darkcomet | 7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b

General

Target

7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe
Size

1.7MB
MD5

4d1ae7a48b2d7d91f73660ff0e674e28
SHA1

6e19115fec75bd5ea27d40a9c05158975c91d276
SHA256

7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b
SHA512

ce03d22a14e83a3c5aac63c4823ec3b2f6e7c5ef24fefcd3a21edfb785db3ce3ec207dffa0478292581f42e6cc4c03fcb0457bd6c3b9b6006bb0f1c0870d7943
SSDEEP

49152:Kkwkn9IMHea+Wbpq0aPCS+88RQUF0sQEEfGTeB:ZdnVWWbgLPCEJlNnGeB

Score

10^/10

darkcomet 3009 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

3009

C2

31.34.123.97:1604

Mutex

DC_MUTEX-AG0Z6VK

Attributes

InstallPath
My picture\windll.exe
gencode
KzwgPdBPhgWX
install
true
offline_keylogger
true
persistence
true
reg_key
svchost

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

notepad.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\My picture\\windll.exe"	notepad.exe

Executes dropped EXE 1 IoCs

Processes:

windll.exe

pid process

4708 windll.exe

pid	process
4708	windll.exe

Drops startup file 1 IoCs

Processes:

7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe.lnk	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

notepad.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\Documents\\My picture\\windll.exe"	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe

description	pid	process	target process
PID 4700 set thread context of 3380	4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe	notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

notepad.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ notepad.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	notepad.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

notepad.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3380	notepad.exe
Token: SeSecurityPrivilege	3380	notepad.exe
Token: SeTakeOwnershipPrivilege	3380	notepad.exe
Token: SeLoadDriverPrivilege	3380	notepad.exe
Token: SeSystemProfilePrivilege	3380	notepad.exe
Token: SeSystemtimePrivilege	3380	notepad.exe
Token: SeProfSingleProcessPrivilege	3380	notepad.exe
Token: SeIncBasePriorityPrivilege	3380	notepad.exe
Token: SeCreatePagefilePrivilege	3380	notepad.exe
Token: SeBackupPrivilege	3380	notepad.exe
Token: SeRestorePrivilege	3380	notepad.exe
Token: SeShutdownPrivilege	3380	notepad.exe
Token: SeDebugPrivilege	3380	notepad.exe
Token: SeSystemEnvironmentPrivilege	3380	notepad.exe
Token: SeChangeNotifyPrivilege	3380	notepad.exe
Token: SeRemoteShutdownPrivilege	3380	notepad.exe
Token: SeUndockPrivilege	3380	notepad.exe
Token: SeManageVolumePrivilege	3380	notepad.exe
Token: SeImpersonatePrivilege	3380	notepad.exe
Token: SeCreateGlobalPrivilege	3380	notepad.exe
Token: 33	3380	notepad.exe
Token: 34	3380	notepad.exe
Token: 35	3380	notepad.exe
Token: 36	3380	notepad.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe

pid	process
4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe
4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe
4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe

pid	process
4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe
4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe
4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exenotepad.exe

description	pid	process	target process
PID 4700 wrote to memory of 3380	4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe	notepad.exe
PID 4700 wrote to memory of 3380	4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe	notepad.exe
PID 4700 wrote to memory of 3380	4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe	notepad.exe
PID 4700 wrote to memory of 3380	4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe	notepad.exe
PID 4700 wrote to memory of 3380	4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe	notepad.exe
PID 4700 wrote to memory of 3380	4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe	notepad.exe
PID 4700 wrote to memory of 3380	4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe	notepad.exe
PID 4700 wrote to memory of 3380	4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe	notepad.exe
PID 4700 wrote to memory of 3380	4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe	notepad.exe
PID 4700 wrote to memory of 3380	4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe	notepad.exe
PID 4700 wrote to memory of 3380	4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe	notepad.exe
PID 4700 wrote to memory of 3380	4700	7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 3640	3380	notepad.exe	notepad.exe
PID 3380 wrote to memory of 4708	3380	notepad.exe	windll.exe
PID 3380 wrote to memory of 4708	3380	notepad.exe	windll.exe
PID 3380 wrote to memory of 4708	3380	notepad.exe	windll.exe

C:\Users\Admin\AppData\Local\Temp\7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe
"C:\Users\Admin\AppData\Local\Temp\7ce12277d8a1cf1571e742a7278333478c5c4bda817169df3ad546a31545097b.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\SysWOW64\notepad.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:3640
- - C:\Users\Admin\Documents\My picture\windll.exe
    "C:\Users\Admin\Documents\My picture\windll.exe"
    3⤵
    - Executes dropped EXE
    PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\My picture\windll.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
memory/3380-132-0x0000000000000000-mapping.dmp

Download
memory/3380-133-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3380-134-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3380-135-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3380-137-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3640-136-0x0000000000000000-mapping.dmp

Download
memory/4708-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads