darkcomet | 4bf25d8f561fa3bf452d87b82bbb051d074b2ae8bcebec1dc421d1e653902884

General

Target

153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Size

1.7MB
MD5

b73ddd5b666ee096c73d5dccee18b54b
SHA1

60483bb7bb5f6aea52b4afbc60b3d4cbe1bb9a00
SHA256

4bf25d8f561fa3bf452d87b82bbb051d074b2ae8bcebec1dc421d1e653902884
SHA512

ad7d8bcdf85eddc1412a6196392bec46ba3aaf8d9f1e48b399289e2225c42f43a5a4305840595ff96abf4f67eccf9e64669a77e8b2e6fabe8b84fbb533e893e2

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

127.0.0.1:82

Mutex

DCMIN_MUTEX-U2EW3CZ

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
vzqTZlD6owu2
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe

Executes dropped EXE 2 IoCs

Processes:

IMDCSC.exeIMDCSC.exe

pid process

1712 IMDCSC.exe
1016 IMDCSC.exe
Loads dropped DLL 1 IoCs

Processes:

153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe

pid process

320 153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe

pid	process
1712	IMDCSC.exe
1016	IMDCSC.exe

pid	process
320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exeIMDCSC.exe

description	pid	process	target process
PID 1916 set thread context of 320	1916	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
PID 1712 set thread context of 1016	1712	IMDCSC.exe	IMDCSC.exe

autoit_exe 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exeIMDCSC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeSecurityPrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeTakeOwnershipPrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeLoadDriverPrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeSystemProfilePrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeSystemtimePrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeProfSingleProcessPrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeIncBasePriorityPrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeCreatePagefilePrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeBackupPrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeRestorePrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeShutdownPrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeDebugPrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeSystemEnvironmentPrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeChangeNotifyPrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeRemoteShutdownPrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeUndockPrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeManageVolumePrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeImpersonatePrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeCreateGlobalPrivilege	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: 33	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: 34	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: 35	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
Token: SeIncreaseQuotaPrivilege	1016	IMDCSC.exe
Token: SeSecurityPrivilege	1016	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	1016	IMDCSC.exe
Token: SeLoadDriverPrivilege	1016	IMDCSC.exe
Token: SeSystemProfilePrivilege	1016	IMDCSC.exe
Token: SeSystemtimePrivilege	1016	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	1016	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	1016	IMDCSC.exe
Token: SeCreatePagefilePrivilege	1016	IMDCSC.exe
Token: SeBackupPrivilege	1016	IMDCSC.exe
Token: SeRestorePrivilege	1016	IMDCSC.exe
Token: SeShutdownPrivilege	1016	IMDCSC.exe
Token: SeDebugPrivilege	1016	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	1016	IMDCSC.exe
Token: SeChangeNotifyPrivilege	1016	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	1016	IMDCSC.exe
Token: SeUndockPrivilege	1016	IMDCSC.exe
Token: SeManageVolumePrivilege	1016	IMDCSC.exe
Token: SeImpersonatePrivilege	1016	IMDCSC.exe
Token: SeCreateGlobalPrivilege	1016	IMDCSC.exe
Token: 33	1016	IMDCSC.exe
Token: 34	1016	IMDCSC.exe
Token: 35	1016	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMDCSC.exe

pid process

1016 IMDCSC.exe

pid	process
1016	IMDCSC.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exeIMDCSC.exe

description	pid	process	target process
PID 1916 wrote to memory of 320	1916	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
PID 1916 wrote to memory of 320	1916	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
PID 1916 wrote to memory of 320	1916	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
PID 1916 wrote to memory of 320	1916	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
PID 1916 wrote to memory of 320	1916	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
PID 1916 wrote to memory of 320	1916	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
PID 1916 wrote to memory of 320	1916	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
PID 1916 wrote to memory of 320	1916	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
PID 1916 wrote to memory of 320	1916	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
PID 1916 wrote to memory of 320	1916	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
PID 1916 wrote to memory of 320	1916	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
PID 1916 wrote to memory of 320	1916	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
PID 1916 wrote to memory of 320	1916	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
PID 320 wrote to memory of 1712	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	IMDCSC.exe
PID 320 wrote to memory of 1712	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	IMDCSC.exe
PID 320 wrote to memory of 1712	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	IMDCSC.exe
PID 320 wrote to memory of 1712	320	153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe	IMDCSC.exe
PID 1712 wrote to memory of 1016	1712	IMDCSC.exe	IMDCSC.exe
PID 1712 wrote to memory of 1016	1712	IMDCSC.exe	IMDCSC.exe
PID 1712 wrote to memory of 1016	1712	IMDCSC.exe	IMDCSC.exe
PID 1712 wrote to memory of 1016	1712	IMDCSC.exe	IMDCSC.exe
PID 1712 wrote to memory of 1016	1712	IMDCSC.exe	IMDCSC.exe
PID 1712 wrote to memory of 1016	1712	IMDCSC.exe	IMDCSC.exe
PID 1712 wrote to memory of 1016	1712	IMDCSC.exe	IMDCSC.exe
PID 1712 wrote to memory of 1016	1712	IMDCSC.exe	IMDCSC.exe
PID 1712 wrote to memory of 1016	1712	IMDCSC.exe	IMDCSC.exe
PID 1712 wrote to memory of 1016	1712	IMDCSC.exe	IMDCSC.exe
PID 1712 wrote to memory of 1016	1712	IMDCSC.exe	IMDCSC.exe
PID 1712 wrote to memory of 1016	1712	IMDCSC.exe	IMDCSC.exe
PID 1712 wrote to memory of 1016	1712	IMDCSC.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
"C:\Users\Admin\AppData\Local\Temp\153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe
"C:\Users\Admin\AppData\Local\Temp\153adafeef04097d2f2dde2fce6d0105a3893c88e7722f930fa1979c112f877c.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
MD5
b73ddd5b666ee096c73d5dccee18b54b

SHA1
60483bb7bb5f6aea52b4afbc60b3d4cbe1bb9a00

SHA256
4bf25d8f561fa3bf452d87b82bbb051d074b2ae8bcebec1dc421d1e653902884

SHA512
ad7d8bcdf85eddc1412a6196392bec46ba3aaf8d9f1e48b399289e2225c42f43a5a4305840595ff96abf4f67eccf9e64669a77e8b2e6fabe8b84fbb533e893e2

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
MD5
b73ddd5b666ee096c73d5dccee18b54b

SHA1
60483bb7bb5f6aea52b4afbc60b3d4cbe1bb9a00

SHA256
4bf25d8f561fa3bf452d87b82bbb051d074b2ae8bcebec1dc421d1e653902884

SHA512
ad7d8bcdf85eddc1412a6196392bec46ba3aaf8d9f1e48b399289e2225c42f43a5a4305840595ff96abf4f67eccf9e64669a77e8b2e6fabe8b84fbb533e893e2

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
MD5
b73ddd5b666ee096c73d5dccee18b54b

SHA1
60483bb7bb5f6aea52b4afbc60b3d4cbe1bb9a00

SHA256
4bf25d8f561fa3bf452d87b82bbb051d074b2ae8bcebec1dc421d1e653902884

SHA512
ad7d8bcdf85eddc1412a6196392bec46ba3aaf8d9f1e48b399289e2225c42f43a5a4305840595ff96abf4f67eccf9e64669a77e8b2e6fabe8b84fbb533e893e2

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
MD5
b73ddd5b666ee096c73d5dccee18b54b

SHA1
60483bb7bb5f6aea52b4afbc60b3d4cbe1bb9a00

SHA256
4bf25d8f561fa3bf452d87b82bbb051d074b2ae8bcebec1dc421d1e653902884

SHA512
ad7d8bcdf85eddc1412a6196392bec46ba3aaf8d9f1e48b399289e2225c42f43a5a4305840595ff96abf4f67eccf9e64669a77e8b2e6fabe8b84fbb533e893e2

Download Submit
memory/320-1-0x000000000048F888-mapping.dmp

Download
memory/320-0-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/320-2-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1016-8-0x000000000048F888-mapping.dmp

Download
memory/1712-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads