darkcomet | 894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523

General

Target

894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Size

1.4MB
MD5

60a9c28e01b11254b21a765021a5c047
SHA1

6b070320d8fd5f062884ff97d6fa0914c25ca497
SHA256

894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523
SHA512

65b1d35ee737fb86f61632ec9411927cd693ea74d51aa3db2aa2048ec9924ca96d2c4f58f86c79b8a309a3345ab251c8c26ae37473ae9636ba52488c97cc9be9
SSDEEP

12288:EmG3KzGqLHIZ9wivE7hBeZ7AJhVGAQhHPq3Ycat4WUujROpDdn6mh/k+lNhI2r:bG65IZ9wivgBetuGAQhvcWLgCmFkcLr

Score

10^/10

darkcomet wire persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

WIRE

C2

munachim.linkpc.net:1605

Mutex

DCMIN_MUTEX-MSP77U0

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
mor58pndC03T
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe

Executes dropped EXE 2 IoCs

Processes:

IMDCSC.exeIMDCSC.exe

pid process

2008 IMDCSC.exe
4940 IMDCSC.exe

pid	process
2008	IMDCSC.exe
4940	IMDCSC.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exeIMDCSC.exe

description	pid	process	target process
PID 4532 set thread context of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 2008 set thread context of 4940	2008	IMDCSC.exe	IMDCSC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exeIMDCSC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeSecurityPrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeTakeOwnershipPrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeLoadDriverPrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeSystemProfilePrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeSystemtimePrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeProfSingleProcessPrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeIncBasePriorityPrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeCreatePagefilePrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeBackupPrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeRestorePrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeShutdownPrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeDebugPrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeSystemEnvironmentPrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeChangeNotifyPrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeRemoteShutdownPrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeUndockPrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeManageVolumePrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeImpersonatePrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeCreateGlobalPrivilege	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: 33	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: 34	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: 35	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: 36	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
Token: SeIncreaseQuotaPrivilege	4940	IMDCSC.exe
Token: SeSecurityPrivilege	4940	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	4940	IMDCSC.exe
Token: SeLoadDriverPrivilege	4940	IMDCSC.exe
Token: SeSystemProfilePrivilege	4940	IMDCSC.exe
Token: SeSystemtimePrivilege	4940	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	4940	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	4940	IMDCSC.exe
Token: SeCreatePagefilePrivilege	4940	IMDCSC.exe
Token: SeBackupPrivilege	4940	IMDCSC.exe
Token: SeRestorePrivilege	4940	IMDCSC.exe
Token: SeShutdownPrivilege	4940	IMDCSC.exe
Token: SeDebugPrivilege	4940	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	4940	IMDCSC.exe
Token: SeChangeNotifyPrivilege	4940	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	4940	IMDCSC.exe
Token: SeUndockPrivilege	4940	IMDCSC.exe
Token: SeManageVolumePrivilege	4940	IMDCSC.exe
Token: SeImpersonatePrivilege	4940	IMDCSC.exe
Token: SeCreateGlobalPrivilege	4940	IMDCSC.exe
Token: 33	4940	IMDCSC.exe
Token: 34	4940	IMDCSC.exe
Token: 35	4940	IMDCSC.exe
Token: 36	4940	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMDCSC.exe

pid process

4940 IMDCSC.exe

pid	process
4940	IMDCSC.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exeIMDCSC.exe

description	pid	process	target process
PID 4532 wrote to memory of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 4532 wrote to memory of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 4532 wrote to memory of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 4532 wrote to memory of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 4532 wrote to memory of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 4532 wrote to memory of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 4532 wrote to memory of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 4532 wrote to memory of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 4532 wrote to memory of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 4532 wrote to memory of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 4532 wrote to memory of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 4532 wrote to memory of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 4532 wrote to memory of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 4532 wrote to memory of 1672	4532	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
PID 1672 wrote to memory of 2008	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	IMDCSC.exe
PID 1672 wrote to memory of 2008	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	IMDCSC.exe
PID 1672 wrote to memory of 2008	1672	894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe	IMDCSC.exe
PID 2008 wrote to memory of 4940	2008	IMDCSC.exe	IMDCSC.exe
PID 2008 wrote to memory of 4940	2008	IMDCSC.exe	IMDCSC.exe
PID 2008 wrote to memory of 4940	2008	IMDCSC.exe	IMDCSC.exe
PID 2008 wrote to memory of 4940	2008	IMDCSC.exe	IMDCSC.exe
PID 2008 wrote to memory of 4940	2008	IMDCSC.exe	IMDCSC.exe
PID 2008 wrote to memory of 4940	2008	IMDCSC.exe	IMDCSC.exe
PID 2008 wrote to memory of 4940	2008	IMDCSC.exe	IMDCSC.exe
PID 2008 wrote to memory of 4940	2008	IMDCSC.exe	IMDCSC.exe
PID 2008 wrote to memory of 4940	2008	IMDCSC.exe	IMDCSC.exe
PID 2008 wrote to memory of 4940	2008	IMDCSC.exe	IMDCSC.exe
PID 2008 wrote to memory of 4940	2008	IMDCSC.exe	IMDCSC.exe
PID 2008 wrote to memory of 4940	2008	IMDCSC.exe	IMDCSC.exe
PID 2008 wrote to memory of 4940	2008	IMDCSC.exe	IMDCSC.exe
PID 2008 wrote to memory of 4940	2008	IMDCSC.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
"C:\Users\Admin\AppData\Local\Temp\894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe
"C:\Users\Admin\AppData\Local\Temp\894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.4MB

MD5
60a9c28e01b11254b21a765021a5c047

SHA1
6b070320d8fd5f062884ff97d6fa0914c25ca497

SHA256
894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523

SHA512
65b1d35ee737fb86f61632ec9411927cd693ea74d51aa3db2aa2048ec9924ca96d2c4f58f86c79b8a309a3345ab251c8c26ae37473ae9636ba52488c97cc9be9

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.4MB

MD5
60a9c28e01b11254b21a765021a5c047

SHA1
6b070320d8fd5f062884ff97d6fa0914c25ca497

SHA256
894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523

SHA512
65b1d35ee737fb86f61632ec9411927cd693ea74d51aa3db2aa2048ec9924ca96d2c4f58f86c79b8a309a3345ab251c8c26ae37473ae9636ba52488c97cc9be9

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
1.4MB

MD5
60a9c28e01b11254b21a765021a5c047

SHA1
6b070320d8fd5f062884ff97d6fa0914c25ca497

SHA256
894e3644929bec7530458bf5e71b3d4fc1f2cae8fa9ea17880644c9a8b09a523

SHA512
65b1d35ee737fb86f61632ec9411927cd693ea74d51aa3db2aa2048ec9924ca96d2c4f58f86c79b8a309a3345ab251c8c26ae37473ae9636ba52488c97cc9be9

Download Submit
memory/1672-135-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1672-137-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1672-134-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1672-133-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1672-132-0x0000000000000000-mapping.dmp

Download
memory/2008-136-0x0000000000000000-mapping.dmp

Download
memory/4940-140-0x0000000000000000-mapping.dmp

Download
memory/4940-144-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4940-145-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4940-146-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads