darkcomet | 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07

Resubmissions

05/02/2025, 07:30

250205-jb9afaxrdl 10

05/02/2025, 07:08

250205-hx7s3axlak 10

01/10/2022, 23:07

221001-235ensceam 10

Analysis

max time kernel
120s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2025, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
Size

582KB
MD5

6ee8965f23ab498defe80b79ab2ca52c
SHA1

0d74605007a81bf44052dcf43385b236d9401c66
SHA256

0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07
SHA512

9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3
SSDEEP

12288:3w3BadD1/+wudvYWgktZiE0SJObe2HhcduQ6H6fI:GadVpupYWgktZigsS2Haub6

Score

10^/10

darkcomet dataprotector13.05.2013 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

DataProtector13.05.2013

vierus330.no-ip.org:9751

Mutex

DCMIN_MUTEX-P9NPCV7

Attributes

gencode
Ch5FEfuRL0mp
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\cmiadapter.exe"	reg.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	cmiadapter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	PrintConfig.exe

Executes dropped EXE 3 IoCs

pid	Process
3880	cmiadapter.exe
1184	PrintConfig.exe
4272	cmiadapter.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 768 set thread context of 4368	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	90
PID 1184 set thread context of 4852	1184	PrintConfig.exe	105

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
File created	C:\Windows\assembly\Desktop.ini	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1908	4368	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmiadapter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmiadapter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrintConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe
3880	cmiadapter.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
Token: SeDebugPrivilege	3880	cmiadapter.exe
Token: SeDebugPrivilege	1184	PrintConfig.exe
Token: SeIncreaseQuotaPrivilege	4852	svchost.exe
Token: SeSecurityPrivilege	4852	svchost.exe
Token: SeTakeOwnershipPrivilege	4852	svchost.exe
Token: SeLoadDriverPrivilege	4852	svchost.exe
Token: SeSystemProfilePrivilege	4852	svchost.exe
Token: SeSystemtimePrivilege	4852	svchost.exe
Token: SeProfSingleProcessPrivilege	4852	svchost.exe
Token: SeIncBasePriorityPrivilege	4852	svchost.exe
Token: SeCreatePagefilePrivilege	4852	svchost.exe
Token: SeBackupPrivilege	4852	svchost.exe
Token: SeRestorePrivilege	4852	svchost.exe
Token: SeShutdownPrivilege	4852	svchost.exe
Token: SeDebugPrivilege	4852	svchost.exe
Token: SeSystemEnvironmentPrivilege	4852	svchost.exe
Token: SeChangeNotifyPrivilege	4852	svchost.exe
Token: SeRemoteShutdownPrivilege	4852	svchost.exe
Token: SeUndockPrivilege	4852	svchost.exe
Token: SeManageVolumePrivilege	4852	svchost.exe
Token: SeImpersonatePrivilege	4852	svchost.exe
Token: SeCreateGlobalPrivilege	4852	svchost.exe
Token: 33	4852	svchost.exe
Token: 34	4852	svchost.exe
Token: 35	4852	svchost.exe
Token: 36	4852	svchost.exe
Token: SeDebugPrivilege	4272	cmiadapter.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4852	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 4368	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	90
PID 768 wrote to memory of 4368	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	90
PID 768 wrote to memory of 4368	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	90
PID 768 wrote to memory of 4368	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	90
PID 768 wrote to memory of 4368	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	90
PID 768 wrote to memory of 4368	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	90
PID 768 wrote to memory of 4368	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	90
PID 768 wrote to memory of 4368	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	90
PID 768 wrote to memory of 4368	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	90
PID 768 wrote to memory of 4368	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	90
PID 768 wrote to memory of 4368	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	90
PID 768 wrote to memory of 4368	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	90
PID 768 wrote to memory of 3880	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	95
PID 768 wrote to memory of 3880	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	95
PID 768 wrote to memory of 3880	768	0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe	95
PID 3880 wrote to memory of 1636	3880	cmiadapter.exe	100
PID 3880 wrote to memory of 1636	3880	cmiadapter.exe	100
PID 3880 wrote to memory of 1636	3880	cmiadapter.exe	100
PID 1636 wrote to memory of 4640	1636	cmd.exe	102
PID 1636 wrote to memory of 4640	1636	cmd.exe	102
PID 1636 wrote to memory of 4640	1636	cmd.exe	102
PID 3880 wrote to memory of 1184	3880	cmiadapter.exe	103
PID 3880 wrote to memory of 1184	3880	cmiadapter.exe	103
PID 3880 wrote to memory of 1184	3880	cmiadapter.exe	103
PID 1184 wrote to memory of 4852	1184	PrintConfig.exe	105
PID 1184 wrote to memory of 4852	1184	PrintConfig.exe	105
PID 1184 wrote to memory of 4852	1184	PrintConfig.exe	105
PID 1184 wrote to memory of 4852	1184	PrintConfig.exe	105
PID 1184 wrote to memory of 4852	1184	PrintConfig.exe	105
PID 1184 wrote to memory of 4852	1184	PrintConfig.exe	105
PID 1184 wrote to memory of 4852	1184	PrintConfig.exe	105
PID 1184 wrote to memory of 4852	1184	PrintConfig.exe	105
PID 1184 wrote to memory of 4852	1184	PrintConfig.exe	105
PID 1184 wrote to memory of 4852	1184	PrintConfig.exe	105
PID 1184 wrote to memory of 4852	1184	PrintConfig.exe	105
PID 1184 wrote to memory of 4852	1184	PrintConfig.exe	105
PID 1184 wrote to memory of 4272	1184	PrintConfig.exe	107
PID 1184 wrote to memory of 4272	1184	PrintConfig.exe	107
PID 1184 wrote to memory of 4272	1184	PrintConfig.exe	107

C:\Users\Admin\AppData\Local\Temp\0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
C:\Users\Admin\AppData\Local\Temp\0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe dsrm -subtree -noprompt -c user"http://+:443"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 528
    3⤵
    - Program crash
    PID:1908
- C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe
  "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
      4⤵
      Modifies WinLogon for persistence
      System Location Discovery: System Language Discovery
      PID:4640
- - C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe
    "C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe
      "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4368 -ip 4368
1⤵
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\cmiadapter.exe.log

Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe

Filesize
582KB

MD5
6ee8965f23ab498defe80b79ab2ca52c

SHA1
0d74605007a81bf44052dcf43385b236d9401c66

SHA256
0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07

SHA512
9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe

Filesize
16KB

MD5
c6c51cca0adc05ece4e02e83476a50b9

SHA1
dee0bc2c12ef7e5daec14939556b436d626eff25

SHA256
af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2

SHA512
389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0

Download Submit
memory/768-1-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/768-2-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/768-5-0x00000000749D2000-0x00000000749D3000-memory.dmp

Filesize
4KB

Download
memory/768-6-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/768-41-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/768-0-0x00000000749D2000-0x00000000749D3000-memory.dmp

Filesize
4KB

Download
memory/3880-33-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/3880-34-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/3880-35-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/3880-39-0x00000000749D0000-0x0000000074F81000-memory.dmp

Filesize
5.7MB

Download
memory/4368-11-0x0000000000800000-0x00000000008B2000-memory.dmp

Filesize
712KB

Download
memory/4368-22-0x0000000000800000-0x00000000008B2000-memory.dmp

Filesize
712KB

Download
memory/4368-21-0x0000000000800000-0x00000000008B2000-memory.dmp

Filesize
712KB

Download
memory/4368-16-0x0000000000800000-0x00000000008B2000-memory.dmp

Filesize
712KB

Download
memory/4852-43-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4852-45-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4852-44-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download