darkcomet | 1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63

General

Target

1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Size

602KB
MD5

52a4476a5e7378b7895f5bdfbdac6420
SHA1

89118b16270a4b2c492864a0f4094bbfb31b9c31
SHA256

1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63
SHA512

ef77cb5a774446fddc51109878539503be221025ce0e8cbb6558fe5e49abebc72df5a540b3cee1f061f0a5e668b0f075d52582fe31982d4f5cf6472cd9097528
SSDEEP

12288:cmVhP7JEbYEb1n4VjBokBoNliMyhwCXbnbqCkRxz3SaV/w:NhFaYEb1n4nPsliMyhwCfdkRJCa

Score

10^/10

darkcomet baby persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

baby

C2

msnworld.no-ip.biz:1604

Mutex

DC_MUTEX-NR5ATBE

Attributes

gencode
BdxrkC5bgRwY
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rX4Z04nM\\DvslGD3.exe,explorer.exe"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1752-62-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1752-64-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1752-65-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1752-68-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1752-70-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1752-73-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1752-74-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1752-76-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 1752	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeIncreaseQuotaPrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeSecurityPrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeTakeOwnershipPrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeLoadDriverPrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeSystemProfilePrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeSystemtimePrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeProfSingleProcessPrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeIncBasePriorityPrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeCreatePagefilePrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeBackupPrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeRestorePrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeShutdownPrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeDebugPrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeSystemEnvironmentPrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeChangeNotifyPrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeRemoteShutdownPrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeUndockPrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeManageVolumePrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeImpersonatePrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: SeCreateGlobalPrivilege	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: 33	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: 34	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
Token: 35	1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1964	AcroRd32.exe
1752	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
1964	AcroRd32.exe
1964	AcroRd32.exe
1964	AcroRd32.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1796	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	26
PID 1096 wrote to memory of 1796	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	26
PID 1096 wrote to memory of 1796	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	26
PID 1096 wrote to memory of 1796	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	26
PID 1796 wrote to memory of 1620	1796	cmd.exe	28
PID 1796 wrote to memory of 1620	1796	cmd.exe	28
PID 1796 wrote to memory of 1620	1796	cmd.exe	28
PID 1796 wrote to memory of 1620	1796	cmd.exe	28
PID 1096 wrote to memory of 1752	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	29
PID 1096 wrote to memory of 1752	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	29
PID 1096 wrote to memory of 1752	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	29
PID 1096 wrote to memory of 1752	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	29
PID 1096 wrote to memory of 1752	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	29
PID 1096 wrote to memory of 1752	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	29
PID 1096 wrote to memory of 1752	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	29
PID 1096 wrote to memory of 1752	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	29
PID 1096 wrote to memory of 1964	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	30
PID 1096 wrote to memory of 1964	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	30
PID 1096 wrote to memory of 1964	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	30
PID 1096 wrote to memory of 1964	1096	1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe	30

C:\Users\Admin\AppData\Local\Temp\1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
"C:\Users\Admin\AppData\Local\Temp\1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\rX4Z04nM\DvslGD3.exe,explorer.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\rX4Z04nM\DvslGD3.exe,explorer.exe"
    3⤵
    - Modifies WinLogon for persistence
    PID:1620
- C:\Users\Admin\AppData\Local\Temp\1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe
  "C:\Users\Admin\AppData\Local\Temp\1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1752
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\book_excerpt.pdf"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe

Filesize
602KB

MD5
52a4476a5e7378b7895f5bdfbdac6420

SHA1
89118b16270a4b2c492864a0f4094bbfb31b9c31

SHA256
1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63

SHA512
ef77cb5a774446fddc51109878539503be221025ce0e8cbb6558fe5e49abebc72df5a540b3cee1f061f0a5e668b0f075d52582fe31982d4f5cf6472cd9097528

Download Submit
C:\Users\Admin\AppData\Local\Temp\book_excerpt.pdf

Filesize
101KB

MD5
cb2ccd9e6ab64bd6ebf50bb8091ae260

SHA1
f6c5f29c285fea0571210e83d08452d85823ed61

SHA256
64f662d5e4d5aff30fb39bb156e64eaba458a50d50cf452b2ee1660042cb8a72

SHA512
167cb73f82c183efe1bda97569a87ac076c7c40ff502719e2277141b228df6e934a5da20abfe18b602bf71ffa20692eddc573a1553363603e9fb0836cd2d4c2b

Download Submit
\Users\Admin\AppData\Local\Temp\1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63.exe

Filesize
602KB

MD5
52a4476a5e7378b7895f5bdfbdac6420

SHA1
89118b16270a4b2c492864a0f4094bbfb31b9c31

SHA256
1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63

SHA512
ef77cb5a774446fddc51109878539503be221025ce0e8cbb6558fe5e49abebc72df5a540b3cee1f061f0a5e668b0f075d52582fe31982d4f5cf6472cd9097528

Download Submit
\Users\Admin\AppData\Local\Temp\rX4Z04nM\DvslGD3.exe

Filesize
602KB

MD5
52a4476a5e7378b7895f5bdfbdac6420

SHA1
89118b16270a4b2c492864a0f4094bbfb31b9c31

SHA256
1a7623337b1bcf0d422f88607b8b160bd0d43c4079c2985014d597e130dead63

SHA512
ef77cb5a774446fddc51109878539503be221025ce0e8cbb6558fe5e49abebc72df5a540b3cee1f061f0a5e668b0f075d52582fe31982d4f5cf6472cd9097528

Download Submit
memory/1096-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1096-55-0x0000000074C70000-0x000000007521B000-memory.dmp

Filesize
5.7MB

Download
memory/1096-56-0x0000000074C70000-0x000000007521B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-65-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1752-64-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1752-62-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1752-61-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1752-68-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1752-70-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1752-73-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1752-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1752-76-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing