darkcomet | 35b4a84324681a1000c14cf114b6f94ada34eb6c6ca38b9a4584b31e742aece3

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc619dc3b71bf6ddf8ab304990a4215b.exe
Size

852KB
MD5

cc619dc3b71bf6ddf8ab304990a4215b
SHA1

9d08d85b6594f112ff6812d667cd835ac81e305a
SHA256

35b4a84324681a1000c14cf114b6f94ada34eb6c6ca38b9a4584b31e742aece3
SHA512

068f6d394c0ac2c5c110209dfb2aba0051536aee3dddc41b7b867cc7b5a69e3cb5b697189ab8b00485969cd396295f4b0fc55347ce6c3f457397d8855850b4ee
SSDEEP

24576:bp/YH7l3kAWXz+EQ9Gak77eZpwQ1EaDSTd:147lkD7iGaWSZId

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"	Idman.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Idman.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cc619dc3b71bf6ddf8ab304990a4215b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Idman.exe

Executes dropped EXE 2 IoCs

pid	Process
4588	Idman.exe
4344	winupdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	Idman.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4588 set thread context of 4604	4588	Idman.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Idman.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Idman.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Idman.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Idman.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Idman.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Idman.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	cc619dc3b71bf6ddf8ab304990a4215b.exe
Token: 33	548	cc619dc3b71bf6ddf8ab304990a4215b.exe
Token: SeIncBasePriorityPrivilege	548	cc619dc3b71bf6ddf8ab304990a4215b.exe
Token: SeIncreaseQuotaPrivilege	4588	Idman.exe
Token: SeSecurityPrivilege	4588	Idman.exe
Token: SeTakeOwnershipPrivilege	4588	Idman.exe
Token: SeLoadDriverPrivilege	4588	Idman.exe
Token: SeSystemProfilePrivilege	4588	Idman.exe
Token: SeSystemtimePrivilege	4588	Idman.exe
Token: SeProfSingleProcessPrivilege	4588	Idman.exe
Token: SeIncBasePriorityPrivilege	4588	Idman.exe
Token: SeCreatePagefilePrivilege	4588	Idman.exe
Token: SeBackupPrivilege	4588	Idman.exe
Token: SeRestorePrivilege	4588	Idman.exe
Token: SeShutdownPrivilege	4588	Idman.exe
Token: SeDebugPrivilege	4588	Idman.exe
Token: SeSystemEnvironmentPrivilege	4588	Idman.exe
Token: SeChangeNotifyPrivilege	4588	Idman.exe
Token: SeRemoteShutdownPrivilege	4588	Idman.exe
Token: SeUndockPrivilege	4588	Idman.exe
Token: SeManageVolumePrivilege	4588	Idman.exe
Token: SeImpersonatePrivilege	4588	Idman.exe
Token: SeCreateGlobalPrivilege	4588	Idman.exe
Token: 33	4588	Idman.exe
Token: 34	4588	Idman.exe
Token: 35	4588	Idman.exe
Token: 36	4588	Idman.exe
Token: SeIncreaseQuotaPrivilege	4604	explorer.exe
Token: SeSecurityPrivilege	4604	explorer.exe
Token: SeTakeOwnershipPrivilege	4604	explorer.exe
Token: SeLoadDriverPrivilege	4604	explorer.exe
Token: SeSystemProfilePrivilege	4604	explorer.exe
Token: SeSystemtimePrivilege	4604	explorer.exe
Token: SeProfSingleProcessPrivilege	4604	explorer.exe
Token: SeIncBasePriorityPrivilege	4604	explorer.exe
Token: SeCreatePagefilePrivilege	4604	explorer.exe
Token: SeBackupPrivilege	4604	explorer.exe
Token: SeRestorePrivilege	4604	explorer.exe
Token: SeShutdownPrivilege	4604	explorer.exe
Token: SeDebugPrivilege	4604	explorer.exe
Token: SeSystemEnvironmentPrivilege	4604	explorer.exe
Token: SeChangeNotifyPrivilege	4604	explorer.exe
Token: SeRemoteShutdownPrivilege	4604	explorer.exe
Token: SeUndockPrivilege	4604	explorer.exe
Token: SeManageVolumePrivilege	4604	explorer.exe
Token: SeImpersonatePrivilege	4604	explorer.exe
Token: SeCreateGlobalPrivilege	4604	explorer.exe
Token: 33	4604	explorer.exe
Token: 34	4604	explorer.exe
Token: 35	4604	explorer.exe
Token: 36	4604	explorer.exe
Token: SeIncreaseQuotaPrivilege	4344	winupdate.exe
Token: SeSecurityPrivilege	4344	winupdate.exe
Token: SeTakeOwnershipPrivilege	4344	winupdate.exe
Token: SeLoadDriverPrivilege	4344	winupdate.exe
Token: SeSystemProfilePrivilege	4344	winupdate.exe
Token: SeSystemtimePrivilege	4344	winupdate.exe
Token: SeProfSingleProcessPrivilege	4344	winupdate.exe
Token: SeIncBasePriorityPrivilege	4344	winupdate.exe
Token: SeCreatePagefilePrivilege	4344	winupdate.exe
Token: SeBackupPrivilege	4344	winupdate.exe
Token: SeRestorePrivilege	4344	winupdate.exe
Token: SeShutdownPrivilege	4344	winupdate.exe
Token: SeDebugPrivilege	4344	winupdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4604	explorer.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 4588	548	cc619dc3b71bf6ddf8ab304990a4215b.exe	98
PID 548 wrote to memory of 4588	548	cc619dc3b71bf6ddf8ab304990a4215b.exe	98
PID 548 wrote to memory of 4588	548	cc619dc3b71bf6ddf8ab304990a4215b.exe	98
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 448	4588	Idman.exe	101
PID 4588 wrote to memory of 4604	4588	Idman.exe	102
PID 4588 wrote to memory of 4604	4588	Idman.exe	102
PID 4588 wrote to memory of 4604	4588	Idman.exe	102
PID 4588 wrote to memory of 4604	4588	Idman.exe	102
PID 4588 wrote to memory of 4604	4588	Idman.exe	102
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4604 wrote to memory of 2704	4604	explorer.exe	103
PID 4588 wrote to memory of 4344	4588	Idman.exe	104
PID 4588 wrote to memory of 4344	4588	Idman.exe	104
PID 4588 wrote to memory of 4344	4588	Idman.exe	104

C:\Users\Admin\AppData\Local\Temp\cc619dc3b71bf6ddf8ab304990a4215b.exe
"C:\Users\Admin\AppData\Local\Temp\cc619dc3b71bf6ddf8ab304990a4215b.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\Idman.exe
  "C:\Users\Admin\AppData\Local\Temp\Idman.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - Adds Run key to start application
    PID:448
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\SysWOW64\notepad.exe
      C:\Windows\SysWOW64\notepad.exe
      4⤵
      PID:2704
- - C:\Windupdt\winupdate.exe
    "C:\Windupdt\winupdate.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3780 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Idman.exe

Filesize
659KB

MD5
c20760ff71d5837f3cbf695ae5988527

SHA1
7ad133ed3ba7a87875ad69dc892b650090097732

SHA256
667a9886aed470a0ae3250161d4737b7d01c740d57c2b32193a2449304d6aa5a

SHA512
0f264ff8f87dc0719a98f58b025bd69a78ef105e5861cea718540d406ee78a9794eeca216fbe2bcad7c6895bc43d201322f04687166b7db8e9b4deab0439e808

Download Submit
C:\Windupdt\winupdate.exe

Filesize
636KB

MD5
6a011ee9f045262823883bd3a1bb13e9

SHA1
d9aa309bab869cf0251b32a3846899b22f41633b

SHA256
3c12e9593453ac1a63d21460d64e824e15fa891d7521558cdf8d9955ceaefb13

SHA512
673602a2898957d5a461415b16af751baed2d02646d677eb9a8a91e6be342abd0ff2e609b6a5ff468bd86306238f873f00432be4919ca01987870671a4d16d20

Download Submit
memory/448-25-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/548-21-0x00007FFE89EC0000-0x00007FFE8A861000-memory.dmp

Filesize
9.6MB

Download
memory/548-2-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/548-5-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/548-6-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/548-7-0x000000001C9C0000-0x000000001CA5C000-memory.dmp

Filesize
624KB

Download
memory/548-8-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/548-9-0x0000000001180000-0x0000000001188000-memory.dmp

Filesize
32KB

Download
memory/548-10-0x000000001CAE0000-0x000000001CB2C000-memory.dmp

Filesize
304KB

Download
memory/548-11-0x00007FFE89EC0000-0x00007FFE8A861000-memory.dmp

Filesize
9.6MB

Download
memory/548-15-0x00007FFE89EC0000-0x00007FFE8A861000-memory.dmp

Filesize
9.6MB

Download
memory/548-3-0x000000001C0F0000-0x000000001C5BE000-memory.dmp

Filesize
4.8MB

Download
memory/548-0-0x00007FFE89EC0000-0x00007FFE8A861000-memory.dmp

Filesize
9.6MB

Download
memory/548-1-0x00007FFE89EC0000-0x00007FFE8A861000-memory.dmp

Filesize
9.6MB

Download
memory/548-4-0x000000001BA50000-0x000000001BAF6000-memory.dmp

Filesize
664KB

Download
memory/2704-32-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download
memory/4344-70-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/4344-68-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4588-36-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/4588-23-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4604-33-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/4604-35-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/4604-34-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/4604-31-0x0000000001570000-0x0000000001571000-memory.dmp

Filesize
4KB

Download
memory/4604-27-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/4604-28-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/4604-30-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/4604-29-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download
memory/4604-72-0x0000000013140000-0x00000000131F6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads