darkcomet | 3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc

General

Target

3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc.exe
Size

946KB
MD5

a1bb58919f47a163fdc90fdfc2ba800e
SHA1

b394bf81d72da6b359997e0c2584dfc1c28e8769
SHA256

3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc
SHA512

7cc907e6ca1e5b0b49fecf0b64c0e0cbfb044b09a88dcd5456db080d7af105bfb09aae396c0cbeb3c28793a21d24c513bdbbd72b868937a9f7c9cf00aada8125
SSDEEP

12288:TJ2AsSLPMimCfwKxjctgIiFoaY+Ez7alWQQuvVTpP9gX5yGA:TwAs0MTMx84EzWWVIJTT

Score

10^/10

darkcomet crypt defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

Extracted

Family

darkcomet

Botnet

Crypt

C2

dcserv1603.zapto.org:999

192.168.1.4:999

Mutex

DC_MUTEX-CYSHT90

Attributes

gencode
BxRLSy9sb7uW
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe ,C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\serv0.exe"	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	serv0.exe

Executes dropped EXE 2 IoCs

pid	Process
4920	serv0.exe
932	notepad.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4920 set thread context of 4284	4920	serv0.exe	86

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\serv0.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	serv0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	serv0.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\serv0.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	serv0.exe
Token: SeIncreaseQuotaPrivilege	4284	svchost.exe
Token: SeSecurityPrivilege	4284	svchost.exe
Token: SeTakeOwnershipPrivilege	4284	svchost.exe
Token: SeLoadDriverPrivilege	4284	svchost.exe
Token: SeSystemProfilePrivilege	4284	svchost.exe
Token: SeSystemtimePrivilege	4284	svchost.exe
Token: SeProfSingleProcessPrivilege	4284	svchost.exe
Token: SeIncBasePriorityPrivilege	4284	svchost.exe
Token: SeCreatePagefilePrivilege	4284	svchost.exe
Token: SeBackupPrivilege	4284	svchost.exe
Token: SeRestorePrivilege	4284	svchost.exe
Token: SeShutdownPrivilege	4284	svchost.exe
Token: SeDebugPrivilege	4284	svchost.exe
Token: SeSystemEnvironmentPrivilege	4284	svchost.exe
Token: SeChangeNotifyPrivilege	4284	svchost.exe
Token: SeRemoteShutdownPrivilege	4284	svchost.exe
Token: SeUndockPrivilege	4284	svchost.exe
Token: SeManageVolumePrivilege	4284	svchost.exe
Token: SeImpersonatePrivilege	4284	svchost.exe
Token: SeCreateGlobalPrivilege	4284	svchost.exe
Token: 33	4284	svchost.exe
Token: 34	4284	svchost.exe
Token: 35	4284	svchost.exe
Token: 36	4284	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4284	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 4920	4808	3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc.exe	83
PID 4808 wrote to memory of 4920	4808	3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc.exe	83
PID 4808 wrote to memory of 4920	4808	3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc.exe	83
PID 4920 wrote to memory of 1588	4920	serv0.exe	84
PID 4920 wrote to memory of 1588	4920	serv0.exe	84
PID 4920 wrote to memory of 1588	4920	serv0.exe	84
PID 4920 wrote to memory of 4284	4920	serv0.exe	86
PID 4920 wrote to memory of 4284	4920	serv0.exe	86
PID 4920 wrote to memory of 4284	4920	serv0.exe	86
PID 4920 wrote to memory of 4284	4920	serv0.exe	86
PID 4920 wrote to memory of 4284	4920	serv0.exe	86
PID 4920 wrote to memory of 4284	4920	serv0.exe	86
PID 4920 wrote to memory of 4284	4920	serv0.exe	86
PID 4920 wrote to memory of 4284	4920	serv0.exe	86
PID 4920 wrote to memory of 4036	4920	serv0.exe	87
PID 4920 wrote to memory of 4036	4920	serv0.exe	87
PID 4920 wrote to memory of 4036	4920	serv0.exe	87
PID 4808 wrote to memory of 932	4808	3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc.exe	88
PID 4808 wrote to memory of 932	4808	3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc.exe	88
PID 4808 wrote to memory of 932	4808	3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc.exe	88

C:\Users\Admin\AppData\Local\Temp\3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc.exe
"C:\Users\Admin\AppData\Local\Temp\3354ce430600c001c1ee92a63614288237a1d6fc69ceb3036ccf86ee4c9b61dc.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\serv0.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\serv0.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\cmd.exe
    "cmd"
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    PID:1588
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4284
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mic.vbs"
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:4036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\notepad.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\notepad.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\notepad.exe

Filesize
564KB

MD5
e8b24d5b0691883c2e80e742a2bdfb01

SHA1
8e19196fcf9c70613cd025f6d9dc3f9e6390af3d

SHA256
ca7b5bc22a3e7a463fec85a245ce07edf5d91c0eed6f0c45e43ade1fe48b1daa

SHA512
706b52b935b576241c7ca87fe614021db7eebc68fa07458624f6086d9eb95e9c7b102b73cbde52937279d3f8b1ad9ddf4f7a668df087ccc2750c591ab00ddd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\serv0.exe

Filesize
455KB

MD5
277d7d4d8caead8bf37ca69b4a62e34a

SHA1
0f2c446de26110dd693f75d81856f5288ffb07fc

SHA256
d094791abc782ef4125a3dc17ef101b62b3d1f38942b315181cae615cd88e2ab

SHA512
974daaa28ab323600078a783576d227b82fbd5d970958961db6384c1063be0a41c22b15e59b1986527a7c288555930da72886607b5a5046ebbf01ffe70597c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mic.vbs

Filesize
382B

MD5
0352c1ce317cfcfe8287beb24b08e969

SHA1
293c0ff564226980bc4a2ca00810cca548e159d0

SHA256
5e1de462f90b94c8df8d7d7292bf84a41ce9d1dd61b51d41c3a5533f196fb77d

SHA512
07f448ab5b282036993a974f3239bdbab88d9c39e6d2a1d22f3eebd316c383641febd22c9f1e78cd105efe632dce5dbf537ebd6bc0148c8d193915723fcbc186

Download Submit
memory/4284-18-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4284-11-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4284-13-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4284-15-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4284-14-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4284-19-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4284-28-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/4920-9-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/4920-23-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/4920-8-0x00000000746B0000-0x0000000074C61000-memory.dmp

Filesize
5.7MB

Download
memory/4920-7-0x00000000746B2000-0x00000000746B3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads