darkcomet | 53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Size

1.5MB
MD5

e3db605b6b773ae7ed7fe8596abae583
SHA1

2b573adfe3e3a2edc68936a3e864d7a9a909f12d
SHA256

53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f
SHA512

a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b
SSDEEP

24576:/RmJkcoQricOIQxiZY1iaE/IyPoXBInUZQEAb+owaADl3N4d3D40Vf7:UJZoQrbTFZY1iaeIJX+UZZE+fl36dMkT

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

verydark25.no-ip.biz:100

Mutex

DCMIN_MUTEX-QPZZXFD

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
0GZSgZY5XLqM
install
true
offline_keylogger
true
persistence
false
reg_key
Chrome Updater

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe

Executes dropped EXE 2 IoCs

Processes:

IMDCSC.exeIMDCSC.exe

pid process

580 IMDCSC.exe
1132 IMDCSC.exe

pid	process
580	IMDCSC.exe
1132	IMDCSC.exe

Loads dropped DLL 8 IoCs

Processes:

53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exeWerFault.exe

pid	process
984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
796	WerFault.exe
796	WerFault.exe
796	WerFault.exe
796	WerFault.exe
796	WerFault.exe
796	WerFault.exe
796	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Updater = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe

AutoIT Executable 11 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe

description	pid	process	target process
PID 2028 set thread context of 984	2028	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

796 580 WerFault.exe IMDCSC.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exeIMDCSC.exe

pid process

2028 53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
580 IMDCSC.exe

pid	pid_target	process	target process
796	580	WerFault.exe	IMDCSC.exe

pid	process
2028	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
580	IMDCSC.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeSecurityPrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeTakeOwnershipPrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeLoadDriverPrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeSystemProfilePrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeSystemtimePrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeProfSingleProcessPrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeIncBasePriorityPrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeCreatePagefilePrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeBackupPrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeRestorePrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeShutdownPrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeDebugPrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeSystemEnvironmentPrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeChangeNotifyPrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeRemoteShutdownPrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeUndockPrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeManageVolumePrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeImpersonatePrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: SeCreateGlobalPrivilege	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: 33	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: 34	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
Token: 35	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exeIMDCSC.exe

description	pid	process	target process
PID 2028 wrote to memory of 984	2028	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
PID 2028 wrote to memory of 984	2028	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
PID 2028 wrote to memory of 984	2028	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
PID 2028 wrote to memory of 984	2028	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
PID 2028 wrote to memory of 984	2028	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
PID 2028 wrote to memory of 984	2028	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
PID 984 wrote to memory of 580	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe	IMDCSC.exe
PID 984 wrote to memory of 580	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe	IMDCSC.exe
PID 984 wrote to memory of 580	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe	IMDCSC.exe
PID 984 wrote to memory of 580	984	53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe	IMDCSC.exe
PID 580 wrote to memory of 1132	580	IMDCSC.exe	IMDCSC.exe
PID 580 wrote to memory of 1132	580	IMDCSC.exe	IMDCSC.exe
PID 580 wrote to memory of 1132	580	IMDCSC.exe	IMDCSC.exe
PID 580 wrote to memory of 1132	580	IMDCSC.exe	IMDCSC.exe
PID 580 wrote to memory of 796	580	IMDCSC.exe	WerFault.exe
PID 580 wrote to memory of 796	580	IMDCSC.exe	WerFault.exe
PID 580 wrote to memory of 796	580	IMDCSC.exe	WerFault.exe
PID 580 wrote to memory of 796	580	IMDCSC.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
"C:\Users\Admin\AppData\Local\Temp\53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe
  "C:\Users\Admin\AppData\Local\Temp\53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
    "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
      4⤵
      Executes dropped EXE
      PID:1132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 376
      4⤵
      Loads dropped DLL
      Program crash
      PID:796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\res.ico

Filesize
658KB

MD5
7a8e6391b3e51fee6e948a2dd3de2d02

SHA1
74197e9352960c413be37f0054ca7b12daaccd9e

SHA256
377181bc23a28ceb109b6f652f9298af35a1ac8c8eccc432254e5ca8e56225b1

SHA512
78570fc030364ccef0a6530a56d7b1721ddca5197d6711a10f929f4405ecd63d08c7b4d1b56bd9bc4124a1db7ab847e0c4deacee30e582e1d7351ebc22f7b897

Download Submit
C:\Users\Admin\AppData\Local\Temp\res.ico2

Filesize
658KB

MD5
07c4d7f2b2cfa8ab7b39a250429bfa78

SHA1
dc0e4ca81efbef25aa53d08dbc7fd24008b790b9

SHA256
0076395fd58ddcfaa73dcce59a05eb3b45d7116f671f32b5077846bddf3c16b2

SHA512
2a806c450f58e3e583f956a0c4a756e71a87c9e6ebce12d9ff5fa01f5724ee5823f22183d73ca0cba5fed772139c576bdf883b237f3b8897fc5264cdc68aa005

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.5MB

MD5
e3db605b6b773ae7ed7fe8596abae583

SHA1
2b573adfe3e3a2edc68936a3e864d7a9a909f12d

SHA256
53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

SHA512
a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.5MB

MD5
e3db605b6b773ae7ed7fe8596abae583

SHA1
2b573adfe3e3a2edc68936a3e864d7a9a909f12d

SHA256
53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

SHA512
a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.5MB

MD5
e3db605b6b773ae7ed7fe8596abae583

SHA1
2b573adfe3e3a2edc68936a3e864d7a9a909f12d

SHA256
53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

SHA512
a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.5MB

MD5
e3db605b6b773ae7ed7fe8596abae583

SHA1
2b573adfe3e3a2edc68936a3e864d7a9a909f12d

SHA256
53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

SHA512
a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.5MB

MD5
e3db605b6b773ae7ed7fe8596abae583

SHA1
2b573adfe3e3a2edc68936a3e864d7a9a909f12d

SHA256
53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

SHA512
a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.5MB

MD5
e3db605b6b773ae7ed7fe8596abae583

SHA1
2b573adfe3e3a2edc68936a3e864d7a9a909f12d

SHA256
53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

SHA512
a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.5MB

MD5
e3db605b6b773ae7ed7fe8596abae583

SHA1
2b573adfe3e3a2edc68936a3e864d7a9a909f12d

SHA256
53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

SHA512
a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.5MB

MD5
e3db605b6b773ae7ed7fe8596abae583

SHA1
2b573adfe3e3a2edc68936a3e864d7a9a909f12d

SHA256
53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

SHA512
a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.5MB

MD5
e3db605b6b773ae7ed7fe8596abae583

SHA1
2b573adfe3e3a2edc68936a3e864d7a9a909f12d

SHA256
53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

SHA512
a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.5MB

MD5
e3db605b6b773ae7ed7fe8596abae583

SHA1
2b573adfe3e3a2edc68936a3e864d7a9a909f12d

SHA256
53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

SHA512
a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.5MB

MD5
e3db605b6b773ae7ed7fe8596abae583

SHA1
2b573adfe3e3a2edc68936a3e864d7a9a909f12d

SHA256
53c30ab677a3c5538043afa46faadecce838a183889ffdd17655676ef7e1176f

SHA512
a5b139462b64e1196045000efe64ad553d8ee3204b5da3f9b3e0df77bcec3b6253b5d169331338f009c8213023443453bb1a5f18417c47e5e179378a7bd2900b

Download Submit
memory/580-63-0x0000000000000000-mapping.dmp

Download
memory/796-71-0x0000000000000000-mapping.dmp

Download
memory/984-61-0x00000000000C0000-0x0000000000172000-memory.dmp

Filesize
712KB

Download
memory/984-67-0x00000000000C0000-0x0000000000172000-memory.dmp

Filesize
712KB

Download
memory/984-59-0x00000000000C0000-0x0000000000172000-memory.dmp

Filesize
712KB

Download
memory/984-58-0x000000000014F888-mapping.dmp

Download
memory/984-57-0x00000000000C0000-0x0000000000172000-memory.dmp

Filesize
712KB

Download
memory/984-55-0x00000000000C0000-0x0000000000172000-memory.dmp

Filesize
712KB

Download
memory/2028-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download