darkcomet | 172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86

General

Target

172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe
Size

338KB
MD5

27aed8242c89f5a513c097dcc36c5bef
SHA1

9a53be98d594fabed2fc567e65b7b16d73b69300
SHA256

172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86
SHA512

8f81c85b4653096ccaca23a706527130eecd2a226c111db44138577efcd5446415fe5ebadf12e71361bd5e267f5436bd2f1dc4255e20e1fc55974f630e80b478
SSDEEP

6144:wC4W+NSe7/mE5WAGb/msFw13ocRGQqrDsZOZ3ZpWoM7+aaTaaaHbiXJEdpC8bQ:w/W+cHEIAGb/msFwxocgQq3sZOZIbuq

Score

10^/10

darkcomet slave evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

C2

gotcha1337.no-ip.biz:1604

Mutex

DC_MUTEX-YL1K3PD

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
KFeuKKdTKtY3
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	cvtres.exe

UPX dump on OEP (original entry point) 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4984-5-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral2/memory/4984-9-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral2/memory/4984-11-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral2/memory/4984-13-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral2/memory/4984-15-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral2/memory/4984-16-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral2/memory/4984-51-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
388	attrib.exe
2280	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cvtres.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	cvtres.exe

Executes dropped EXE 2 IoCs

Processes:

cvtres.exemsdcsc.exe

pid	Process
4984	cvtres.exe
4920	msdcsc.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4984-5-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4984-9-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4984-11-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4984-13-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4984-15-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4984-16-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4984-51-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	cvtres.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe

description	pid	Process	procid_target
PID 2944 set thread context of 4984	2944	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

cvtres.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cvtres.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

cvtres.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4984	cvtres.exe
Token: SeSecurityPrivilege	4984	cvtres.exe
Token: SeTakeOwnershipPrivilege	4984	cvtres.exe
Token: SeLoadDriverPrivilege	4984	cvtres.exe
Token: SeSystemProfilePrivilege	4984	cvtres.exe
Token: SeSystemtimePrivilege	4984	cvtres.exe
Token: SeProfSingleProcessPrivilege	4984	cvtres.exe
Token: SeIncBasePriorityPrivilege	4984	cvtres.exe
Token: SeCreatePagefilePrivilege	4984	cvtres.exe
Token: SeBackupPrivilege	4984	cvtres.exe
Token: SeRestorePrivilege	4984	cvtres.exe
Token: SeShutdownPrivilege	4984	cvtres.exe
Token: SeDebugPrivilege	4984	cvtres.exe
Token: SeSystemEnvironmentPrivilege	4984	cvtres.exe
Token: SeChangeNotifyPrivilege	4984	cvtres.exe
Token: SeRemoteShutdownPrivilege	4984	cvtres.exe
Token: SeUndockPrivilege	4984	cvtres.exe
Token: SeManageVolumePrivilege	4984	cvtres.exe
Token: SeImpersonatePrivilege	4984	cvtres.exe
Token: SeCreateGlobalPrivilege	4984	cvtres.exe
Token: 33	4984	cvtres.exe
Token: 34	4984	cvtres.exe
Token: 35	4984	cvtres.exe
Token: 36	4984	cvtres.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.execvtres.execmd.execmd.exe

description	pid	Process	procid_target
PID 2944 wrote to memory of 4984	2944	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	88
PID 2944 wrote to memory of 4984	2944	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	88
PID 2944 wrote to memory of 4984	2944	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	88
PID 2944 wrote to memory of 4984	2944	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	88
PID 2944 wrote to memory of 4984	2944	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	88
PID 2944 wrote to memory of 4984	2944	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	88
PID 2944 wrote to memory of 4984	2944	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	88
PID 4984 wrote to memory of 1716	4984	cvtres.exe	90
PID 4984 wrote to memory of 1716	4984	cvtres.exe	90
PID 4984 wrote to memory of 1716	4984	cvtres.exe	90
PID 4984 wrote to memory of 1172	4984	cvtres.exe	92
PID 4984 wrote to memory of 1172	4984	cvtres.exe	92
PID 4984 wrote to memory of 1172	4984	cvtres.exe	92
PID 1716 wrote to memory of 388	1716	cmd.exe	94
PID 1716 wrote to memory of 388	1716	cmd.exe	94
PID 1716 wrote to memory of 388	1716	cmd.exe	94
PID 1172 wrote to memory of 2280	1172	cmd.exe	95
PID 1172 wrote to memory of 2280	1172	cmd.exe	95
PID 1172 wrote to memory of 2280	1172	cmd.exe	95
PID 4984 wrote to memory of 4920	4984	cvtres.exe	96
PID 4984 wrote to memory of 4920	4984	cvtres.exe	96
PID 4984 wrote to memory of 4920	4984	cvtres.exe	96

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
388	attrib.exe
2280	attrib.exe

C:\Users\Admin\AppData\Local\Temp\172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe
"C:\Users\Admin\AppData\Local\Temp\172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\cvtres.exe
  "C:\Users\Admin\AppData\Local\Temp\cvtres.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2280
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
1024B

MD5
54b1c45da8980b32759042e2c3c78dfb

SHA1
11e8bc2db98786c69e5dadf53d00ff3ee03d64f8

SHA256
9d5efce48ed68dcb4caaa7fbecaf47ce2cab0a023afc6ceed682d1d532823773

SHA512
73169989b97a032fe923272fbe4bc27be77e491d125b360120fc1e02419d99f807b1f62a3edaff85ebfd16e9c240ec295be9431cfe4d6c353f0cf0dbeec4d2ac

Download Submit
memory/2944-0-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/2944-1-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/2944-2-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/2944-14-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/4984-11-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4984-9-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4984-13-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4984-5-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4984-15-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4984-16-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4984-17-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/4984-51-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads