darkcomet | 582c956eca4b7c50142ee2858111282f734007b5ab9f795759550b4de637256e

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

582c956eca4b7c50142ee2858111282f734007b5ab9f795759550b4de637256e.exe
Size

809KB
MD5

10c608c2c1c01446e0b42519f0a08d00
SHA1

f5202815045a395aff805d517eb1fe2f8f7b4331
SHA256

582c956eca4b7c50142ee2858111282f734007b5ab9f795759550b4de637256e
SHA512

43a885ff331d3fe0f917ccdac4e06eec02a074c458ae8642c0cc2e2085bc6c069b7ee81bf458c265f4bf3b64ceae53a9ca59a95e13bd68168709a562ab856def
SSDEEP

12288:V4O9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hi:VDZ1xuVVjfFoynPaVBUR8f+kN10EB

Score

10^/10

darkcomet victime rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

victime

127.0.0.1:1604

Mutex

DC_MUTEX-XFK45XG

Attributes

gencode
zbWPFqA7rV0v
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 1 IoCs

Processes:

MINI JEUX.EXE

pid process

4248 MINI JEUX.EXE

pid	process
4248	MINI JEUX.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

582c956eca4b7c50142ee2858111282f734007b5ab9f795759550b4de637256e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	582c956eca4b7c50142ee2858111282f734007b5ab9f795759550b4de637256e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

MINI JEUX.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	4248	MINI JEUX.EXE
Token: SeSecurityPrivilege	4248	MINI JEUX.EXE
Token: SeTakeOwnershipPrivilege	4248	MINI JEUX.EXE
Token: SeLoadDriverPrivilege	4248	MINI JEUX.EXE
Token: SeSystemProfilePrivilege	4248	MINI JEUX.EXE
Token: SeSystemtimePrivilege	4248	MINI JEUX.EXE
Token: SeProfSingleProcessPrivilege	4248	MINI JEUX.EXE
Token: SeIncBasePriorityPrivilege	4248	MINI JEUX.EXE
Token: SeCreatePagefilePrivilege	4248	MINI JEUX.EXE
Token: SeBackupPrivilege	4248	MINI JEUX.EXE
Token: SeRestorePrivilege	4248	MINI JEUX.EXE
Token: SeShutdownPrivilege	4248	MINI JEUX.EXE
Token: SeDebugPrivilege	4248	MINI JEUX.EXE
Token: SeSystemEnvironmentPrivilege	4248	MINI JEUX.EXE
Token: SeChangeNotifyPrivilege	4248	MINI JEUX.EXE
Token: SeRemoteShutdownPrivilege	4248	MINI JEUX.EXE
Token: SeUndockPrivilege	4248	MINI JEUX.EXE
Token: SeManageVolumePrivilege	4248	MINI JEUX.EXE
Token: SeImpersonatePrivilege	4248	MINI JEUX.EXE
Token: SeCreateGlobalPrivilege	4248	MINI JEUX.EXE
Token: 33	4248	MINI JEUX.EXE
Token: 34	4248	MINI JEUX.EXE
Token: 35	4248	MINI JEUX.EXE
Token: 36	4248	MINI JEUX.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MINI JEUX.EXE

pid process

4248 MINI JEUX.EXE

pid	process
4248	MINI JEUX.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

582c956eca4b7c50142ee2858111282f734007b5ab9f795759550b4de637256e.exe

description	pid	process	target process
PID 3460 wrote to memory of 4248	3460	582c956eca4b7c50142ee2858111282f734007b5ab9f795759550b4de637256e.exe	MINI JEUX.EXE
PID 3460 wrote to memory of 4248	3460	582c956eca4b7c50142ee2858111282f734007b5ab9f795759550b4de637256e.exe	MINI JEUX.EXE
PID 3460 wrote to memory of 4248	3460	582c956eca4b7c50142ee2858111282f734007b5ab9f795759550b4de637256e.exe	MINI JEUX.EXE

C:\Users\Admin\AppData\Local\Temp\582c956eca4b7c50142ee2858111282f734007b5ab9f795759550b4de637256e.exe
"C:\Users\Admin\AppData\Local\Temp\582c956eca4b7c50142ee2858111282f734007b5ab9f795759550b4de637256e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3460

C:\Users\Admin\AppData\Local\Temp\MINI JEUX.EXE
"C:\Users\Admin\AppData\Local\Temp\MINI JEUX.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MINI JEUX.EXE
Filesize
756KB

MD5
71802f7fc05b69ff39426a2ae0f6f6af

SHA1
17ff2ff8815e4139ed0bec3a94a6cfec515021b9

SHA256
5bb818f463bb027e288e15a3ac7ef9e51ba2528b3b941f9384ad874f81fa34ad

SHA512
f2960514f9df0abffc13f7ec188416057e31d2a38be940f02f24223e3e36a28710429925c13f2958bfe139b1cf2519a0ece67b015ffe83aba7d52f7359c251c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MINI JEUX.EXE
Filesize
756KB

MD5
71802f7fc05b69ff39426a2ae0f6f6af

SHA1
17ff2ff8815e4139ed0bec3a94a6cfec515021b9

SHA256
5bb818f463bb027e288e15a3ac7ef9e51ba2528b3b941f9384ad874f81fa34ad

SHA512
f2960514f9df0abffc13f7ec188416057e31d2a38be940f02f24223e3e36a28710429925c13f2958bfe139b1cf2519a0ece67b015ffe83aba7d52f7359c251c2

Download Submit
memory/4248-132-0x0000000000000000-mapping.dmp

Download