darkcomet | adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5

Resubmissions

05/02/2025, 07:31

250205-jchtwaxrdr 10

05/02/2025, 07:08

250205-hypnwaxlbn 10

01/10/2022, 22:21

221001-194laabben 10

Analysis

max time kernel
132s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Size

912KB
MD5

76646fd5ea2d2751ac7b511e779a2bb0
SHA1

6fe54343774059ecd1514f64244ef1c716226764
SHA256

adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5
SHA512

0a680679f345f26e7054a28561043e882a94d4abaff107a129ea3650d241def6ace3e10f8f5743b653ed82582960ca5529c55949cc4684f1a5ac26b2ea305b19
SSDEEP

12288:YFWvfST6ZtZJYSgkNyevrtJNt4wShikgfEYq4wWz0hanJ8/75uKgu8QUjgmN:YKfSTwoSbMivwRhVtuAf8gmN

Score

10^/10

darkcomet opa persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

opa

192.168.178.12:1604

Mutex

DCMIN_MUTEX-210APDH

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
SDmbN4svJlrR
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe

Executes dropped EXE 3 IoCs

pid	Process
4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
4620	IMDCSC.exe
1092	IMDCSC.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3188 set thread context of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 4620 set thread context of 1092	4620	IMDCSC.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
4620	IMDCSC.exe
4620	IMDCSC.exe
4620	IMDCSC.exe
4620	IMDCSC.exe
4620	IMDCSC.exe
4620	IMDCSC.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeSecurityPrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeTakeOwnershipPrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeLoadDriverPrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeSystemProfilePrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeSystemtimePrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeProfSingleProcessPrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeIncBasePriorityPrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeCreatePagefilePrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeBackupPrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeRestorePrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeShutdownPrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeDebugPrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeSystemEnvironmentPrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeChangeNotifyPrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeRemoteShutdownPrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeUndockPrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeManageVolumePrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeImpersonatePrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeCreateGlobalPrivilege	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: 33	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: 34	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: 35	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: 36	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
Token: SeIncreaseQuotaPrivilege	1092	IMDCSC.exe
Token: SeSecurityPrivilege	1092	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	1092	IMDCSC.exe
Token: SeLoadDriverPrivilege	1092	IMDCSC.exe
Token: SeSystemProfilePrivilege	1092	IMDCSC.exe
Token: SeSystemtimePrivilege	1092	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	1092	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	1092	IMDCSC.exe
Token: SeCreatePagefilePrivilege	1092	IMDCSC.exe
Token: SeBackupPrivilege	1092	IMDCSC.exe
Token: SeRestorePrivilege	1092	IMDCSC.exe
Token: SeShutdownPrivilege	1092	IMDCSC.exe
Token: SeDebugPrivilege	1092	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	1092	IMDCSC.exe
Token: SeChangeNotifyPrivilege	1092	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	1092	IMDCSC.exe
Token: SeUndockPrivilege	1092	IMDCSC.exe
Token: SeManageVolumePrivilege	1092	IMDCSC.exe
Token: SeImpersonatePrivilege	1092	IMDCSC.exe
Token: SeCreateGlobalPrivilege	1092	IMDCSC.exe
Token: 33	1092	IMDCSC.exe
Token: 34	1092	IMDCSC.exe
Token: 35	1092	IMDCSC.exe
Token: 36	1092	IMDCSC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
4620	IMDCSC.exe
4620	IMDCSC.exe
1092	IMDCSC.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 2172	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	82
PID 3188 wrote to memory of 2172	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	82
PID 3188 wrote to memory of 2172	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	82
PID 3188 wrote to memory of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 3188 wrote to memory of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 3188 wrote to memory of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 3188 wrote to memory of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 3188 wrote to memory of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 3188 wrote to memory of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 3188 wrote to memory of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 3188 wrote to memory of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 3188 wrote to memory of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 3188 wrote to memory of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 3188 wrote to memory of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 3188 wrote to memory of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 3188 wrote to memory of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 3188 wrote to memory of 4980	3188	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	83
PID 2172 wrote to memory of 552	2172	cmd.exe	85
PID 2172 wrote to memory of 552	2172	cmd.exe	85
PID 2172 wrote to memory of 552	2172	cmd.exe	85
PID 552 wrote to memory of 2064	552	net.exe	86
PID 552 wrote to memory of 2064	552	net.exe	86
PID 552 wrote to memory of 2064	552	net.exe	86
PID 4980 wrote to memory of 4620	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	88
PID 4980 wrote to memory of 4620	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	88
PID 4980 wrote to memory of 4620	4980	adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe	88
PID 4620 wrote to memory of 740	4620	IMDCSC.exe	89
PID 4620 wrote to memory of 740	4620	IMDCSC.exe	89
PID 4620 wrote to memory of 740	4620	IMDCSC.exe	89
PID 4620 wrote to memory of 1092	4620	IMDCSC.exe	90
PID 4620 wrote to memory of 1092	4620	IMDCSC.exe	90
PID 4620 wrote to memory of 1092	4620	IMDCSC.exe	90
PID 4620 wrote to memory of 1092	4620	IMDCSC.exe	90
PID 4620 wrote to memory of 1092	4620	IMDCSC.exe	90
PID 4620 wrote to memory of 1092	4620	IMDCSC.exe	90
PID 4620 wrote to memory of 1092	4620	IMDCSC.exe	90
PID 4620 wrote to memory of 1092	4620	IMDCSC.exe	90
PID 4620 wrote to memory of 1092	4620	IMDCSC.exe	90
PID 4620 wrote to memory of 1092	4620	IMDCSC.exe	90
PID 4620 wrote to memory of 1092	4620	IMDCSC.exe	90
PID 4620 wrote to memory of 1092	4620	IMDCSC.exe	90
PID 4620 wrote to memory of 1092	4620	IMDCSC.exe	90
PID 4620 wrote to memory of 1092	4620	IMDCSC.exe	90
PID 740 wrote to memory of 2284	740	cmd.exe	92
PID 740 wrote to memory of 2284	740	cmd.exe	92
PID 740 wrote to memory of 2284	740	cmd.exe	92
PID 2284 wrote to memory of 3148	2284	net.exe	93
PID 2284 wrote to memory of 3148	2284	net.exe	93
PID 2284 wrote to memory of 3148	2284	net.exe	93

C:\Users\Admin\AppData\Local\Temp\adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
"C:\Users\Admin\AppData\Local\Temp\adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\SysWOW64\cmd.exe
  /c net stop MpsSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:2064
- C:\Users\Admin\AppData\Local\Temp\adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
  C:\Users\Admin\AppData\Local\Temp\adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
    "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      /c net stop MpsSvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\SysWOW64\net.exe
        
        net stop MpsSvc
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        6⤵
        
        PID:3148
  - - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5.exe

Filesize
912KB

MD5
76646fd5ea2d2751ac7b511e779a2bb0

SHA1
6fe54343774059ecd1514f64244ef1c716226764

SHA256
adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5

SHA512
0a680679f345f26e7054a28561043e882a94d4abaff107a129ea3650d241def6ace3e10f8f5743b653ed82582960ca5529c55949cc4684f1a5ac26b2ea305b19

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
912KB

MD5
76646fd5ea2d2751ac7b511e779a2bb0

SHA1
6fe54343774059ecd1514f64244ef1c716226764

SHA256
adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5

SHA512
0a680679f345f26e7054a28561043e882a94d4abaff107a129ea3650d241def6ace3e10f8f5743b653ed82582960ca5529c55949cc4684f1a5ac26b2ea305b19

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
912KB

MD5
76646fd5ea2d2751ac7b511e779a2bb0

SHA1
6fe54343774059ecd1514f64244ef1c716226764

SHA256
adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5

SHA512
0a680679f345f26e7054a28561043e882a94d4abaff107a129ea3650d241def6ace3e10f8f5743b653ed82582960ca5529c55949cc4684f1a5ac26b2ea305b19

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
912KB

MD5
76646fd5ea2d2751ac7b511e779a2bb0

SHA1
6fe54343774059ecd1514f64244ef1c716226764

SHA256
adca00db81cc70ecc929abd536fcf42b151ae31262161b0d45ccb1fe086efdc5

SHA512
0a680679f345f26e7054a28561043e882a94d4abaff107a129ea3650d241def6ace3e10f8f5743b653ed82582960ca5529c55949cc4684f1a5ac26b2ea305b19

Download Submit
memory/1092-153-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1092-150-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/3188-137-0x0000000000C50000-0x0000000000C54000-memory.dmp

Filesize
16KB

Download
memory/4980-134-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4980-141-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4980-138-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4980-136-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download