darkcomet | 5537299b16dea72f79f1700864a97cfc12bc7a1cf02faeb083fb8cf76a1beaaf

Analysis

max time kernel
142s
max time network
144s
platform
windows7_x64
resource
win7v20201028
submitted
16-12-2020 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lenovo_sistem_bilgileri.sfx.exe
Size

690KB
MD5

46c1ca9ea33fc2ea90f6b9fee8a6dd76
SHA1

db41c5acb4e44895176d2e1f844d5b400592a1bc
SHA256

5537299b16dea72f79f1700864a97cfc12bc7a1cf02faeb083fb8cf76a1beaaf
SHA512

046ee4fea95cfed7b4f2f392e50122f376b7505603aaf0345c8f843dfd4eaa8c742382d9220a0a422ea8091f4b6318cb8e16ae5d00d6beb3e508fccfba867ebe

Score

10^/10

darkcomet �lk kurban persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

�LK KURBAN

erenbey.duckdns.org:1604

Mutex

DCMIN_MUTEX-TDLEW50

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
CkJypkKdCu96
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

lenovo_sistem_bilgileri.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	lenovo_sistem_bilgileri.exe

Executes dropped EXE 2 IoCs

Processes:

lenovo_sistem_bilgileri.exeIMDCSC.exe

pid process

1268 lenovo_sistem_bilgileri.exe
1616 IMDCSC.exe

pid	process
1268	lenovo_sistem_bilgileri.exe
1616	IMDCSC.exe

Loads dropped DLL 7 IoCs

Processes:

lenovo_sistem_bilgileri.sfx.exelenovo_sistem_bilgileri.exe

pid	process
1640	lenovo_sistem_bilgileri.sfx.exe
1640	lenovo_sistem_bilgileri.sfx.exe
1640	lenovo_sistem_bilgileri.sfx.exe
1640	lenovo_sistem_bilgileri.sfx.exe
1640	lenovo_sistem_bilgileri.sfx.exe
1268	lenovo_sistem_bilgileri.exe
1268	lenovo_sistem_bilgileri.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lenovo_sistem_bilgileri.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	lenovo_sistem_bilgileri.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

lenovo_sistem_bilgileri.exeIMDCSC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeSecurityPrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeTakeOwnershipPrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeLoadDriverPrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeSystemProfilePrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeSystemtimePrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeProfSingleProcessPrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeIncBasePriorityPrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeCreatePagefilePrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeBackupPrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeRestorePrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeShutdownPrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeDebugPrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeSystemEnvironmentPrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeChangeNotifyPrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeRemoteShutdownPrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeUndockPrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeManageVolumePrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeImpersonatePrivilege	1268	lenovo_sistem_bilgileri.exe
Token: SeCreateGlobalPrivilege	1268	lenovo_sistem_bilgileri.exe
Token: 33	1268	lenovo_sistem_bilgileri.exe
Token: 34	1268	lenovo_sistem_bilgileri.exe
Token: 35	1268	lenovo_sistem_bilgileri.exe
Token: SeIncreaseQuotaPrivilege	1616	IMDCSC.exe
Token: SeSecurityPrivilege	1616	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	1616	IMDCSC.exe
Token: SeLoadDriverPrivilege	1616	IMDCSC.exe
Token: SeSystemProfilePrivilege	1616	IMDCSC.exe
Token: SeSystemtimePrivilege	1616	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	1616	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	1616	IMDCSC.exe
Token: SeCreatePagefilePrivilege	1616	IMDCSC.exe
Token: SeBackupPrivilege	1616	IMDCSC.exe
Token: SeRestorePrivilege	1616	IMDCSC.exe
Token: SeShutdownPrivilege	1616	IMDCSC.exe
Token: SeDebugPrivilege	1616	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	1616	IMDCSC.exe
Token: SeChangeNotifyPrivilege	1616	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	1616	IMDCSC.exe
Token: SeUndockPrivilege	1616	IMDCSC.exe
Token: SeManageVolumePrivilege	1616	IMDCSC.exe
Token: SeImpersonatePrivilege	1616	IMDCSC.exe
Token: SeCreateGlobalPrivilege	1616	IMDCSC.exe
Token: 33	1616	IMDCSC.exe
Token: 34	1616	IMDCSC.exe
Token: 35	1616	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMDCSC.exe

pid process

1616 IMDCSC.exe

pid	process
1616	IMDCSC.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

lenovo_sistem_bilgileri.sfx.exelenovo_sistem_bilgileri.exe

description	pid	process	target process
PID 1640 wrote to memory of 1268	1640	lenovo_sistem_bilgileri.sfx.exe	lenovo_sistem_bilgileri.exe
PID 1640 wrote to memory of 1268	1640	lenovo_sistem_bilgileri.sfx.exe	lenovo_sistem_bilgileri.exe
PID 1640 wrote to memory of 1268	1640	lenovo_sistem_bilgileri.sfx.exe	lenovo_sistem_bilgileri.exe
PID 1640 wrote to memory of 1268	1640	lenovo_sistem_bilgileri.sfx.exe	lenovo_sistem_bilgileri.exe
PID 1640 wrote to memory of 1268	1640	lenovo_sistem_bilgileri.sfx.exe	lenovo_sistem_bilgileri.exe
PID 1640 wrote to memory of 1268	1640	lenovo_sistem_bilgileri.sfx.exe	lenovo_sistem_bilgileri.exe
PID 1640 wrote to memory of 1268	1640	lenovo_sistem_bilgileri.sfx.exe	lenovo_sistem_bilgileri.exe
PID 1268 wrote to memory of 1616	1268	lenovo_sistem_bilgileri.exe	IMDCSC.exe
PID 1268 wrote to memory of 1616	1268	lenovo_sistem_bilgileri.exe	IMDCSC.exe
PID 1268 wrote to memory of 1616	1268	lenovo_sistem_bilgileri.exe	IMDCSC.exe
PID 1268 wrote to memory of 1616	1268	lenovo_sistem_bilgileri.exe	IMDCSC.exe
PID 1268 wrote to memory of 1616	1268	lenovo_sistem_bilgileri.exe	IMDCSC.exe
PID 1268 wrote to memory of 1616	1268	lenovo_sistem_bilgileri.exe	IMDCSC.exe
PID 1268 wrote to memory of 1616	1268	lenovo_sistem_bilgileri.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.sfx.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.exe
"C:\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.exe
MD5
6aa20f1b32d6f6739c8ac9cf065aca06

SHA1
d5616dbe1f62bf13a7be036660b6bfcfd0208841

SHA256
01ed164e4173d301e3cbc2573f158473560f48e88f728e21b17f123aac67186f

SHA512
3bfdb7d4945eb07183ccb329cce50fd73006e0614e2deec52e845c58835f1e8d0813a843be077704bb56f4afbc682c86484b2d047c92a677c3d30dae0d9adcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.exe
MD5
6aa20f1b32d6f6739c8ac9cf065aca06

SHA1
d5616dbe1f62bf13a7be036660b6bfcfd0208841

SHA256
01ed164e4173d301e3cbc2573f158473560f48e88f728e21b17f123aac67186f

SHA512
3bfdb7d4945eb07183ccb329cce50fd73006e0614e2deec52e845c58835f1e8d0813a843be077704bb56f4afbc682c86484b2d047c92a677c3d30dae0d9adcfb

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
MD5
6aa20f1b32d6f6739c8ac9cf065aca06

SHA1
d5616dbe1f62bf13a7be036660b6bfcfd0208841

SHA256
01ed164e4173d301e3cbc2573f158473560f48e88f728e21b17f123aac67186f

SHA512
3bfdb7d4945eb07183ccb329cce50fd73006e0614e2deec52e845c58835f1e8d0813a843be077704bb56f4afbc682c86484b2d047c92a677c3d30dae0d9adcfb

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
MD5
6aa20f1b32d6f6739c8ac9cf065aca06

SHA1
d5616dbe1f62bf13a7be036660b6bfcfd0208841

SHA256
01ed164e4173d301e3cbc2573f158473560f48e88f728e21b17f123aac67186f

SHA512
3bfdb7d4945eb07183ccb329cce50fd73006e0614e2deec52e845c58835f1e8d0813a843be077704bb56f4afbc682c86484b2d047c92a677c3d30dae0d9adcfb

Download Submit
\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.exe
MD5
6aa20f1b32d6f6739c8ac9cf065aca06

SHA1
d5616dbe1f62bf13a7be036660b6bfcfd0208841

SHA256
01ed164e4173d301e3cbc2573f158473560f48e88f728e21b17f123aac67186f

SHA512
3bfdb7d4945eb07183ccb329cce50fd73006e0614e2deec52e845c58835f1e8d0813a843be077704bb56f4afbc682c86484b2d047c92a677c3d30dae0d9adcfb

Download Submit
\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.exe
MD5
6aa20f1b32d6f6739c8ac9cf065aca06

SHA1
d5616dbe1f62bf13a7be036660b6bfcfd0208841

SHA256
01ed164e4173d301e3cbc2573f158473560f48e88f728e21b17f123aac67186f

SHA512
3bfdb7d4945eb07183ccb329cce50fd73006e0614e2deec52e845c58835f1e8d0813a843be077704bb56f4afbc682c86484b2d047c92a677c3d30dae0d9adcfb

Download Submit
\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.exe
MD5
6aa20f1b32d6f6739c8ac9cf065aca06

SHA1
d5616dbe1f62bf13a7be036660b6bfcfd0208841

SHA256
01ed164e4173d301e3cbc2573f158473560f48e88f728e21b17f123aac67186f

SHA512
3bfdb7d4945eb07183ccb329cce50fd73006e0614e2deec52e845c58835f1e8d0813a843be077704bb56f4afbc682c86484b2d047c92a677c3d30dae0d9adcfb

Download Submit
\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.exe
MD5
6aa20f1b32d6f6739c8ac9cf065aca06

SHA1
d5616dbe1f62bf13a7be036660b6bfcfd0208841

SHA256
01ed164e4173d301e3cbc2573f158473560f48e88f728e21b17f123aac67186f

SHA512
3bfdb7d4945eb07183ccb329cce50fd73006e0614e2deec52e845c58835f1e8d0813a843be077704bb56f4afbc682c86484b2d047c92a677c3d30dae0d9adcfb

Download Submit
\Users\Admin\AppData\Local\Temp\lenovo_sistem_bilgileri.exe
MD5
6aa20f1b32d6f6739c8ac9cf065aca06

SHA1
d5616dbe1f62bf13a7be036660b6bfcfd0208841

SHA256
01ed164e4173d301e3cbc2573f158473560f48e88f728e21b17f123aac67186f

SHA512
3bfdb7d4945eb07183ccb329cce50fd73006e0614e2deec52e845c58835f1e8d0813a843be077704bb56f4afbc682c86484b2d047c92a677c3d30dae0d9adcfb

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
MD5
6aa20f1b32d6f6739c8ac9cf065aca06

SHA1
d5616dbe1f62bf13a7be036660b6bfcfd0208841

SHA256
01ed164e4173d301e3cbc2573f158473560f48e88f728e21b17f123aac67186f

SHA512
3bfdb7d4945eb07183ccb329cce50fd73006e0614e2deec52e845c58835f1e8d0813a843be077704bb56f4afbc682c86484b2d047c92a677c3d30dae0d9adcfb

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
MD5
6aa20f1b32d6f6739c8ac9cf065aca06

SHA1
d5616dbe1f62bf13a7be036660b6bfcfd0208841

SHA256
01ed164e4173d301e3cbc2573f158473560f48e88f728e21b17f123aac67186f

SHA512
3bfdb7d4945eb07183ccb329cce50fd73006e0614e2deec52e845c58835f1e8d0813a843be077704bb56f4afbc682c86484b2d047c92a677c3d30dae0d9adcfb

Download Submit
memory/1268-7-0x0000000000000000-mapping.dmp

Download
memory/1616-12-0x0000000000000000-mapping.dmp

Download