 attrib.exe

pid	process
4368	attrib.exe
4904	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe
"C:\Users\Admin\AppData\Local\Temp\8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Roaming\msconfig.exe
"C:\Users\Admin\AppData\Roaming\msconfig.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
3⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
5⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:4368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
5⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:4904

C:\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE
"C:\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Executes dropped EXE
PID:2736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE
Filesize
1.8MB

MD5
4ba0b86113558f1a2056b81ebae2907f

SHA1
617b31d2ee0035f7124553a49cc4b296c5daa46a

SHA256
6dde2bdb73e20b0054ec960a581129598b643d54159204c6cd8868a038eaab36

SHA512
c1056fcaf32d6098706dca9a3fae74b3c045db991434252f7e4f91cf8daa4078b8f0ab9408ce1b9b6821321d31a0d00377b40920ccee2ff7a9f1a9fe57842500

Download Submit
C:\Users\Admin\AppData\Local\Temp\JAXXY SKYPE BOT.EXE
Filesize
1.8MB

MD5
4ba0b86113558f1a2056b81ebae2907f

SHA1
617b31d2ee0035f7124553a49cc4b296c5daa46a

SHA256
6dde2bdb73e20b0054ec960a581129598b643d54159204c6cd8868a038eaab36

SHA512
c1056fcaf32d6098706dca9a3fae74b3c045db991434252f7e4f91cf8daa4078b8f0ab9408ce1b9b6821321d31a0d00377b40920ccee2ff7a9f1a9fe57842500

Download Submit
C:\Users\Admin\AppData\Roaming\msconfig.exe
Filesize
2.9MB

MD5
df7bf31aea132aca10366ae20dd0c350

SHA1
dba114d4074f3f338940bdb075bbda26172c53db

SHA256
8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694

SHA512
e86224122b1faaba9ec590eae700b435ad7cd8881d141c8ba0d9ec07b179bd7fd1418d4024fc2b3c05ec08ed8463d84f132dc250be4d4a3c59301424af6c1cb3

Download Submit
C:\Users\Admin\AppData\Roaming\msconfig.exe
Filesize
2.9MB

MD5
df7bf31aea132aca10366ae20dd0c350

SHA1
dba114d4074f3f338940bdb075bbda26172c53db

SHA256
8cf942d0ffc44688130c91a7fd76a72cfa5345f0a8aefd3adc7e68ed70340694

SHA512
e86224122b1faaba9ec590eae700b435ad7cd8881d141c8ba0d9ec07b179bd7fd1418d4024fc2b3c05ec08ed8463d84f132dc250be4d4a3c59301424af6c1cb3

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
memory/372-160-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/372-139-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/372-140-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/372-141-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/372-143-0x0000000000400000-0x00000000006BE000-memory.dmp

Filesize
2.7MB

Download
memory/372-138-0x0000000000000000-mapping.dmp

Download
memory/2148-145-0x0000000000000000-mapping.dmp

Download
memory/2448-132-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/2448-137-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/2736-155-0x0000000000000000-mapping.dmp

Download
memory/3068-142-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3068-136-0x00000000749B0000-0x0000000074F61000-memory.dmp

Filesize
5.7MB

Download
memory/3068-133-0x0000000000000000-mapping.dmp

Download
memory/3636-153-0x0000000006090000-0x0000000006634000-memory.dmp

Filesize
5.6MB

Download
memory/3636-152-0x0000000005890000-0x000000000592C000-memory.dmp

Filesize
624KB

Download
memory/3636-151-0x0000000000D70000-0x0000000000F4E000-memory.dmp

Filesize
1.9MB

Download
memory/3636-154-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/3636-147-0x0000000000000000-mapping.dmp

Download
memory/3636-157-0x0000000005990000-0x000000000599A000-memory.dmp

Filesize
40KB

Download
memory/3636-158-0x0000000005BD0000-0x0000000005C26000-memory.dmp

Filesize
344KB

Download
memory/3636-161-0x0000000009A70000-0x0000000009AD6000-memory.dmp

Filesize
408KB

Download
memory/4368-146-0x0000000000000000-mapping.dmp

Download
memory/4524-144-0x0000000000000000-mapping.dmp

Download
memory/4904-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads