darkcomet | 1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe
Size

658KB
MD5

1d2720fa9e1cfef3eb2be0786132ab7f
SHA1

c37c644f162ae96c4b3d5fef864d5d8961f8b61e
SHA256

1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c
SHA512

669d4e11c1ed8b6e83efaf4a656731c381bd0464dec279b029d6a65103ba5a94866a631197635dbe711bd4d799ae10fcfd53d1d0373f77ac9d0d557cffc9cdd9
SSDEEP

12288:JSqDkTWx75L04pwmLfM7I00I5imb1ov38yDvHWcLq/Awjn4o2cWq:TCWx77TEP5imRoE6Wc2/A73C

Score

10^/10

darkcomet fuckingrat persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

FUCKINGRAT

jack.redirectme.net:1604

Mutex

DCMIN_MUTEX-PHJQ3QW

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
vbg3YXMYJr5c
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\DCSCMIN\\IMDCSC.exe"	vbc.exe

Executes dropped EXE 2 IoCs

pid	Process
1720	IMDCSC.exe
1324	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c1.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1688-56-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1688-58-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1688-59-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1688-61-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1688-63-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1688-66-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1688-74-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c1.exe

Loads dropped DLL 3 IoCs

pid	Process
1688	vbc.exe
2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe
2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Windows\\system32\\DCSCMIN\\IMDCSC.exe"	vbc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DCSCMIN\IMDCSC.exe	vbc.exe
File created	C:\Windows\SysWOW64\DCSCMIN\IMDCSC.exe	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 1688	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1688	vbc.exe
Token: SeSecurityPrivilege	1688	vbc.exe
Token: SeTakeOwnershipPrivilege	1688	vbc.exe
Token: SeLoadDriverPrivilege	1688	vbc.exe
Token: SeSystemProfilePrivilege	1688	vbc.exe
Token: SeSystemtimePrivilege	1688	vbc.exe
Token: SeProfSingleProcessPrivilege	1688	vbc.exe
Token: SeIncBasePriorityPrivilege	1688	vbc.exe
Token: SeCreatePagefilePrivilege	1688	vbc.exe
Token: SeBackupPrivilege	1688	vbc.exe
Token: SeRestorePrivilege	1688	vbc.exe
Token: SeShutdownPrivilege	1688	vbc.exe
Token: SeDebugPrivilege	1688	vbc.exe
Token: SeSystemEnvironmentPrivilege	1688	vbc.exe
Token: SeChangeNotifyPrivilege	1688	vbc.exe
Token: SeRemoteShutdownPrivilege	1688	vbc.exe
Token: SeUndockPrivilege	1688	vbc.exe
Token: SeManageVolumePrivilege	1688	vbc.exe
Token: SeImpersonatePrivilege	1688	vbc.exe
Token: SeCreateGlobalPrivilege	1688	vbc.exe
Token: 33	1688	vbc.exe
Token: 34	1688	vbc.exe
Token: 35	1688	vbc.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1688	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	27
PID 2024 wrote to memory of 1688	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	27
PID 2024 wrote to memory of 1688	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	27
PID 2024 wrote to memory of 1688	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	27
PID 2024 wrote to memory of 1688	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	27
PID 2024 wrote to memory of 1688	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	27
PID 2024 wrote to memory of 1688	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	27
PID 2024 wrote to memory of 1688	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	27
PID 2024 wrote to memory of 584	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	28
PID 2024 wrote to memory of 584	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	28
PID 2024 wrote to memory of 584	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	28
PID 2024 wrote to memory of 584	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	28
PID 1688 wrote to memory of 1720	1688	vbc.exe	30
PID 1688 wrote to memory of 1720	1688	vbc.exe	30
PID 1688 wrote to memory of 1720	1688	vbc.exe	30
PID 1688 wrote to memory of 1720	1688	vbc.exe	30
PID 584 wrote to memory of 820	584	vbc.exe	32
PID 584 wrote to memory of 820	584	vbc.exe	32
PID 584 wrote to memory of 820	584	vbc.exe	32
PID 584 wrote to memory of 820	584	vbc.exe	32
PID 2024 wrote to memory of 1324	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	33
PID 2024 wrote to memory of 1324	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	33
PID 2024 wrote to memory of 1324	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	33
PID 2024 wrote to memory of 1324	2024	1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe	33

C:\Users\Admin\AppData\Local\Temp\1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe
"C:\Users\Admin\AppData\Local\Temp\1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\DCSCMIN\IMDCSC.exe
    "C:\Windows\system32\DCSCMIN\IMDCSC.exe"
    3⤵
    - Executes dropped EXE
    PID:1720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rrsd_xfs.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1048.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1037.tmp"
    3⤵
    PID:820
- C:\Users\Admin\AppData\Roaming\1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c1.exe
  "C:\Users\Admin\AppData\Roaming\1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c1.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1048.tmp

Filesize
1KB

MD5
01946201b0f826f07746c94febf3d0ba

SHA1
0a3305eb168d2ab2b6a8547e2876f4fb08e3ac32

SHA256
2637bf08c938f82d313709da1aef37301d3405be9c72c1219ce39b1c5cecd28a

SHA512
d1e52b9343c97cdf78e3f7de6731a7726f9ddee87c65ebbad33e1bf4c45998f5b3a5b67e4265ed86efe382d1938b95edf8dad895ba26ef972a17b4dffedc67d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrsd_xfs.0.vb

Filesize
417B

MD5
98478473a1897f832248bb29f0d9c191

SHA1
3bce401d89cb9fb41625f843cc54f71fc0c4b190

SHA256
88e149711a16e058d51502c2b2fc48dbbc39cd05c8e7e59b87977e33632a6740

SHA512
f9ad4c80f3ffc8c947af0eef483a4cbaddb07f32204dfb60108868ac3fb2e4b15351654dc9e1e5e43419d80d5b5d0abff69540e6566d1c18e66013847f420add

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrsd_xfs.cmdline

Filesize
253B

MD5
7cc290e67d6e84995df45dd706814b97

SHA1
9f412af5d56700d51eafecd8236e08a9d6665ee6

SHA256
9a53c971560ed6247d3a66aa58f12f6ec9252a39438ed7c3fe95b2b60b8975ae

SHA512
5e9a859dd2aae298fb2493e022494c8f7c92f9c02c5bd928fe46a5dc4775eb890aeec35b6563ae11e27c151ca82aac8f5c61c2fa1b77ebae7878cc05a0c05ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1037.tmp

Filesize
876B

MD5
b6d37280f69bb9bade8324c9e52e5ebc

SHA1
96993c01bf5e822f6399ad23f63ec461118883a0

SHA256
968c6b0b7475b6aaf3e229b5ae908a01db8aed91980f88dbbbbbfab2cbe2106d

SHA512
c31ba2721aaacf1b4bfdf437bd3c36c24413d28998c0cfa20996f469a1d971a357545aff38e20d83d27a51f08422fc7b7d999176d1352b8d00f492b51c81d612

Download Submit
C:\Users\Admin\AppData\Roaming\1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c.exe

Filesize
658KB

MD5
1d2720fa9e1cfef3eb2be0786132ab7f

SHA1
c37c644f162ae96c4b3d5fef864d5d8961f8b61e

SHA256
1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c

SHA512
669d4e11c1ed8b6e83efaf4a656731c381bd0464dec279b029d6a65103ba5a94866a631197635dbe711bd4d799ae10fcfd53d1d0373f77ac9d0d557cffc9cdd9

Download Submit
C:\Users\Admin\AppData\Roaming\1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c1.exe

Filesize
6KB

MD5
0429bb5bbf48f64783f4f0289f3db11d

SHA1
37c64835c0e35b9f55bf74f5b54f51ac56a0c1a0

SHA256
d7eb18a377c5e951fd439a29e4a9e70b9b6829c5899ac4a9d7bf62d52f651d4f

SHA512
9f5dd663e14260d36a9349b9d342bb00669c8431c17e379e2d737b2e312f13326e387cf66cd9205383b77978e08b503b370491f7c50d5843257378c3af321492

Download Submit
C:\Users\Admin\AppData\Roaming\1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c1.exe

Filesize
6KB

MD5
0429bb5bbf48f64783f4f0289f3db11d

SHA1
37c64835c0e35b9f55bf74f5b54f51ac56a0c1a0

SHA256
d7eb18a377c5e951fd439a29e4a9e70b9b6829c5899ac4a9d7bf62d52f651d4f

SHA512
9f5dd663e14260d36a9349b9d342bb00669c8431c17e379e2d737b2e312f13326e387cf66cd9205383b77978e08b503b370491f7c50d5843257378c3af321492

Download Submit
C:\Windows\SysWOW64\DCSCMIN\IMDCSC.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\DCSCMIN\IMDCSC.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Roaming\1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c1.exe

Filesize
6KB

MD5
0429bb5bbf48f64783f4f0289f3db11d

SHA1
37c64835c0e35b9f55bf74f5b54f51ac56a0c1a0

SHA256
d7eb18a377c5e951fd439a29e4a9e70b9b6829c5899ac4a9d7bf62d52f651d4f

SHA512
9f5dd663e14260d36a9349b9d342bb00669c8431c17e379e2d737b2e312f13326e387cf66cd9205383b77978e08b503b370491f7c50d5843257378c3af321492

Download Submit
\Users\Admin\AppData\Roaming\1456a7bc715b2b34298d14cc9a626dd568fb95fb5be0829ba1321ab9ee36de9c1.exe

Filesize
6KB

MD5
0429bb5bbf48f64783f4f0289f3db11d

SHA1
37c64835c0e35b9f55bf74f5b54f51ac56a0c1a0

SHA256
d7eb18a377c5e951fd439a29e4a9e70b9b6829c5899ac4a9d7bf62d52f651d4f

SHA512
9f5dd663e14260d36a9349b9d342bb00669c8431c17e379e2d737b2e312f13326e387cf66cd9205383b77978e08b503b370491f7c50d5843257378c3af321492

Download Submit
\Windows\SysWOW64\DCSCMIN\IMDCSC.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1324-85-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1688-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1688-59-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1688-58-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1688-61-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1688-66-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1688-56-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1688-55-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1688-63-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2024-73-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2024-84-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads