darkcomet | 707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02

Analysis

max time kernel
151s
max time network
192s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Size

661KB
MD5

081479fd083ec172e9a7c23caba03bb1
SHA1

e7cb1abdef3384ca5ac1a31c2c791a84304926e9
SHA256

707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02
SHA512

261cab6c1c3cdba1783b89a15c3b4c6e3e7bee8a4b129c9c9abf511d35f7f4658fea67a561ce775498a7a9df4311357670119ba67acc1f210830baf8c147a900
SSDEEP

12288:MXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UR:anAw2WWeFcfbP9VPSPMTSPL/rWvzq4Jh

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

shizzlekid.zapto.org:1919

Mutex

DC_MUTEX-NE6UK92

Attributes

InstallPath
MSDCSC\microsoft.exe
gencode
YcKFVzKEhbEr
install
true
offline_keylogger
true
persistence
false
reg_key
Microsoft

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\microsoft.exe"	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe

Executes dropped EXE 1 IoCs

pid	Process
1916	microsoft.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
808	attrib.exe

Loads dropped DLL 2 IoCs

pid	Process
976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\Documents\\MSDCSC\\microsoft.exe"	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1916	microsoft.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeSecurityPrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeTakeOwnershipPrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeLoadDriverPrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeSystemProfilePrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeSystemtimePrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeProfSingleProcessPrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeIncBasePriorityPrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeCreatePagefilePrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeBackupPrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeRestorePrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeShutdownPrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeDebugPrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeSystemEnvironmentPrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeChangeNotifyPrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeRemoteShutdownPrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeUndockPrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeManageVolumePrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeImpersonatePrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeCreateGlobalPrivilege	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: 33	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: 34	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: 35	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Token: SeIncreaseQuotaPrivilege	1916	microsoft.exe
Token: SeSecurityPrivilege	1916	microsoft.exe
Token: SeTakeOwnershipPrivilege	1916	microsoft.exe
Token: SeLoadDriverPrivilege	1916	microsoft.exe
Token: SeSystemProfilePrivilege	1916	microsoft.exe
Token: SeSystemtimePrivilege	1916	microsoft.exe
Token: SeProfSingleProcessPrivilege	1916	microsoft.exe
Token: SeIncBasePriorityPrivilege	1916	microsoft.exe
Token: SeCreatePagefilePrivilege	1916	microsoft.exe
Token: SeBackupPrivilege	1916	microsoft.exe
Token: SeRestorePrivilege	1916	microsoft.exe
Token: SeShutdownPrivilege	1916	microsoft.exe
Token: SeDebugPrivilege	1916	microsoft.exe
Token: SeSystemEnvironmentPrivilege	1916	microsoft.exe
Token: SeChangeNotifyPrivilege	1916	microsoft.exe
Token: SeRemoteShutdownPrivilege	1916	microsoft.exe
Token: SeUndockPrivilege	1916	microsoft.exe
Token: SeManageVolumePrivilege	1916	microsoft.exe
Token: SeImpersonatePrivilege	1916	microsoft.exe
Token: SeCreateGlobalPrivilege	1916	microsoft.exe
Token: 33	1916	microsoft.exe
Token: 34	1916	microsoft.exe
Token: 35	1916	microsoft.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1916	microsoft.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 1388	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe	27
PID 976 wrote to memory of 1388	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe	27
PID 976 wrote to memory of 1388	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe	27
PID 976 wrote to memory of 1388	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe	27
PID 1388 wrote to memory of 808	1388	cmd.exe	29
PID 1388 wrote to memory of 808	1388	cmd.exe	29
PID 1388 wrote to memory of 808	1388	cmd.exe	29
PID 1388 wrote to memory of 808	1388	cmd.exe	29
PID 976 wrote to memory of 1916	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe	30
PID 976 wrote to memory of 1916	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe	30
PID 976 wrote to memory of 1916	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe	30
PID 976 wrote to memory of 1916	976	707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe	30
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31
PID 1916 wrote to memory of 2024	1916	microsoft.exe	31

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
808	attrib.exe

C:\Users\Admin\AppData\Local\Temp\707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
"C:\Users\Admin\AppData\Local\Temp\707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:808
- C:\Users\Admin\Documents\MSDCSC\microsoft.exe
  "C:\Users\Admin\Documents\MSDCSC\microsoft.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\microsoft.exe

Filesize
661KB

MD5
081479fd083ec172e9a7c23caba03bb1

SHA1
e7cb1abdef3384ca5ac1a31c2c791a84304926e9

SHA256
707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02

SHA512
261cab6c1c3cdba1783b89a15c3b4c6e3e7bee8a4b129c9c9abf511d35f7f4658fea67a561ce775498a7a9df4311357670119ba67acc1f210830baf8c147a900

Download Submit
\Users\Admin\Documents\MSDCSC\microsoft.exe

Filesize
661KB

MD5
081479fd083ec172e9a7c23caba03bb1

SHA1
e7cb1abdef3384ca5ac1a31c2c791a84304926e9

SHA256
707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02

SHA512
261cab6c1c3cdba1783b89a15c3b4c6e3e7bee8a4b129c9c9abf511d35f7f4658fea67a561ce775498a7a9df4311357670119ba67acc1f210830baf8c147a900

Download Submit
\Users\Admin\Documents\MSDCSC\microsoft.exe

Filesize
661KB

MD5
081479fd083ec172e9a7c23caba03bb1

SHA1
e7cb1abdef3384ca5ac1a31c2c791a84304926e9

SHA256
707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02

SHA512
261cab6c1c3cdba1783b89a15c3b4c6e3e7bee8a4b129c9c9abf511d35f7f4658fea67a561ce775498a7a9df4311357670119ba67acc1f210830baf8c147a900

Download Submit
memory/976-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads