darkcomet | f0991ff0c9379130adfc31152ec55c1925872f0c664ab34df90cb2d730c0bf63

Analysis

max time kernel
24s
max time network
29s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Virs1.exe
Size

1.4MB
MD5

272ce51163d36007d848281cb03e5fc7
SHA1

2f9b35209bf3d91cf14ca23aee64e31d684e9d26
SHA256

f0991ff0c9379130adfc31152ec55c1925872f0c664ab34df90cb2d730c0bf63
SHA512

955087c98ae98e51351b5c41cc83f39dc23c9f60658791bb3f83c5ba65b82fd601fe457c514dea73aa422f59b1806a55f576c66d52e4b5fec29fefd0f260fe1f
SSDEEP

24576:iZ1xuVVjfFoynPaVBUR8f+kN10EBJw5vgHWjTwAlocaKjyyItHDzY:iQDgok30JrLocaKjGq

Score

10^/10

darkcomet sazan discovery evasion rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

tm6bqni.localto.net:1511

Mutex

DC_MUTEX-8K1U6CF

Attributes

gencode
phCnNGEAkXoi
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2760	attrib.exe
2776	attrib.exe

Executes dropped EXE 2 IoCs

pid	Process
2672	BOOTSTRAPPERV1.22.EXE
1236	Process not Found

Loads dropped DLL 7 IoCs

pid	Process
2656	Virs1.exe
2920	Process not Found
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe
1952	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2656 set thread context of 2440	2656	Virs1.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Virs1.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2816	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2656	Virs1.exe
Token: SeSecurityPrivilege	2656	Virs1.exe
Token: SeTakeOwnershipPrivilege	2656	Virs1.exe
Token: SeLoadDriverPrivilege	2656	Virs1.exe
Token: SeSystemProfilePrivilege	2656	Virs1.exe
Token: SeSystemtimePrivilege	2656	Virs1.exe
Token: SeProfSingleProcessPrivilege	2656	Virs1.exe
Token: SeIncBasePriorityPrivilege	2656	Virs1.exe
Token: SeCreatePagefilePrivilege	2656	Virs1.exe
Token: SeBackupPrivilege	2656	Virs1.exe
Token: SeRestorePrivilege	2656	Virs1.exe
Token: SeShutdownPrivilege	2656	Virs1.exe
Token: SeDebugPrivilege	2656	Virs1.exe
Token: SeSystemEnvironmentPrivilege	2656	Virs1.exe
Token: SeChangeNotifyPrivilege	2656	Virs1.exe
Token: SeRemoteShutdownPrivilege	2656	Virs1.exe
Token: SeUndockPrivilege	2656	Virs1.exe
Token: SeManageVolumePrivilege	2656	Virs1.exe
Token: SeImpersonatePrivilege	2656	Virs1.exe
Token: SeCreateGlobalPrivilege	2656	Virs1.exe
Token: 33	2656	Virs1.exe
Token: 34	2656	Virs1.exe
Token: 35	2656	Virs1.exe
Token: SeIncreaseQuotaPrivilege	2440	iexplore.exe
Token: SeSecurityPrivilege	2440	iexplore.exe
Token: SeTakeOwnershipPrivilege	2440	iexplore.exe
Token: SeLoadDriverPrivilege	2440	iexplore.exe
Token: SeSystemProfilePrivilege	2440	iexplore.exe
Token: SeSystemtimePrivilege	2440	iexplore.exe
Token: SeProfSingleProcessPrivilege	2440	iexplore.exe
Token: SeIncBasePriorityPrivilege	2440	iexplore.exe
Token: SeCreatePagefilePrivilege	2440	iexplore.exe
Token: SeBackupPrivilege	2440	iexplore.exe
Token: SeRestorePrivilege	2440	iexplore.exe
Token: SeShutdownPrivilege	2440	iexplore.exe
Token: SeDebugPrivilege	2440	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2440	iexplore.exe
Token: SeChangeNotifyPrivilege	2440	iexplore.exe
Token: SeRemoteShutdownPrivilege	2440	iexplore.exe
Token: SeUndockPrivilege	2440	iexplore.exe
Token: SeManageVolumePrivilege	2440	iexplore.exe
Token: SeImpersonatePrivilege	2440	iexplore.exe
Token: SeCreateGlobalPrivilege	2440	iexplore.exe
Token: 33	2440	iexplore.exe
Token: 34	2440	iexplore.exe
Token: 35	2440	iexplore.exe
Token: SeIncreaseQuotaPrivilege	2728	WMIC.exe
Token: SeSecurityPrivilege	2728	WMIC.exe
Token: SeTakeOwnershipPrivilege	2728	WMIC.exe
Token: SeLoadDriverPrivilege	2728	WMIC.exe
Token: SeSystemProfilePrivilege	2728	WMIC.exe
Token: SeSystemtimePrivilege	2728	WMIC.exe
Token: SeProfSingleProcessPrivilege	2728	WMIC.exe
Token: SeIncBasePriorityPrivilege	2728	WMIC.exe
Token: SeCreatePagefilePrivilege	2728	WMIC.exe
Token: SeBackupPrivilege	2728	WMIC.exe
Token: SeRestorePrivilege	2728	WMIC.exe
Token: SeShutdownPrivilege	2728	WMIC.exe
Token: SeDebugPrivilege	2728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2728	WMIC.exe
Token: SeRemoteShutdownPrivilege	2728	WMIC.exe
Token: SeUndockPrivilege	2728	WMIC.exe
Token: SeManageVolumePrivilege	2728	WMIC.exe
Token: 33	2728	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2440	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2792	2656	Virs1.exe	30
PID 2656 wrote to memory of 2792	2656	Virs1.exe	30
PID 2656 wrote to memory of 2792	2656	Virs1.exe	30
PID 2656 wrote to memory of 2792	2656	Virs1.exe	30
PID 2656 wrote to memory of 2796	2656	Virs1.exe	31
PID 2656 wrote to memory of 2796	2656	Virs1.exe	31
PID 2656 wrote to memory of 2796	2656	Virs1.exe	31
PID 2656 wrote to memory of 2796	2656	Virs1.exe	31
PID 2792 wrote to memory of 2760	2792	cmd.exe	34
PID 2792 wrote to memory of 2760	2792	cmd.exe	34
PID 2792 wrote to memory of 2760	2792	cmd.exe	34
PID 2792 wrote to memory of 2760	2792	cmd.exe	34
PID 2796 wrote to memory of 2776	2796	cmd.exe	35
PID 2796 wrote to memory of 2776	2796	cmd.exe	35
PID 2796 wrote to memory of 2776	2796	cmd.exe	35
PID 2796 wrote to memory of 2776	2796	cmd.exe	35
PID 2656 wrote to memory of 2672	2656	Virs1.exe	36
PID 2656 wrote to memory of 2672	2656	Virs1.exe	36
PID 2656 wrote to memory of 2672	2656	Virs1.exe	36
PID 2656 wrote to memory of 2672	2656	Virs1.exe	36
PID 2672 wrote to memory of 2820	2672	BOOTSTRAPPERV1.22.EXE	38
PID 2672 wrote to memory of 2820	2672	BOOTSTRAPPERV1.22.EXE	38
PID 2672 wrote to memory of 2820	2672	BOOTSTRAPPERV1.22.EXE	38
PID 2656 wrote to memory of 2440	2656	Virs1.exe	40
PID 2656 wrote to memory of 2440	2656	Virs1.exe	40
PID 2656 wrote to memory of 2440	2656	Virs1.exe	40
PID 2656 wrote to memory of 2440	2656	Virs1.exe	40
PID 2656 wrote to memory of 2440	2656	Virs1.exe	40
PID 2656 wrote to memory of 2440	2656	Virs1.exe	40
PID 2820 wrote to memory of 2816	2820	cmd.exe	41
PID 2820 wrote to memory of 2816	2820	cmd.exe	41
PID 2820 wrote to memory of 2816	2820	cmd.exe	41
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2440 wrote to memory of 2588	2440	iexplore.exe	42
PID 2672 wrote to memory of 2532	2672	BOOTSTRAPPERV1.22.EXE	43
PID 2672 wrote to memory of 2532	2672	BOOTSTRAPPERV1.22.EXE	43
PID 2672 wrote to memory of 2532	2672	BOOTSTRAPPERV1.22.EXE	43
PID 2532 wrote to memory of 2728	2532	cmd.exe	45
PID 2532 wrote to memory of 2728	2532	cmd.exe	45
PID 2532 wrote to memory of 2728	2532	cmd.exe	45
PID 2672 wrote to memory of 1952	2672	BOOTSTRAPPERV1.22.EXE	47
PID 2672 wrote to memory of 1952	2672	BOOTSTRAPPERV1.22.EXE	47
PID 2672 wrote to memory of 1952	2672	BOOTSTRAPPERV1.22.EXE	47

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2760	attrib.exe
2776	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Virs1.exe
"C:\Users\Admin\AppData\Local\Temp\Virs1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Virs1.exe" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\Virs1.exe" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2776
- C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.22.EXE
  "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.22.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\system32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2816
- - C:\Windows\system32\cmd.exe
    "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2728
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2672 -s 1124
    3⤵
    - Loads dropped DLL
    PID:1952
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.22.EXE

Filesize
800KB

MD5
2a4dcf20b82896be94eb538260c5fb93

SHA1
21f232c2fd8132f8677e53258562ad98b455e679

SHA256
ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

SHA512
4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

Download Submit
memory/2440-9-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2588-49-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2588-11-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2656-0-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2656-10-0x0000000000400000-0x000000000057A000-memory.dmp

Filesize
1.5MB

Download
memory/2672-8-0x0000000000FF0000-0x00000000010BE000-memory.dmp

Filesize
824KB

Download