darkcomet | 1cdca2d78597458423dae50d4c693e5d6fed8bd2ef0cc83f08e3dce36225bd92

General

Target

6eab736495f914d3adffd4cf0a923d36.exe
Size

658KB
MD5

6eab736495f914d3adffd4cf0a923d36
SHA1

96134248a09a77b7960bac38a441538a76ca5a7c
SHA256

1cdca2d78597458423dae50d4c693e5d6fed8bd2ef0cc83f08e3dce36225bd92
SHA512

ac783fc437db544c6407da4e6bbf4619c5ad917bb1165ca2064305b015f292dba8edbf96ac298246cee3fe86f4b07a87c9808141a0a9e8d007d1d4483f872e20

Score

10^/10

darkcomet mitakacska persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

mitakacska

C2

127.0.0.1:1122

Mutex

DCMIN_MUTEX-X9BQVDS

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
m0YbYRxzGMkb
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

6eab736495f914d3adffd4cf0a923d36.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	6eab736495f914d3adffd4cf0a923d36.exe

Executes dropped EXE 1 IoCs

Processes:

IMDCSC.exe

pid process

1728 IMDCSC.exe
Loads dropped DLL 2 IoCs

Processes:

6eab736495f914d3adffd4cf0a923d36.exe

pid process

1068 6eab736495f914d3adffd4cf0a923d36.exe
1068 6eab736495f914d3adffd4cf0a923d36.exe

pid	process
1728	IMDCSC.exe

pid	process
1068	6eab736495f914d3adffd4cf0a923d36.exe
1068	6eab736495f914d3adffd4cf0a923d36.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6eab736495f914d3adffd4cf0a923d36.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	6eab736495f914d3adffd4cf0a923d36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

6eab736495f914d3adffd4cf0a923d36.exeIMDCSC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeSecurityPrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeTakeOwnershipPrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeLoadDriverPrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeSystemProfilePrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeSystemtimePrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeProfSingleProcessPrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeIncBasePriorityPrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeCreatePagefilePrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeBackupPrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeRestorePrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeShutdownPrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeDebugPrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeSystemEnvironmentPrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeChangeNotifyPrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeRemoteShutdownPrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeUndockPrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeManageVolumePrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeImpersonatePrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeCreateGlobalPrivilege	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: 33	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: 34	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: 35	1068	6eab736495f914d3adffd4cf0a923d36.exe
Token: SeIncreaseQuotaPrivilege	1728	IMDCSC.exe
Token: SeSecurityPrivilege	1728	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	1728	IMDCSC.exe
Token: SeLoadDriverPrivilege	1728	IMDCSC.exe
Token: SeSystemProfilePrivilege	1728	IMDCSC.exe
Token: SeSystemtimePrivilege	1728	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	1728	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	1728	IMDCSC.exe
Token: SeCreatePagefilePrivilege	1728	IMDCSC.exe
Token: SeBackupPrivilege	1728	IMDCSC.exe
Token: SeRestorePrivilege	1728	IMDCSC.exe
Token: SeShutdownPrivilege	1728	IMDCSC.exe
Token: SeDebugPrivilege	1728	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	1728	IMDCSC.exe
Token: SeChangeNotifyPrivilege	1728	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	1728	IMDCSC.exe
Token: SeUndockPrivilege	1728	IMDCSC.exe
Token: SeManageVolumePrivilege	1728	IMDCSC.exe
Token: SeImpersonatePrivilege	1728	IMDCSC.exe
Token: SeCreateGlobalPrivilege	1728	IMDCSC.exe
Token: 33	1728	IMDCSC.exe
Token: 34	1728	IMDCSC.exe
Token: 35	1728	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMDCSC.exe

pid process

1728 IMDCSC.exe

pid	process
1728	IMDCSC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6eab736495f914d3adffd4cf0a923d36.exe

description	pid	process	target process
PID 1068 wrote to memory of 1728	1068	6eab736495f914d3adffd4cf0a923d36.exe	IMDCSC.exe
PID 1068 wrote to memory of 1728	1068	6eab736495f914d3adffd4cf0a923d36.exe	IMDCSC.exe
PID 1068 wrote to memory of 1728	1068	6eab736495f914d3adffd4cf0a923d36.exe	IMDCSC.exe
PID 1068 wrote to memory of 1728	1068	6eab736495f914d3adffd4cf0a923d36.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\6eab736495f914d3adffd4cf0a923d36.exe
"C:\Users\Admin\AppData\Local\Temp\6eab736495f914d3adffd4cf0a923d36.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
MD5
6eab736495f914d3adffd4cf0a923d36

SHA1
96134248a09a77b7960bac38a441538a76ca5a7c

SHA256
1cdca2d78597458423dae50d4c693e5d6fed8bd2ef0cc83f08e3dce36225bd92

SHA512
ac783fc437db544c6407da4e6bbf4619c5ad917bb1165ca2064305b015f292dba8edbf96ac298246cee3fe86f4b07a87c9808141a0a9e8d007d1d4483f872e20

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
MD5
6eab736495f914d3adffd4cf0a923d36

SHA1
96134248a09a77b7960bac38a441538a76ca5a7c

SHA256
1cdca2d78597458423dae50d4c693e5d6fed8bd2ef0cc83f08e3dce36225bd92

SHA512
ac783fc437db544c6407da4e6bbf4619c5ad917bb1165ca2064305b015f292dba8edbf96ac298246cee3fe86f4b07a87c9808141a0a9e8d007d1d4483f872e20

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
MD5
6eab736495f914d3adffd4cf0a923d36

SHA1
96134248a09a77b7960bac38a441538a76ca5a7c

SHA256
1cdca2d78597458423dae50d4c693e5d6fed8bd2ef0cc83f08e3dce36225bd92

SHA512
ac783fc437db544c6407da4e6bbf4619c5ad917bb1165ca2064305b015f292dba8edbf96ac298246cee3fe86f4b07a87c9808141a0a9e8d007d1d4483f872e20

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
MD5
6eab736495f914d3adffd4cf0a923d36

SHA1
96134248a09a77b7960bac38a441538a76ca5a7c

SHA256
1cdca2d78597458423dae50d4c693e5d6fed8bd2ef0cc83f08e3dce36225bd92

SHA512
ac783fc437db544c6407da4e6bbf4619c5ad917bb1165ca2064305b015f292dba8edbf96ac298246cee3fe86f4b07a87c9808141a0a9e8d007d1d4483f872e20

Download Submit
memory/1728-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads