darkcomet | b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733

General

Target

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Size

659KB
MD5

ab9f0ba9e9a9f560b1a751753bbda072
SHA1

ab74ddcb47d0f2380f8d6f7033946a0efb57ef05
SHA256

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733
SHA512

86468ae3ea2011aa41ee195e4e3afb5775ddaf346987a9c799e61d5efbc9eea31aab442310417bbbbd1a31fe7cf93d49397ec8f85c732b920c110ad64556114c

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

dark666.ddns.net:4404

Mutex

DC_MUTEX-JEQGQ39

Attributes

InstallPath
MSDCSC\svchost.exe
gencode
sfuC1uourBRa
install
true
offline_keylogger
true
persistence
false
reg_key
svchost

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\svchost.exe"	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	svchost.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1820 svchost.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1640 attrib.exe
1304 attrib.exe

pid	process
1820	svchost.exe

pid	process
1640	attrib.exe
1304	attrib.exe

Loads dropped DLL 2 IoCs

Processes:

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe

pid	process
1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\svchost.exe"	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

1820 svchost.exe

pid	process
1820	svchost.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exesvchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeSecurityPrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeTakeOwnershipPrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeLoadDriverPrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeSystemProfilePrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeSystemtimePrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeProfSingleProcessPrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeIncBasePriorityPrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeCreatePagefilePrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeBackupPrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeRestorePrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeShutdownPrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeDebugPrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeSystemEnvironmentPrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeChangeNotifyPrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeRemoteShutdownPrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeUndockPrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeManageVolumePrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeImpersonatePrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeCreateGlobalPrivilege	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: 33	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: 34	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: 35	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
Token: SeIncreaseQuotaPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeTakeOwnershipPrivilege	1820	svchost.exe
Token: SeLoadDriverPrivilege	1820	svchost.exe
Token: SeSystemProfilePrivilege	1820	svchost.exe
Token: SeSystemtimePrivilege	1820	svchost.exe
Token: SeProfSingleProcessPrivilege	1820	svchost.exe
Token: SeIncBasePriorityPrivilege	1820	svchost.exe
Token: SeCreatePagefilePrivilege	1820	svchost.exe
Token: SeBackupPrivilege	1820	svchost.exe
Token: SeRestorePrivilege	1820	svchost.exe
Token: SeShutdownPrivilege	1820	svchost.exe
Token: SeDebugPrivilege	1820	svchost.exe
Token: SeSystemEnvironmentPrivilege	1820	svchost.exe
Token: SeChangeNotifyPrivilege	1820	svchost.exe
Token: SeRemoteShutdownPrivilege	1820	svchost.exe
Token: SeUndockPrivilege	1820	svchost.exe
Token: SeManageVolumePrivilege	1820	svchost.exe
Token: SeImpersonatePrivilege	1820	svchost.exe
Token: SeCreateGlobalPrivilege	1820	svchost.exe
Token: 33	1820	svchost.exe
Token: 34	1820	svchost.exe
Token: 35	1820	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

1820 svchost.exe

pid	process
1820	svchost.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 1480 wrote to memory of 1736	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	cmd.exe
PID 1480 wrote to memory of 1736	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	cmd.exe
PID 1480 wrote to memory of 1736	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	cmd.exe
PID 1480 wrote to memory of 1736	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	cmd.exe
PID 1480 wrote to memory of 900	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	cmd.exe
PID 1480 wrote to memory of 900	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	cmd.exe
PID 1480 wrote to memory of 900	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	cmd.exe
PID 1480 wrote to memory of 900	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	cmd.exe
PID 900 wrote to memory of 1304	900	cmd.exe	attrib.exe
PID 900 wrote to memory of 1304	900	cmd.exe	attrib.exe
PID 900 wrote to memory of 1304	900	cmd.exe	attrib.exe
PID 900 wrote to memory of 1304	900	cmd.exe	attrib.exe
PID 1736 wrote to memory of 1640	1736	cmd.exe	attrib.exe
PID 1736 wrote to memory of 1640	1736	cmd.exe	attrib.exe
PID 1736 wrote to memory of 1640	1736	cmd.exe	attrib.exe
PID 1736 wrote to memory of 1640	1736	cmd.exe	attrib.exe
PID 1480 wrote to memory of 1820	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	svchost.exe
PID 1480 wrote to memory of 1820	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	svchost.exe
PID 1480 wrote to memory of 1820	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	svchost.exe
PID 1480 wrote to memory of 1820	1480	b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe	svchost.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe
PID 1820 wrote to memory of 1828	1820	svchost.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1304 attrib.exe
1640 attrib.exe

pid	process
1304	attrib.exe
1640	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe
"C:\Users\Admin\AppData\Local\Temp\b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1304

C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe"
2⤵
- Modifies firewall policy service
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:1828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Hidden Files and Directories

2

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe
Filesize
659KB

MD5
ab9f0ba9e9a9f560b1a751753bbda072

SHA1
ab74ddcb47d0f2380f8d6f7033946a0efb57ef05

SHA256
b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733

SHA512
86468ae3ea2011aa41ee195e4e3afb5775ddaf346987a9c799e61d5efbc9eea31aab442310417bbbbd1a31fe7cf93d49397ec8f85c732b920c110ad64556114c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe
Filesize
659KB

MD5
ab9f0ba9e9a9f560b1a751753bbda072

SHA1
ab74ddcb47d0f2380f8d6f7033946a0efb57ef05

SHA256
b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733

SHA512
86468ae3ea2011aa41ee195e4e3afb5775ddaf346987a9c799e61d5efbc9eea31aab442310417bbbbd1a31fe7cf93d49397ec8f85c732b920c110ad64556114c

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe
Filesize
659KB

MD5
ab9f0ba9e9a9f560b1a751753bbda072

SHA1
ab74ddcb47d0f2380f8d6f7033946a0efb57ef05

SHA256
b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733

SHA512
86468ae3ea2011aa41ee195e4e3afb5775ddaf346987a9c799e61d5efbc9eea31aab442310417bbbbd1a31fe7cf93d49397ec8f85c732b920c110ad64556114c

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe
Filesize
659KB

MD5
ab9f0ba9e9a9f560b1a751753bbda072

SHA1
ab74ddcb47d0f2380f8d6f7033946a0efb57ef05

SHA256
b237e465f6be6ae68fb25474d514718ef29b59601651b19897370ce72ea0d733

SHA512
86468ae3ea2011aa41ee195e4e3afb5775ddaf346987a9c799e61d5efbc9eea31aab442310417bbbbd1a31fe7cf93d49397ec8f85c732b920c110ad64556114c

Download Submit
memory/900-56-0x0000000000000000-mapping.dmp

Download
memory/1304-57-0x0000000000000000-mapping.dmp

Download
memory/1480-54-0x0000000076311000-0x0000000076313000-memory.dmp

Filesize
8KB

Download
memory/1640-58-0x0000000000000000-mapping.dmp

Download
memory/1736-55-0x0000000000000000-mapping.dmp

Download
memory/1820-61-0x0000000000000000-mapping.dmp

Download
memory/1828-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads