darkcomet | 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9

General

Target

5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Size

782KB
MD5

80b7945f8e8fcdd55b75e1473ea4427b
SHA1

7b233834a7fd5a1263fc354f7e8c2258f5a75e66
SHA256

5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9
SHA512

0f25181af50d9e7ddfcc734ed876447eeea0f5be4c1dc6fdcd097784673915ce3fb6830ba22a87fc50bff2711af1d3f03d56d2eb1c8c6b78cec5e4291671bc6c

Score

10^/10

darkcomet hacked persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Hacked

C2

185.24.233.5:2014

Mutex

DCMIN_MUTEX-FQ792JQ

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
z0xXl46NUTbS
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe

Executes dropped EXE 2 IoCs

Processes:

IMDCSC.exeIMDCSC.exe

pid process

1972 IMDCSC.exe
268 IMDCSC.exe

pid	process
1972	IMDCSC.exe
268	IMDCSC.exe

Loads dropped DLL 2 IoCs

Processes:

5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe

pid	process
2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exeIMDCSC.exe

description	pid	process	target process
PID 1652 set thread context of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1972 set thread context of 268	1972	IMDCSC.exe	IMDCSC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exeIMDCSC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeSecurityPrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeTakeOwnershipPrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeLoadDriverPrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeSystemProfilePrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeSystemtimePrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeProfSingleProcessPrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeIncBasePriorityPrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeCreatePagefilePrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeBackupPrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeRestorePrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeShutdownPrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeDebugPrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeSystemEnvironmentPrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeChangeNotifyPrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeRemoteShutdownPrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeUndockPrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeManageVolumePrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeImpersonatePrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeCreateGlobalPrivilege	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: 33	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: 34	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: 35	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
Token: SeIncreaseQuotaPrivilege	268	IMDCSC.exe
Token: SeSecurityPrivilege	268	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	268	IMDCSC.exe
Token: SeLoadDriverPrivilege	268	IMDCSC.exe
Token: SeSystemProfilePrivilege	268	IMDCSC.exe
Token: SeSystemtimePrivilege	268	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	268	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	268	IMDCSC.exe
Token: SeCreatePagefilePrivilege	268	IMDCSC.exe
Token: SeBackupPrivilege	268	IMDCSC.exe
Token: SeRestorePrivilege	268	IMDCSC.exe
Token: SeShutdownPrivilege	268	IMDCSC.exe
Token: SeDebugPrivilege	268	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	268	IMDCSC.exe
Token: SeChangeNotifyPrivilege	268	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	268	IMDCSC.exe
Token: SeUndockPrivilege	268	IMDCSC.exe
Token: SeManageVolumePrivilege	268	IMDCSC.exe
Token: SeImpersonatePrivilege	268	IMDCSC.exe
Token: SeCreateGlobalPrivilege	268	IMDCSC.exe
Token: 33	268	IMDCSC.exe
Token: 34	268	IMDCSC.exe
Token: 35	268	IMDCSC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exeIMDCSC.exeIMDCSC.exe

pid process

1652 5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
1972 IMDCSC.exe
268 IMDCSC.exe

pid	process
1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
1972	IMDCSC.exe
268	IMDCSC.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exeIMDCSC.exe

description	pid	process	target process
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 1652 wrote to memory of 2032	1652	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
PID 2032 wrote to memory of 1972	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	IMDCSC.exe
PID 2032 wrote to memory of 1972	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	IMDCSC.exe
PID 2032 wrote to memory of 1972	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	IMDCSC.exe
PID 2032 wrote to memory of 1972	2032	5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe
PID 1972 wrote to memory of 268	1972	IMDCSC.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
"C:\Users\Admin\AppData\Local\Temp\5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe
"C:\Users\Admin\AppData\Local\Temp\5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
782KB

MD5
80b7945f8e8fcdd55b75e1473ea4427b

SHA1
7b233834a7fd5a1263fc354f7e8c2258f5a75e66

SHA256
5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9

SHA512
0f25181af50d9e7ddfcc734ed876447eeea0f5be4c1dc6fdcd097784673915ce3fb6830ba22a87fc50bff2711af1d3f03d56d2eb1c8c6b78cec5e4291671bc6c

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
782KB

MD5
80b7945f8e8fcdd55b75e1473ea4427b

SHA1
7b233834a7fd5a1263fc354f7e8c2258f5a75e66

SHA256
5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9

SHA512
0f25181af50d9e7ddfcc734ed876447eeea0f5be4c1dc6fdcd097784673915ce3fb6830ba22a87fc50bff2711af1d3f03d56d2eb1c8c6b78cec5e4291671bc6c

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
782KB

MD5
80b7945f8e8fcdd55b75e1473ea4427b

SHA1
7b233834a7fd5a1263fc354f7e8c2258f5a75e66

SHA256
5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9

SHA512
0f25181af50d9e7ddfcc734ed876447eeea0f5be4c1dc6fdcd097784673915ce3fb6830ba22a87fc50bff2711af1d3f03d56d2eb1c8c6b78cec5e4291671bc6c

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
782KB

MD5
80b7945f8e8fcdd55b75e1473ea4427b

SHA1
7b233834a7fd5a1263fc354f7e8c2258f5a75e66

SHA256
5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9

SHA512
0f25181af50d9e7ddfcc734ed876447eeea0f5be4c1dc6fdcd097784673915ce3fb6830ba22a87fc50bff2711af1d3f03d56d2eb1c8c6b78cec5e4291671bc6c

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
782KB

MD5
80b7945f8e8fcdd55b75e1473ea4427b

SHA1
7b233834a7fd5a1263fc354f7e8c2258f5a75e66

SHA256
5d9c62bdcbf7ef67f96af6286601d2a37c04912e7461cc3e00522c1c812e24d9

SHA512
0f25181af50d9e7ddfcc734ed876447eeea0f5be4c1dc6fdcd097784673915ce3fb6830ba22a87fc50bff2711af1d3f03d56d2eb1c8c6b78cec5e4291671bc6c

Download Submit
memory/268-80-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/268-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/268-73-0x000000000048F888-mapping.dmp

Download
memory/1652-61-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1652-56-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1972-66-0x0000000000000000-mapping.dmp

Download
memory/1972-70-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1972-76-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2032-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2032-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2032-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2032-60-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/2032-58-0x000000000048F888-mapping.dmp

Download
memory/2032-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads