darkcomet | dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26

General

Target

dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe
Size

1013KB
MD5

eebf02768297ef104a07d6bb59069f25
SHA1

fcfc068313e49d0643bd63e4b7e80412b0fc9772
SHA256

dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26
SHA512

925e6924999346f05fd0489defdc136cba638af3e7a05546555539c6ee95a45f224f77465374e1092973049fc300fac9a7fe5eeecb2020f9679afe2f3bd9c089
SSDEEP

24576:Vby5T5OBt/EmYDSD+CEOkLr15FlKXkKJED:VbWT5mEmULrGBKD

Score

10^/10

darkcomet ilikedicks rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

ilikedicks

C2

98.236.11.150:1604

Mutex

DCMIN_MUTEX-9TZK8AZ

Attributes

gencode
MReDlsnviHt7
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

required.exerequired.exe

pid process

2040 required.exe
580 required.exe

pid	process
2040	required.exe
580	required.exe

Drops startup file 1 IoCs

Processes:

dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Required.vbs	dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe

Loads dropped DLL 1 IoCs

Processes:

dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe

pid process

1120 dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

required.exe

description pid process target process

PID 2040 set thread context of 580 2040 required.exe required.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

required.exe

pid process

2040 required.exe
2040 required.exe

pid	process
1120	dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe

description	pid	process	target process
PID 2040 set thread context of 580	2040	required.exe	required.exe

pid	process
2040	required.exe
2040	required.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

required.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	580	required.exe
Token: SeSecurityPrivilege	580	required.exe
Token: SeTakeOwnershipPrivilege	580	required.exe
Token: SeLoadDriverPrivilege	580	required.exe
Token: SeSystemProfilePrivilege	580	required.exe
Token: SeSystemtimePrivilege	580	required.exe
Token: SeProfSingleProcessPrivilege	580	required.exe
Token: SeIncBasePriorityPrivilege	580	required.exe
Token: SeCreatePagefilePrivilege	580	required.exe
Token: SeBackupPrivilege	580	required.exe
Token: SeRestorePrivilege	580	required.exe
Token: SeShutdownPrivilege	580	required.exe
Token: SeDebugPrivilege	580	required.exe
Token: SeSystemEnvironmentPrivilege	580	required.exe
Token: SeChangeNotifyPrivilege	580	required.exe
Token: SeRemoteShutdownPrivilege	580	required.exe
Token: SeUndockPrivilege	580	required.exe
Token: SeManageVolumePrivilege	580	required.exe
Token: SeImpersonatePrivilege	580	required.exe
Token: SeCreateGlobalPrivilege	580	required.exe
Token: 33	580	required.exe
Token: 34	580	required.exe
Token: 35	580	required.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

required.exe

pid process

580 required.exe

pid	process
580	required.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exerequired.exe

description	pid	process	target process
PID 1120 wrote to memory of 2040	1120	dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe	required.exe
PID 1120 wrote to memory of 2040	1120	dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe	required.exe
PID 1120 wrote to memory of 2040	1120	dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe	required.exe
PID 1120 wrote to memory of 2040	1120	dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe	required.exe
PID 2040 wrote to memory of 580	2040	required.exe	required.exe
PID 2040 wrote to memory of 580	2040	required.exe	required.exe
PID 2040 wrote to memory of 580	2040	required.exe	required.exe
PID 2040 wrote to memory of 580	2040	required.exe	required.exe

C:\Users\Admin\AppData\Local\Temp\dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe
"C:\Users\Admin\AppData\Local\Temp\dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Roaming\dcpower\required.exe
"C:\Users\Admin\AppData\Roaming\dcpower\required.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Roaming\dcpower\required.exe
"C:\Users\Admin\AppData\Roaming\dcpower\required.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dcpower\required.exe

Filesize
1013KB

MD5
eebf02768297ef104a07d6bb59069f25

SHA1
fcfc068313e49d0643bd63e4b7e80412b0fc9772

SHA256
dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26

SHA512
925e6924999346f05fd0489defdc136cba638af3e7a05546555539c6ee95a45f224f77465374e1092973049fc300fac9a7fe5eeecb2020f9679afe2f3bd9c089

Download Submit
C:\Users\Admin\AppData\Roaming\dcpower\required.exe

Filesize
1013KB

MD5
eebf02768297ef104a07d6bb59069f25

SHA1
fcfc068313e49d0643bd63e4b7e80412b0fc9772

SHA256
dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26

SHA512
925e6924999346f05fd0489defdc136cba638af3e7a05546555539c6ee95a45f224f77465374e1092973049fc300fac9a7fe5eeecb2020f9679afe2f3bd9c089

Download Submit
C:\Users\Admin\AppData\Roaming\dcpower\required.exe

Filesize
1013KB

MD5
eebf02768297ef104a07d6bb59069f25

SHA1
fcfc068313e49d0643bd63e4b7e80412b0fc9772

SHA256
dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26

SHA512
925e6924999346f05fd0489defdc136cba638af3e7a05546555539c6ee95a45f224f77465374e1092973049fc300fac9a7fe5eeecb2020f9679afe2f3bd9c089

Download Submit
\Users\Admin\AppData\Roaming\dcpower\required.exe

Filesize
1013KB

MD5
eebf02768297ef104a07d6bb59069f25

SHA1
fcfc068313e49d0643bd63e4b7e80412b0fc9772

SHA256
dc63e0a0dc9d6d51546b0e58a0bb335088216892e23f1e47c709b3b9d223dd26

SHA512
925e6924999346f05fd0489defdc136cba638af3e7a05546555539c6ee95a45f224f77465374e1092973049fc300fac9a7fe5eeecb2020f9679afe2f3bd9c089

Download Submit
memory/580-59-0x000000000048F888-mapping.dmp

Download
memory/580-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/580-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1120-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/2040-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads