darkcomet | 8e1d52e1b4781efea9d7d21db0ce836c98d13ae7201561fd3261da57203208ba

Analysis

max time kernel
135s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
Size

7.3MB
MD5

7002220c99ce292ae1e868630955d252
SHA1

6a30dac7b111d836df034b61b0e1e75193685005
SHA256

9f17acc43acf52f99f6c858e14da84b6b4c67381687f8fedfd9b6a21b2ab37b4
SHA512

6e71732cc363e3277e42e7a06626dd0909bad6eca065d4f8278bd8c048bc56ec3de533ec2e83efda396d904cda39b4e955ed3ff0d33dd765b8864a3a018b7eee
SSDEEP

196608:BtonkRNZFa4GEQkyuU3ydnUOjYyO92A2U9:yeOhkpOydPXOb9

Score

10^/10

darkcomet wedthings discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

WEDTHINGS

cosrem.ddns.net:2301

cosrem.ddnsgeek.com:2301

cosrem.dyndns.org:2301

Mutex

DC_MUTEX-B22SA3T

Attributes

gencode
0TFfD5Hg0VlW
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 4 IoCs

pid	Process
1712	imageranger.exe
2192	dllhost.exe
2788	dllhost.exe
320	dllhost.exe

Loads dropped DLL 5 IoCs

pid	Process
3000	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
3000	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
3000	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
3000	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
3000	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 320	2192	dllhost.exe	36

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\XtSense GmbH\ImageRanger Pro\imageranger.exe	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
File opened for modification	C:\Program Files (x86)\XtSense GmbH\ImageRanger Pro\Uninstall.exe	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
File created	C:\Program Files (x86)\XtSense GmbH\ImageRanger Pro\Uninstall.ini	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2192	dllhost.exe
2192	dllhost.exe
2192	dllhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	dllhost.exe
Token: SeIncreaseQuotaPrivilege	320	dllhost.exe
Token: SeSecurityPrivilege	320	dllhost.exe
Token: SeTakeOwnershipPrivilege	320	dllhost.exe
Token: SeLoadDriverPrivilege	320	dllhost.exe
Token: SeSystemProfilePrivilege	320	dllhost.exe
Token: SeSystemtimePrivilege	320	dllhost.exe
Token: SeProfSingleProcessPrivilege	320	dllhost.exe
Token: SeIncBasePriorityPrivilege	320	dllhost.exe
Token: SeCreatePagefilePrivilege	320	dllhost.exe
Token: SeBackupPrivilege	320	dllhost.exe
Token: SeRestorePrivilege	320	dllhost.exe
Token: SeShutdownPrivilege	320	dllhost.exe
Token: SeDebugPrivilege	320	dllhost.exe
Token: SeSystemEnvironmentPrivilege	320	dllhost.exe
Token: SeChangeNotifyPrivilege	320	dllhost.exe
Token: SeRemoteShutdownPrivilege	320	dllhost.exe
Token: SeUndockPrivilege	320	dllhost.exe
Token: SeManageVolumePrivilege	320	dllhost.exe
Token: SeImpersonatePrivilege	320	dllhost.exe
Token: SeCreateGlobalPrivilege	320	dllhost.exe
Token: 33	320	dllhost.exe
Token: 34	320	dllhost.exe
Token: 35	320	dllhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
320	dllhost.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1712	3000	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe	30
PID 3000 wrote to memory of 1712	3000	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe	30
PID 3000 wrote to memory of 1712	3000	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe	30
PID 3000 wrote to memory of 1712	3000	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe	30
PID 3000 wrote to memory of 2192	3000	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe	31
PID 3000 wrote to memory of 2192	3000	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe	31
PID 3000 wrote to memory of 2192	3000	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe	31
PID 3000 wrote to memory of 2192	3000	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe	31
PID 2192 wrote to memory of 304	2192	dllhost.exe	33
PID 2192 wrote to memory of 304	2192	dllhost.exe	33
PID 2192 wrote to memory of 304	2192	dllhost.exe	33
PID 2192 wrote to memory of 304	2192	dllhost.exe	33
PID 2192 wrote to memory of 2788	2192	dllhost.exe	35
PID 2192 wrote to memory of 2788	2192	dllhost.exe	35
PID 2192 wrote to memory of 2788	2192	dllhost.exe	35
PID 2192 wrote to memory of 2788	2192	dllhost.exe	35
PID 2192 wrote to memory of 320	2192	dllhost.exe	36
PID 2192 wrote to memory of 320	2192	dllhost.exe	36
PID 2192 wrote to memory of 320	2192	dllhost.exe	36
PID 2192 wrote to memory of 320	2192	dllhost.exe	36
PID 2192 wrote to memory of 320	2192	dllhost.exe	36
PID 2192 wrote to memory of 320	2192	dllhost.exe	36
PID 2192 wrote to memory of 320	2192	dllhost.exe	36
PID 2192 wrote to memory of 320	2192	dllhost.exe	36
PID 2192 wrote to memory of 320	2192	dllhost.exe	36
PID 2192 wrote to memory of 320	2192	dllhost.exe	36
PID 2192 wrote to memory of 320	2192	dllhost.exe	36
PID 2192 wrote to memory of 320	2192	dllhost.exe	36
PID 2192 wrote to memory of 320	2192	dllhost.exe	36

C:\Users\Admin\AppData\Local\Temp\9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
"C:\Users\Admin\AppData\Local\Temp\9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Program Files (x86)\XtSense GmbH\ImageRanger Pro\imageranger.exe
  "C:\Program Files (x86)\XtSense GmbH\ImageRanger Pro\imageranger.exe"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  "C:\Users\Admin\AppData\Roaming\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wpGwXkn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8871.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:304
- - C:\Users\Admin\AppData\Roaming\dllhost.exe
    "C:\Users\Admin\AppData\Roaming\dllhost.exe"
    3⤵
    - Executes dropped EXE
    PID:2788
- - C:\Users\Admin\AppData\Roaming\dllhost.exe
    "C:\Users\Admin\AppData\Roaming\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\XtSense GmbH\ImageRanger Pro\imageranger.exe

Filesize
10.8MB

MD5
f9371edfc29bcee9903c72c134b98eb8

SHA1
4456a1ee1a4778e25c4b979bd893040580dbee5f

SHA256
d195557ca5e46f0db1be687df1a9a9ea76449a2b5a8203deeccf4222b9adf0ff

SHA512
2703fe461349f570282b1b7cd269096e362036b7379414e6ccb8788ef7f6b44523d40ee4c54926c93168df918495645026f6d0566ee2eb381d3cd8bfae2c8068

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8871.tmp

Filesize
1KB

MD5
6f4b00e2bdef8f0f1b364ac4b3396a99

SHA1
68358e82e289de1d73b13d5ac6736897a86775b5

SHA256
fb484c72b1aa88b50821857c3afba312a45a0d8a4a7b21a10bc7491e665dcdc3

SHA512
54f78694ab235d654bef7b7232f544801100e5a4012e8be381c366f4a3b3f7a0750d07e837bcfe482dc4fda0296cdf1ca3c7d0b606a5d01545f3f57cc7e38ce9

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
1.4MB

MD5
de7df715cb2ec41376586f4ddc70c5cf

SHA1
1d22d3d3ed5f961778c03f0ce6c5ad59161c5d2f

SHA256
0e677f2ed4b7c5cd7e47d6738d645310635250271b6cade8ce4589bbde1e82bb

SHA512
d78428bc7ac819d3b569a8f12c6e0f790530b889447368e6966537a102a595f0d3ca2dc2c1ef08b0b1f3a7c165f4f5ca164c159e554c86f30d0ec1819fa7c966

Download Submit
memory/320-78-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/320-71-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/320-79-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/320-61-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/320-57-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/320-63-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/320-65-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/320-67-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/320-69-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/320-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/320-59-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/320-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/320-76-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2192-77-0x0000000073A50000-0x000000007413E000-memory.dmp

Filesize
6.9MB

Download
memory/2192-50-0x0000000004D30000-0x0000000004DE6000-memory.dmp

Filesize
728KB

Download
memory/2192-49-0x000000000AD50000-0x000000000AE26000-memory.dmp

Filesize
856KB

Download
memory/2192-44-0x0000000073A50000-0x000000007413E000-memory.dmp

Filesize
6.9MB

Download
memory/2192-43-0x0000000073A5E000-0x0000000073A5F000-memory.dmp

Filesize
4KB

Download
memory/2192-41-0x0000000073A50000-0x000000007413E000-memory.dmp

Filesize
6.9MB

Download
memory/2192-40-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2192-39-0x0000000006F90000-0x00000000070F2000-memory.dmp

Filesize
1.4MB

Download
memory/2192-38-0x0000000000A90000-0x0000000000C02000-memory.dmp

Filesize
1.4MB

Download
memory/2192-37-0x0000000073A5E000-0x0000000073A5F000-memory.dmp

Filesize
4KB

Download
memory/3000-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download