darkcomet | 8e1d52e1b4781efea9d7d21db0ce836c98d13ae7201561fd3261da57203208ba

General

Target

9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
Size

7.3MB
MD5

7002220c99ce292ae1e868630955d252
SHA1

6a30dac7b111d836df034b61b0e1e75193685005
SHA256

9f17acc43acf52f99f6c858e14da84b6b4c67381687f8fedfd9b6a21b2ab37b4
SHA512

6e71732cc363e3277e42e7a06626dd0909bad6eca065d4f8278bd8c048bc56ec3de533ec2e83efda396d904cda39b4e955ed3ff0d33dd765b8864a3a018b7eee
SSDEEP

196608:BtonkRNZFa4GEQkyuU3ydnUOjYyO92A2U9:yeOhkpOydPXOb9

Score

10^/10

darkcomet wedthings discovery rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

WEDTHINGS

C2

cosrem.ddns.net:2301

cosrem.ddnsgeek.com:2301

cosrem.dyndns.org:2301

Mutex

DC_MUTEX-B22SA3T

Attributes

gencode
0TFfD5Hg0VlW
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 4 IoCs

pid	Process
1032	imageranger.exe
3612	dllhost.exe
1204	dllhost.exe
312	dllhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3612 set thread context of 312	3612	dllhost.exe	97

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\XtSense GmbH\ImageRanger Pro\Uninstall.exe	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
File created	C:\Program Files (x86)\XtSense GmbH\ImageRanger Pro\Uninstall.ini	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
File opened for modification	C:\Program Files (x86)\XtSense GmbH\ImageRanger Pro\imageranger.exe	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3612	dllhost.exe
3612	dllhost.exe
3612	dllhost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	3612	dllhost.exe
Token: SeIncreaseQuotaPrivilege	312	dllhost.exe
Token: SeSecurityPrivilege	312	dllhost.exe
Token: SeTakeOwnershipPrivilege	312	dllhost.exe
Token: SeLoadDriverPrivilege	312	dllhost.exe
Token: SeSystemProfilePrivilege	312	dllhost.exe
Token: SeSystemtimePrivilege	312	dllhost.exe
Token: SeProfSingleProcessPrivilege	312	dllhost.exe
Token: SeIncBasePriorityPrivilege	312	dllhost.exe
Token: SeCreatePagefilePrivilege	312	dllhost.exe
Token: SeBackupPrivilege	312	dllhost.exe
Token: SeRestorePrivilege	312	dllhost.exe
Token: SeShutdownPrivilege	312	dllhost.exe
Token: SeDebugPrivilege	312	dllhost.exe
Token: SeSystemEnvironmentPrivilege	312	dllhost.exe
Token: SeChangeNotifyPrivilege	312	dllhost.exe
Token: SeRemoteShutdownPrivilege	312	dllhost.exe
Token: SeUndockPrivilege	312	dllhost.exe
Token: SeManageVolumePrivilege	312	dllhost.exe
Token: SeImpersonatePrivilege	312	dllhost.exe
Token: SeCreateGlobalPrivilege	312	dllhost.exe
Token: 33	312	dllhost.exe
Token: 34	312	dllhost.exe
Token: 35	312	dllhost.exe
Token: 36	312	dllhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
312	dllhost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 1032	3132	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe	82
PID 3132 wrote to memory of 1032	3132	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe	82
PID 3132 wrote to memory of 3612	3132	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe	91
PID 3132 wrote to memory of 3612	3132	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe	91
PID 3132 wrote to memory of 3612	3132	9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe	91
PID 3612 wrote to memory of 2732	3612	dllhost.exe	94
PID 3612 wrote to memory of 2732	3612	dllhost.exe	94
PID 3612 wrote to memory of 2732	3612	dllhost.exe	94
PID 3612 wrote to memory of 1204	3612	dllhost.exe	96
PID 3612 wrote to memory of 1204	3612	dllhost.exe	96
PID 3612 wrote to memory of 1204	3612	dllhost.exe	96
PID 3612 wrote to memory of 312	3612	dllhost.exe	97
PID 3612 wrote to memory of 312	3612	dllhost.exe	97
PID 3612 wrote to memory of 312	3612	dllhost.exe	97
PID 3612 wrote to memory of 312	3612	dllhost.exe	97
PID 3612 wrote to memory of 312	3612	dllhost.exe	97
PID 3612 wrote to memory of 312	3612	dllhost.exe	97
PID 3612 wrote to memory of 312	3612	dllhost.exe	97
PID 3612 wrote to memory of 312	3612	dllhost.exe	97
PID 3612 wrote to memory of 312	3612	dllhost.exe	97
PID 3612 wrote to memory of 312	3612	dllhost.exe	97
PID 3612 wrote to memory of 312	3612	dllhost.exe	97
PID 3612 wrote to memory of 312	3612	dllhost.exe	97

C:\Users\Admin\AppData\Local\Temp\9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe
"C:\Users\Admin\AppData\Local\Temp\9F17ACC43ACF52F99F6C858E14DA84B6B4C67381687F8FEDFD9B6A21B2AB37B4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Program Files (x86)\XtSense GmbH\ImageRanger Pro\imageranger.exe
  "C:\Program Files (x86)\XtSense GmbH\ImageRanger Pro\imageranger.exe"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Users\Admin\AppData\Roaming\dllhost.exe
  "C:\Users\Admin\AppData\Roaming\dllhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wpGwXkn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC474.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2732
- - C:\Users\Admin\AppData\Roaming\dllhost.exe
    "C:\Users\Admin\AppData\Roaming\dllhost.exe"
    3⤵
    - Executes dropped EXE
    PID:1204
- - C:\Users\Admin\AppData\Roaming\dllhost.exe
    "C:\Users\Admin\AppData\Roaming\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\XtSense GmbH\ImageRanger Pro\imageranger.exe

Filesize
10.8MB

MD5
f9371edfc29bcee9903c72c134b98eb8

SHA1
4456a1ee1a4778e25c4b979bd893040580dbee5f

SHA256
d195557ca5e46f0db1be687df1a9a9ea76449a2b5a8203deeccf4222b9adf0ff

SHA512
2703fe461349f570282b1b7cd269096e362036b7379414e6ccb8788ef7f6b44523d40ee4c54926c93168df918495645026f6d0566ee2eb381d3cd8bfae2c8068

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC474.tmp

Filesize
1KB

MD5
2c7a1a9005fdabb1fd4299cd13b017c5

SHA1
6e3048abfa9a0f49078a05d40e1b821558fa3174

SHA256
b761f0e585e3da1a77c5131d4080e525ebcffe2ac3432a29b94e997ddb80fbd6

SHA512
fe22b80a4e4b4f0d70e52c2fe864f86e5769d3a6822d77768c5277e1fc69081b9f9bb7b98e751ac5636b16d5d66c9beb6d0633699a10d03c20ca25f52964cc3c

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
1.4MB

MD5
de7df715cb2ec41376586f4ddc70c5cf

SHA1
1d22d3d3ed5f961778c03f0ce6c5ad59161c5d2f

SHA256
0e677f2ed4b7c5cd7e47d6738d645310635250271b6cade8ce4589bbde1e82bb

SHA512
d78428bc7ac819d3b569a8f12c6e0f790530b889447368e6966537a102a595f0d3ca2dc2c1ef08b0b1f3a7c165f4f5ca164c159e554c86f30d0ec1819fa7c966

Download Submit
memory/312-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/312-72-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/312-69-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/312-67-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/312-64-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3132-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-43-0x000000000ADD0000-0x000000000AE6C000-memory.dmp

Filesize
624KB

Download
memory/3612-49-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/3612-48-0x000000000B000000-0x000000000B056000-memory.dmp

Filesize
344KB

Download
memory/3612-56-0x000000000BD60000-0x000000000BE36000-memory.dmp

Filesize
856KB

Download
memory/3612-57-0x0000000005870000-0x0000000005926000-memory.dmp

Filesize
728KB

Download
memory/3612-47-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/3612-46-0x00007FFDFCD90000-0x00007FFDFCF85000-memory.dmp

Filesize
2.0MB

Download
memory/3612-45-0x000000000AE70000-0x000000000AF02000-memory.dmp

Filesize
584KB

Download
memory/3612-44-0x000000000B420000-0x000000000B9C4000-memory.dmp

Filesize
5.6MB

Download
memory/3612-71-0x00007FFDFCD90000-0x00007FFDFCF85000-memory.dmp

Filesize
2.0MB

Download
memory/3612-42-0x0000000007BD0000-0x0000000007D32000-memory.dmp

Filesize
1.4MB

Download
memory/3612-41-0x0000000000BF0000-0x0000000000D62000-memory.dmp

Filesize
1.4MB

Download
memory/3612-40-0x00007FFDFCD90000-0x00007FFDFCF85000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads