darkcomet | c9b37efc16b190f11f7607ace2a8f5b60639b716a72321fc3aada925c53aa7ed

General

Target

cdca6cf1adac7a1b0e924e6588b9e096.exe
Size

699KB
MD5

cdca6cf1adac7a1b0e924e6588b9e096
SHA1

1f0be53bbda5739eea99a8bce2f7602e17ff269e
SHA256

c9b37efc16b190f11f7607ace2a8f5b60639b716a72321fc3aada925c53aa7ed
SHA512

cfccc676c2808c4461846253fc44dd6cc46a7358357822863f967e5e1b1badb51052e4aefa2f9f371d92661be9de01739a33d3da5eae556f66feb1ad79f5a0a3
SSDEEP

12288:vsOW6Q4OWz9h8T+t7bzyHew18LpuVKxTlQrrq+3r5VuGBBNjZfRzV:hW6VXRhVbzyfyR0qMXNjBRZ

Score

10^/10

darkcomet guest16 evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

185.113.208.205:1604

Mutex

DC_MUTEX-UCGJZEA

Attributes

InstallPath
NvidiaGraphicSys.exe
gencode
Hdnr2tMwrvAj
install
true
offline_keylogger
true
persistence
true
reg_key
Nvidia Graphics

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

XtuService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\NvidiaGraphicSys.exe"	XtuService.exe

Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

NvidiaGraphicSys.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" NvidiaGraphicSys.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2472 attrib.exe
2464 attrib.exe
Executes dropped EXE 3 IoCs

Processes:

XtuService.sfx.exeXtuService.exeNvidiaGraphicSys.exe

pid process

2648 XtuService.sfx.exe
2656 XtuService.exe
572 NvidiaGraphicSys.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	NvidiaGraphicSys.exe

pid	process
2472	attrib.exe
2464	attrib.exe

Loads dropped DLL 7 IoCs

Processes:

XtuService.sfx.exeXtuService.exe

pid	process
2648	XtuService.sfx.exe
2648	XtuService.sfx.exe
2648	XtuService.sfx.exe
2648	XtuService.sfx.exe
2648	XtuService.sfx.exe
2656	XtuService.exe
2656	XtuService.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\XtuService.exe	upx
behavioral1/memory/2656-40-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2656-53-0x0000000003A90000-0x0000000003B47000-memory.dmp	upx
behavioral1/memory/572-56-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2656-83-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/572-84-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/572-86-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/572-90-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/572-92-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/572-94-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/572-96-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

NvidiaGraphicSys.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" NvidiaGraphicSys.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	NvidiaGraphicSys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NvidiaGraphicSys.exeXtuService.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nvidia Graphics = "C:\\Windows\\system32\\NvidiaGraphicSys.exe"	NvidiaGraphicSys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nvidia Graphics = "C:\\Windows\\system32\\NvidiaGraphicSys.exe"	XtuService.exe

Drops file in System32 directory 3 IoCs

Processes:

XtuService.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\	XtuService.exe
File created	C:\Windows\SysWOW64\NvidiaGraphicSys.exe	XtuService.exe
File opened for modification	C:\Windows\SysWOW64\NvidiaGraphicSys.exe	XtuService.exe

Drops file in Windows directory 5 IoCs

Processes:

cdca6cf1adac7a1b0e924e6588b9e096.exe

description	ioc	process
File created	C:\Windows\XtuService.bat	cdca6cf1adac7a1b0e924e6588b9e096.exe
File opened for modification	C:\Windows\XtuService.bat	cdca6cf1adac7a1b0e924e6588b9e096.exe
File created	C:\Windows\XtuService.sfx.exe	cdca6cf1adac7a1b0e924e6588b9e096.exe
File opened for modification	C:\Windows\XtuService.sfx.exe	cdca6cf1adac7a1b0e924e6588b9e096.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259425076	cdca6cf1adac7a1b0e924e6588b9e096.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NvidiaGraphicSys.exe

pid process

572 NvidiaGraphicSys.exe

pid	process
572	NvidiaGraphicSys.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

XtuService.exeNvidiaGraphicSys.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2656	XtuService.exe
Token: SeSecurityPrivilege	2656	XtuService.exe
Token: SeTakeOwnershipPrivilege	2656	XtuService.exe
Token: SeLoadDriverPrivilege	2656	XtuService.exe
Token: SeSystemProfilePrivilege	2656	XtuService.exe
Token: SeSystemtimePrivilege	2656	XtuService.exe
Token: SeProfSingleProcessPrivilege	2656	XtuService.exe
Token: SeIncBasePriorityPrivilege	2656	XtuService.exe
Token: SeCreatePagefilePrivilege	2656	XtuService.exe
Token: SeBackupPrivilege	2656	XtuService.exe
Token: SeRestorePrivilege	2656	XtuService.exe
Token: SeShutdownPrivilege	2656	XtuService.exe
Token: SeDebugPrivilege	2656	XtuService.exe
Token: SeSystemEnvironmentPrivilege	2656	XtuService.exe
Token: SeChangeNotifyPrivilege	2656	XtuService.exe
Token: SeRemoteShutdownPrivilege	2656	XtuService.exe
Token: SeUndockPrivilege	2656	XtuService.exe
Token: SeManageVolumePrivilege	2656	XtuService.exe
Token: SeImpersonatePrivilege	2656	XtuService.exe
Token: SeCreateGlobalPrivilege	2656	XtuService.exe
Token: 33	2656	XtuService.exe
Token: 34	2656	XtuService.exe
Token: 35	2656	XtuService.exe
Token: SeIncreaseQuotaPrivilege	572	NvidiaGraphicSys.exe
Token: SeSecurityPrivilege	572	NvidiaGraphicSys.exe
Token: SeTakeOwnershipPrivilege	572	NvidiaGraphicSys.exe
Token: SeLoadDriverPrivilege	572	NvidiaGraphicSys.exe
Token: SeSystemProfilePrivilege	572	NvidiaGraphicSys.exe
Token: SeSystemtimePrivilege	572	NvidiaGraphicSys.exe
Token: SeProfSingleProcessPrivilege	572	NvidiaGraphicSys.exe
Token: SeIncBasePriorityPrivilege	572	NvidiaGraphicSys.exe
Token: SeCreatePagefilePrivilege	572	NvidiaGraphicSys.exe
Token: SeBackupPrivilege	572	NvidiaGraphicSys.exe
Token: SeRestorePrivilege	572	NvidiaGraphicSys.exe
Token: SeShutdownPrivilege	572	NvidiaGraphicSys.exe
Token: SeDebugPrivilege	572	NvidiaGraphicSys.exe
Token: SeSystemEnvironmentPrivilege	572	NvidiaGraphicSys.exe
Token: SeChangeNotifyPrivilege	572	NvidiaGraphicSys.exe
Token: SeRemoteShutdownPrivilege	572	NvidiaGraphicSys.exe
Token: SeUndockPrivilege	572	NvidiaGraphicSys.exe
Token: SeManageVolumePrivilege	572	NvidiaGraphicSys.exe
Token: SeImpersonatePrivilege	572	NvidiaGraphicSys.exe
Token: SeCreateGlobalPrivilege	572	NvidiaGraphicSys.exe
Token: 33	572	NvidiaGraphicSys.exe
Token: 34	572	NvidiaGraphicSys.exe
Token: 35	572	NvidiaGraphicSys.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

NvidiaGraphicSys.exe

pid process

572 NvidiaGraphicSys.exe

pid	process
572	NvidiaGraphicSys.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

cdca6cf1adac7a1b0e924e6588b9e096.execmd.exeXtuService.sfx.exeXtuService.execmd.execmd.exeNvidiaGraphicSys.exe

description	pid	process	target process
PID 2484 wrote to memory of 3056	2484	cdca6cf1adac7a1b0e924e6588b9e096.exe	cmd.exe
PID 2484 wrote to memory of 3056	2484	cdca6cf1adac7a1b0e924e6588b9e096.exe	cmd.exe
PID 2484 wrote to memory of 3056	2484	cdca6cf1adac7a1b0e924e6588b9e096.exe	cmd.exe
PID 2484 wrote to memory of 3056	2484	cdca6cf1adac7a1b0e924e6588b9e096.exe	cmd.exe
PID 3056 wrote to memory of 2648	3056	cmd.exe	XtuService.sfx.exe
PID 3056 wrote to memory of 2648	3056	cmd.exe	XtuService.sfx.exe
PID 3056 wrote to memory of 2648	3056	cmd.exe	XtuService.sfx.exe
PID 3056 wrote to memory of 2648	3056	cmd.exe	XtuService.sfx.exe
PID 2648 wrote to memory of 2656	2648	XtuService.sfx.exe	XtuService.exe
PID 2648 wrote to memory of 2656	2648	XtuService.sfx.exe	XtuService.exe
PID 2648 wrote to memory of 2656	2648	XtuService.sfx.exe	XtuService.exe
PID 2648 wrote to memory of 2656	2648	XtuService.sfx.exe	XtuService.exe
PID 2656 wrote to memory of 2452	2656	XtuService.exe	cmd.exe
PID 2656 wrote to memory of 2452	2656	XtuService.exe	cmd.exe
PID 2656 wrote to memory of 2452	2656	XtuService.exe	cmd.exe
PID 2656 wrote to memory of 2452	2656	XtuService.exe	cmd.exe
PID 2656 wrote to memory of 2620	2656	XtuService.exe	cmd.exe
PID 2656 wrote to memory of 2620	2656	XtuService.exe	cmd.exe
PID 2656 wrote to memory of 2620	2656	XtuService.exe	cmd.exe
PID 2656 wrote to memory of 2620	2656	XtuService.exe	cmd.exe
PID 2452 wrote to memory of 2464	2452	cmd.exe	attrib.exe
PID 2452 wrote to memory of 2464	2452	cmd.exe	attrib.exe
PID 2452 wrote to memory of 2464	2452	cmd.exe	attrib.exe
PID 2452 wrote to memory of 2464	2452	cmd.exe	attrib.exe
PID 2620 wrote to memory of 2472	2620	cmd.exe	attrib.exe
PID 2620 wrote to memory of 2472	2620	cmd.exe	attrib.exe
PID 2620 wrote to memory of 2472	2620	cmd.exe	attrib.exe
PID 2620 wrote to memory of 2472	2620	cmd.exe	attrib.exe
PID 2656 wrote to memory of 572	2656	XtuService.exe	NvidiaGraphicSys.exe
PID 2656 wrote to memory of 572	2656	XtuService.exe	NvidiaGraphicSys.exe
PID 2656 wrote to memory of 572	2656	XtuService.exe	NvidiaGraphicSys.exe
PID 2656 wrote to memory of 572	2656	XtuService.exe	NvidiaGraphicSys.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe
PID 572 wrote to memory of 1552	572	NvidiaGraphicSys.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2464 attrib.exe
2472 attrib.exe

pid	process
2464	attrib.exe
2472	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cdca6cf1adac7a1b0e924e6588b9e096.exe
"C:\Users\Admin\AppData\Local\Temp\cdca6cf1adac7a1b0e924e6588b9e096.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\XtuService.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\XtuService.sfx.exe
XtuService.sfx.exe -p12345 dC:\Users\Admin\AppData\Local\Temp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Local\Temp\XtuService.exe
"C:\Users\Admin\AppData\Local\Temp\XtuService.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\XtuService.exe" +s +h
5⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\XtuService.exe" +s +h
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
5⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2472

C:\Windows\SysWOW64\NvidiaGraphicSys.exe
"C:\Windows\system32\NvidiaGraphicSys.exe"
5⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\notepad.exe
notepad
6⤵
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Impair Defenses

2

T1562

Disable or Modify Tools

2

T1562.001

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\XtuService.bat
Filesize
34B

MD5
1c74a86919d0e2ffc46439d9479f15dd

SHA1
9c3cf4a8b012282bfee734c27441b6b1ebe74cd3

SHA256
3e996691c8a3613d15dbe231a115a204abac909bf7d169d569a289499e8a92c3

SHA512
7296ed7b5a8d06ddb1aec91cb326a5fc9478727ff84a6279fcb074a9897b5634db461b1ef6df216e191b26c59aeadd3f849c0a264b9c8130082dcab583b84db0

Download Submit
C:\Windows\XtuService.sfx.exe
Filesize
448KB

MD5
8a771052fa399c5276cf1fd9f31894fc

SHA1
4b3d57bd00836bf72654da64eece700977ccb412

SHA256
fd2916efa699a88734d58ed4f9b202f026c5b269b5c864ff86396a96d0cf8f70

SHA512
3af9e1e9eaa634ff2df4c825b1b24200df47393e3ceca6cd6e5d987d81025f78538eb35757781b8bea63113b4ee4f5c520270e06c8e6328373305ccf8a3ff241

Download Submit
C:\Windows\XtuService.sfx.exe
Filesize
517KB

MD5
389a440d3646f55b2e1710eac0ee0dc4

SHA1
9b686a5347367c634c0e153d010f8c985ed3595d

SHA256
375cbbced8fdd09a7afeecac6fd842e3e0fbe7f1f91ed6be33f395aa4f756fb6

SHA512
4a204d0f82b989a829d4915d11552c8128e54db47aba4dacad68bb83249fac65e10c039a9b9eaf7b1348bbaa6665db44652829e73f235dbbcf10a08b039c18c8

Download Submit
\Users\Admin\AppData\Local\Temp\XtuService.exe
Filesize
252KB

MD5
a991a315e9e2cf61f714fa115850e0b5

SHA1
869eab5b7ad365b143f32ee09c4ac4f0a7c13239

SHA256
fb6749c7f90f62ea4f9f23256e0c99b530d33d17cfcb8706c8e196ac5c876e73

SHA512
692884aa9c13600a48bac3219ed91afdd55f269422a6d9f8780106e79f2649c979ed470e5a6a8a3fbb72df4f6c60c2a4b7aecaec475b937055a815baf06bf703

Download Submit
memory/572-86-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/572-84-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/572-96-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/572-94-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/572-92-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/572-56-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/572-58-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/572-90-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1552-57-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1552-82-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

Filesize
4KB

Download
memory/2648-37-0x00000000034B0000-0x0000000003567000-memory.dmp

Filesize
732KB

Download
memory/2648-38-0x00000000034B0000-0x0000000003567000-memory.dmp

Filesize
732KB

Download
memory/2656-83-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2656-53-0x0000000003A90000-0x0000000003B47000-memory.dmp

Filesize
732KB

Download
memory/2656-41-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2656-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads