darkcomet | cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe
Size

3.2MB
MD5

f2395e55fc1ed3d2eda2a3bdd13d8af6
SHA1

bf5fa44a16a1ba7d772b6722552ed9525a965ee1
SHA256

cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88
SHA512

69334c6ee8df715b3373eb65f2aba85c4fbcf9fa9e6548b1b1910b646335cad97dfb36e553061aa756cc6dd881f63acff351464a515323227aa164342bb9724f
SSDEEP

49152:9gYvvhIIP0qkE+ZZPhrXXi3kmPlfD34C7/tcHk3oFughjfqKw07txr18zoTC:9gYv55j43H+9k21cu6ughTqKw07tx2f

Score

10^/10

darkcomet rolleo discovery evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

ROLLEO

127.0.0.1:1607

109.226.126.84:1607

Mutex

DC_MUTEX-SR7HAR4

Attributes

InstallPath
WindowsDefencer\Update.exe
gencode
TeJuc1dkNHmJ
install
true
offline_keylogger
false
persistence
true
reg_key
Windows Defencer

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WindowsDefencer\\Update.exe"	file.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iexplore.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4068	attrib.exe
3980	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe

Executes dropped EXE 3 IoCs

pid	Process
388	borodacraft.exe
3884	file.exe
4732	Update.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HHPKMKDMJJNGAOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defencer = "C:\\Windows\\system32\\WindowsDefencer\\Update.exe"	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defencer = "C:\\Windows\\system32\\WindowsDefencer\\Update.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defencer = "C:\\Windows\\system32\\WindowsDefencer\\Update.exe"	iexplore.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsDefencer\Update.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\WindowsDefencer\Update.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\WindowsDefencer\	file.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4732 set thread context of 1464	4732	Update.exe	93

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ca0-22.dat	upx
behavioral2/memory/3884-24-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4732-87-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1464-89-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4732-91-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3884-94-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	borodacraft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	file.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3884	file.exe
Token: SeSecurityPrivilege	3884	file.exe
Token: SeTakeOwnershipPrivilege	3884	file.exe
Token: SeLoadDriverPrivilege	3884	file.exe
Token: SeSystemProfilePrivilege	3884	file.exe
Token: SeSystemtimePrivilege	3884	file.exe
Token: SeProfSingleProcessPrivilege	3884	file.exe
Token: SeIncBasePriorityPrivilege	3884	file.exe
Token: SeCreatePagefilePrivilege	3884	file.exe
Token: SeBackupPrivilege	3884	file.exe
Token: SeRestorePrivilege	3884	file.exe
Token: SeShutdownPrivilege	3884	file.exe
Token: SeDebugPrivilege	3884	file.exe
Token: SeSystemEnvironmentPrivilege	3884	file.exe
Token: SeChangeNotifyPrivilege	3884	file.exe
Token: SeRemoteShutdownPrivilege	3884	file.exe
Token: SeUndockPrivilege	3884	file.exe
Token: SeManageVolumePrivilege	3884	file.exe
Token: SeImpersonatePrivilege	3884	file.exe
Token: SeCreateGlobalPrivilege	3884	file.exe
Token: 33	3884	file.exe
Token: 34	3884	file.exe
Token: 35	3884	file.exe
Token: 36	3884	file.exe
Token: SeIncreaseQuotaPrivilege	4732	Update.exe
Token: SeSecurityPrivilege	4732	Update.exe
Token: SeTakeOwnershipPrivilege	4732	Update.exe
Token: SeLoadDriverPrivilege	4732	Update.exe
Token: SeSystemProfilePrivilege	4732	Update.exe
Token: SeSystemtimePrivilege	4732	Update.exe
Token: SeProfSingleProcessPrivilege	4732	Update.exe
Token: SeIncBasePriorityPrivilege	4732	Update.exe
Token: SeCreatePagefilePrivilege	4732	Update.exe
Token: SeBackupPrivilege	4732	Update.exe
Token: SeRestorePrivilege	4732	Update.exe
Token: SeShutdownPrivilege	4732	Update.exe
Token: SeDebugPrivilege	4732	Update.exe
Token: SeSystemEnvironmentPrivilege	4732	Update.exe
Token: SeChangeNotifyPrivilege	4732	Update.exe
Token: SeRemoteShutdownPrivilege	4732	Update.exe
Token: SeUndockPrivilege	4732	Update.exe
Token: SeManageVolumePrivilege	4732	Update.exe
Token: SeImpersonatePrivilege	4732	Update.exe
Token: SeCreateGlobalPrivilege	4732	Update.exe
Token: 33	4732	Update.exe
Token: 34	4732	Update.exe
Token: 35	4732	Update.exe
Token: 36	4732	Update.exe
Token: SeIncreaseQuotaPrivilege	1464	iexplore.exe
Token: SeSecurityPrivilege	1464	iexplore.exe
Token: SeTakeOwnershipPrivilege	1464	iexplore.exe
Token: SeLoadDriverPrivilege	1464	iexplore.exe
Token: SeSystemProfilePrivilege	1464	iexplore.exe
Token: SeSystemtimePrivilege	1464	iexplore.exe
Token: SeProfSingleProcessPrivilege	1464	iexplore.exe
Token: SeIncBasePriorityPrivilege	1464	iexplore.exe
Token: SeCreatePagefilePrivilege	1464	iexplore.exe
Token: SeBackupPrivilege	1464	iexplore.exe
Token: SeRestorePrivilege	1464	iexplore.exe
Token: SeShutdownPrivilege	1464	iexplore.exe
Token: SeDebugPrivilege	1464	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1464	iexplore.exe
Token: SeChangeNotifyPrivilege	1464	iexplore.exe
Token: SeRemoteShutdownPrivilege	1464	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 388	1716	cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe	82
PID 1716 wrote to memory of 388	1716	cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe	82
PID 1716 wrote to memory of 388	1716	cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe	82
PID 1716 wrote to memory of 3884	1716	cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe	83
PID 1716 wrote to memory of 3884	1716	cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe	83
PID 1716 wrote to memory of 3884	1716	cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe	83
PID 3884 wrote to memory of 2024	3884	file.exe	84
PID 3884 wrote to memory of 2024	3884	file.exe	84
PID 3884 wrote to memory of 2024	3884	file.exe	84
PID 3884 wrote to memory of 2756	3884	file.exe	86
PID 3884 wrote to memory of 2756	3884	file.exe	86
PID 3884 wrote to memory of 2756	3884	file.exe	86
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 3884 wrote to memory of 1776	3884	file.exe	87
PID 2024 wrote to memory of 4068	2024	cmd.exe	89
PID 2024 wrote to memory of 4068	2024	cmd.exe	89
PID 2024 wrote to memory of 4068	2024	cmd.exe	89
PID 2756 wrote to memory of 3980	2756	cmd.exe	90
PID 2756 wrote to memory of 3980	2756	cmd.exe	90
PID 2756 wrote to memory of 3980	2756	cmd.exe	90
PID 3884 wrote to memory of 4732	3884	file.exe	91
PID 3884 wrote to memory of 4732	3884	file.exe	91
PID 3884 wrote to memory of 4732	3884	file.exe	91
PID 4732 wrote to memory of 1464	4732	Update.exe	93
PID 4732 wrote to memory of 1464	4732	Update.exe	93
PID 4732 wrote to memory of 1464	4732	Update.exe	93
PID 4732 wrote to memory of 1464	4732	Update.exe	93
PID 4732 wrote to memory of 1464	4732	Update.exe	93
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94
PID 1464 wrote to memory of 1468	1464	iexplore.exe	94

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4068	attrib.exe
3980	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe
"C:\Users\Admin\AppData\Local\Temp\cd94d37811fae47b63dd11e2e8a0e2ac328b8b8664d530c41c615af9285a8a88.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\borodacraft.exe
  "C:\Users\Admin\AppData\Local\Temp\borodacraft.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:388
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\file.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\file.exe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3980
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1776
- - C:\Windows\SysWOW64\WindowsDefencer\Update.exe
    "C:\Windows\system32\WindowsDefencer\Update.exe"
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Disables RegEdit via registry modification
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\borodacraft.exe

Filesize
3.0MB

MD5
e01dfbe76c690a070ec522d0091a9b3a

SHA1
3233ef818c3cc27e07612b7db236b74798eca8f7

SHA256
f4d4b2be4cfc692bf9e3a48a93b038280d6dca1dc69956bcae3707abf97d1686

SHA512
ace329d994a6bc7317401e31d7f2e830e9bb17488891c3fc56c14e03b2a2e72b599b7b4f41cc2f59b781c22478e69461791e1a7ba14c27cd845567b3d5f8b406

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe

Filesize
252KB

MD5
49e04125173bdb0f292b0abb13db301d

SHA1
00bce84c8a0b6b71d03fa032aff71eb3500b2147

SHA256
f0bbed6d47a04063aa467df02a87991e25bf744ee0eec4e31cff20f1ac110a29

SHA512
af083f3620e1401f619314014405ed8ffe3a938e15c6a04fdf204c32d348f52d21ff36ed084ba6fcf0a6f292c3d12becee08c229fc4c9ac14b234f594a2bbeb9

Download Submit
memory/1464-89-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1468-92-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/1776-29-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3884-24-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3884-25-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/3884-94-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4732-87-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4732-91-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads