darkcomet | d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4

General

Target

d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Size

658KB
MD5

c6e98794d2a7a96b58e6931af36bb2a5
SHA1

ee15ac66f20a5ffab46bcfbffcd6348514385970
SHA256

d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4
SHA512

a83da52e17d87fa840ad2f9fbabd21127262de18e8a799986078ca7c3355a55e8fa93c750b0795b547c15c4ce7724d3539869e91e4f4e91104970cf808503ada

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

192.168.137.154:1604

Mutex

DCMIN_MUTEX-2UDD0SF

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
wRAmEt6SW9Sa
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe

Executes dropped EXE 1 IoCs

Processes:

IMDCSC.exe

pid process

2276 IMDCSC.exe

pid	process
2276	IMDCSC.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exeIMDCSC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeSecurityPrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeTakeOwnershipPrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeLoadDriverPrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeSystemProfilePrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeSystemtimePrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeProfSingleProcessPrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeIncBasePriorityPrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeCreatePagefilePrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeBackupPrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeRestorePrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeShutdownPrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeDebugPrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeSystemEnvironmentPrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeChangeNotifyPrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeRemoteShutdownPrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeUndockPrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeManageVolumePrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeImpersonatePrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeCreateGlobalPrivilege	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: 33	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: 34	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: 35	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: 36	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
Token: SeIncreaseQuotaPrivilege	2276	IMDCSC.exe
Token: SeSecurityPrivilege	2276	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	2276	IMDCSC.exe
Token: SeLoadDriverPrivilege	2276	IMDCSC.exe
Token: SeSystemProfilePrivilege	2276	IMDCSC.exe
Token: SeSystemtimePrivilege	2276	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	2276	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	2276	IMDCSC.exe
Token: SeCreatePagefilePrivilege	2276	IMDCSC.exe
Token: SeBackupPrivilege	2276	IMDCSC.exe
Token: SeRestorePrivilege	2276	IMDCSC.exe
Token: SeShutdownPrivilege	2276	IMDCSC.exe
Token: SeDebugPrivilege	2276	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	2276	IMDCSC.exe
Token: SeChangeNotifyPrivilege	2276	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	2276	IMDCSC.exe
Token: SeUndockPrivilege	2276	IMDCSC.exe
Token: SeManageVolumePrivilege	2276	IMDCSC.exe
Token: SeImpersonatePrivilege	2276	IMDCSC.exe
Token: SeCreateGlobalPrivilege	2276	IMDCSC.exe
Token: 33	2276	IMDCSC.exe
Token: 34	2276	IMDCSC.exe
Token: 35	2276	IMDCSC.exe
Token: 36	2276	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMDCSC.exe

pid process

2276 IMDCSC.exe

pid	process
2276	IMDCSC.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe

description	pid	process	target process
PID 4328 wrote to memory of 2276	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe	IMDCSC.exe
PID 4328 wrote to memory of 2276	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe	IMDCSC.exe
PID 4328 wrote to memory of 2276	4328	d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe
"C:\Users\Admin\AppData\Local\Temp\d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
658KB

MD5
c6e98794d2a7a96b58e6931af36bb2a5

SHA1
ee15ac66f20a5ffab46bcfbffcd6348514385970

SHA256
d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4

SHA512
a83da52e17d87fa840ad2f9fbabd21127262de18e8a799986078ca7c3355a55e8fa93c750b0795b547c15c4ce7724d3539869e91e4f4e91104970cf808503ada

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
658KB

MD5
c6e98794d2a7a96b58e6931af36bb2a5

SHA1
ee15ac66f20a5ffab46bcfbffcd6348514385970

SHA256
d7d1c3306e39345ffbc2139666f1ad2493c5f44a2013568651a5a0b8794fdca4

SHA512
a83da52e17d87fa840ad2f9fbabd21127262de18e8a799986078ca7c3355a55e8fa93c750b0795b547c15c4ce7724d3539869e91e4f4e91104970cf808503ada

Download Submit
memory/2276-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads