darkcomet | 5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f

General

Target

5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
Size

860KB
MD5

092b49f0c3b6f861931daa51dee4407f
SHA1

9babf781166b9e361bf42c0ab68da61851e31dc3
SHA256

5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f
SHA512

fd72863c788e282c946ce94e8fa09985565e6e023ea9e0fb91d9ff2469a460ae43e95a61722410d00156e9e448603a494c4b0ad9bb503b72b6c18a52d3b35518
SSDEEP

12288:YLoHy90PuADQPt5tgo5y08XVFstOxfhquCaSX6eg0EkplAWL94IYtndeqgmk2Nm+:HygdMt+08KOhiCqlAWL9dWk+mj2jh

Score

10^/10

darkcomet modiloader persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe	modiloader_stage2
\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe	modiloader_stage2
\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

1960 svhost.exe

pid	process
1960	svhost.exe

Loads dropped DLL 3 IoCs

Processes:

5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exesvhost.exe

pid	process
1968	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
1968	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
1960	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svhost.exe

pid process

1960 svhost.exe

pid	process
1960	svhost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

svhost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1960	svhost.exe
Token: SeSecurityPrivilege	1960	svhost.exe
Token: SeTakeOwnershipPrivilege	1960	svhost.exe
Token: SeLoadDriverPrivilege	1960	svhost.exe
Token: SeSystemProfilePrivilege	1960	svhost.exe
Token: SeSystemtimePrivilege	1960	svhost.exe
Token: SeProfSingleProcessPrivilege	1960	svhost.exe
Token: SeIncBasePriorityPrivilege	1960	svhost.exe
Token: SeCreatePagefilePrivilege	1960	svhost.exe
Token: SeBackupPrivilege	1960	svhost.exe
Token: SeRestorePrivilege	1960	svhost.exe
Token: SeShutdownPrivilege	1960	svhost.exe
Token: SeDebugPrivilege	1960	svhost.exe
Token: SeSystemEnvironmentPrivilege	1960	svhost.exe
Token: SeChangeNotifyPrivilege	1960	svhost.exe
Token: SeRemoteShutdownPrivilege	1960	svhost.exe
Token: SeUndockPrivilege	1960	svhost.exe
Token: SeManageVolumePrivilege	1960	svhost.exe
Token: SeImpersonatePrivilege	1960	svhost.exe
Token: SeCreateGlobalPrivilege	1960	svhost.exe
Token: 33	1960	svhost.exe
Token: 34	1960	svhost.exe
Token: 35	1960	svhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svhost.exe

pid process

1960 svhost.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

svhost.exe

pid process

1960 svhost.exe

pid	process
1960	svhost.exe

pid	process
1960	svhost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exesvhost.exe

description	pid	process	target process
PID 1968 wrote to memory of 1960	1968	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe	svhost.exe
PID 1968 wrote to memory of 1960	1968	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe	svhost.exe
PID 1968 wrote to memory of 1960	1968	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe	svhost.exe
PID 1968 wrote to memory of 1960	1968	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe	svhost.exe
PID 1968 wrote to memory of 1960	1968	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe	svhost.exe
PID 1968 wrote to memory of 1960	1968	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe	svhost.exe
PID 1968 wrote to memory of 1960	1968	5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe	svhost.exe
PID 1960 wrote to memory of 1108	1960	svhost.exe	WScript.exe
PID 1960 wrote to memory of 1108	1960	svhost.exe	WScript.exe
PID 1960 wrote to memory of 1108	1960	svhost.exe	WScript.exe
PID 1960 wrote to memory of 1108	1960	svhost.exe	WScript.exe
PID 1960 wrote to memory of 1108	1960	svhost.exe	WScript.exe
PID 1960 wrote to memory of 1108	1960	svhost.exe	WScript.exe
PID 1960 wrote to memory of 1108	1960	svhost.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
"C:\Users\Admin\AppData\Local\Temp\5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp3.vbs"
3⤵
PID:1108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
Filesize
715KB

MD5
7e047d6b75ff28c0bfb5971ea11df4c8

SHA1
9bc13061ac2129117753781c7b31c67facae5d85

SHA256
11d52898b03a6a7d89b849121cc4ae4cfc5ac8f68f70b6bcff7a70f2c58ce8e3

SHA512
13d6777fa90c516a8d8f8e5c76e5e46192a82dc27470369fba2f2c538bc45609a1d089195578355061229761fddfb99add54817bdafd4850e22f3f41753ed224

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
Filesize
715KB

MD5
7e047d6b75ff28c0bfb5971ea11df4c8

SHA1
9bc13061ac2129117753781c7b31c67facae5d85

SHA256
11d52898b03a6a7d89b849121cc4ae4cfc5ac8f68f70b6bcff7a70f2c58ce8e3

SHA512
13d6777fa90c516a8d8f8e5c76e5e46192a82dc27470369fba2f2c538bc45609a1d089195578355061229761fddfb99add54817bdafd4850e22f3f41753ed224

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3.vbs
Filesize
351B

MD5
cbb9d404e8923607d52f5b72f0e6b08a

SHA1
e8823b0e7ec1665c6c80733c699f48c51a2b2c93

SHA256
ac68650090db47c13402db9b9233a25ac7cfc035e8400a8c4d4e6701a483f347

SHA512
f0ecc48bda1982dfc4dd2fc39ad7f5c0c1579f4babe76f30cf63e803601571a6fb4515f94d06bf935bb7a2c1fd17b9bf149d0a8925ec7caf20f5d8104a5117c7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
Filesize
715KB

MD5
7e047d6b75ff28c0bfb5971ea11df4c8

SHA1
9bc13061ac2129117753781c7b31c67facae5d85

SHA256
11d52898b03a6a7d89b849121cc4ae4cfc5ac8f68f70b6bcff7a70f2c58ce8e3

SHA512
13d6777fa90c516a8d8f8e5c76e5e46192a82dc27470369fba2f2c538bc45609a1d089195578355061229761fddfb99add54817bdafd4850e22f3f41753ed224

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
Filesize
715KB

MD5
7e047d6b75ff28c0bfb5971ea11df4c8

SHA1
9bc13061ac2129117753781c7b31c67facae5d85

SHA256
11d52898b03a6a7d89b849121cc4ae4cfc5ac8f68f70b6bcff7a70f2c58ce8e3

SHA512
13d6777fa90c516a8d8f8e5c76e5e46192a82dc27470369fba2f2c538bc45609a1d089195578355061229761fddfb99add54817bdafd4850e22f3f41753ed224

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
Filesize
715KB

MD5
7e047d6b75ff28c0bfb5971ea11df4c8

SHA1
9bc13061ac2129117753781c7b31c67facae5d85

SHA256
11d52898b03a6a7d89b849121cc4ae4cfc5ac8f68f70b6bcff7a70f2c58ce8e3

SHA512
13d6777fa90c516a8d8f8e5c76e5e46192a82dc27470369fba2f2c538bc45609a1d089195578355061229761fddfb99add54817bdafd4850e22f3f41753ed224

Download Submit
memory/1108-62-0x0000000000000000-mapping.dmp

Download
memory/1960-57-0x0000000000000000-mapping.dmp

Download
memory/1960-65-0x0000000000400000-0x0000000000569C24-memory.dmp

Filesize
1.4MB

Download
memory/1960-66-0x0000000000400000-0x0000000000569C24-memory.dmp

Filesize
1.4MB

Download
memory/1968-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads