darkcomet | 66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc

General

Target

66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Size

705KB
MD5

5d5ae2dfec782528dbf7022a5e153c2e
SHA1

ad267543c3953a315fd585b274c61e8ade393219
SHA256

66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc
SHA512

358052014ed4f8e8419a4ce67d18230c33aebc6d3f9005dbacf096a8d2011f125664d4d3547a4bbe90ce32e60733931278acdca2e8929c3ff84128375ea1670a
SSDEEP

12288:bFa3rg0Tn+1rOO1lNqkLVmJWq88ILe4xwirKeuDZJfyIUdmgeCX5W2/oooJA1ooq:s00Tn+JNqkVLnlxwuKvDasCXJoooJA1O

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

amnizia.no-ip.org:1604

Mutex

DCMIN_MUTEX-T34E8EC

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
hD7ZKwX5TTz1
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\DCSCMIN\\IMDCSC.exe"	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe

Executes dropped EXE 2 IoCs

Processes:

IMDCSC.exeIMDCSC.exe

pid process

892 IMDCSC.exe
396 IMDCSC.exe

pid	process
892	IMDCSC.exe
396	IMDCSC.exe

Loads dropped DLL 3 IoCs

Processes:

66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exeIMDCSC.exe

pid	process
1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
892	IMDCSC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DCSCMIN\\IMDCSC.exe"	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exeIMDCSC.exe

description	pid	process	target process
PID 1348 set thread context of 1284	1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
PID 892 set thread context of 396	892	IMDCSC.exe	IMDCSC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exeIMDCSC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeSecurityPrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeTakeOwnershipPrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeLoadDriverPrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeSystemProfilePrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeSystemtimePrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeProfSingleProcessPrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeIncBasePriorityPrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeCreatePagefilePrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeBackupPrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeRestorePrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeShutdownPrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeDebugPrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeSystemEnvironmentPrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeChangeNotifyPrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeRemoteShutdownPrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeUndockPrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeManageVolumePrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeImpersonatePrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeCreateGlobalPrivilege	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: 33	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: 34	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: 35	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
Token: SeIncreaseQuotaPrivilege	396	IMDCSC.exe
Token: SeSecurityPrivilege	396	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	396	IMDCSC.exe
Token: SeLoadDriverPrivilege	396	IMDCSC.exe
Token: SeSystemProfilePrivilege	396	IMDCSC.exe
Token: SeSystemtimePrivilege	396	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	396	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	396	IMDCSC.exe
Token: SeCreatePagefilePrivilege	396	IMDCSC.exe
Token: SeBackupPrivilege	396	IMDCSC.exe
Token: SeRestorePrivilege	396	IMDCSC.exe
Token: SeShutdownPrivilege	396	IMDCSC.exe
Token: SeDebugPrivilege	396	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	396	IMDCSC.exe
Token: SeChangeNotifyPrivilege	396	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	396	IMDCSC.exe
Token: SeUndockPrivilege	396	IMDCSC.exe
Token: SeManageVolumePrivilege	396	IMDCSC.exe
Token: SeImpersonatePrivilege	396	IMDCSC.exe
Token: SeCreateGlobalPrivilege	396	IMDCSC.exe
Token: 33	396	IMDCSC.exe
Token: 34	396	IMDCSC.exe
Token: 35	396	IMDCSC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exeIMDCSC.exeIMDCSC.exe

pid process

1348 66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
892 IMDCSC.exe
396 IMDCSC.exe

pid	process
1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
892	IMDCSC.exe
396	IMDCSC.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exeIMDCSC.exe

description	pid	process	target process
PID 1348 wrote to memory of 1284	1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
PID 1348 wrote to memory of 1284	1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
PID 1348 wrote to memory of 1284	1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
PID 1348 wrote to memory of 1284	1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
PID 1348 wrote to memory of 1284	1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
PID 1348 wrote to memory of 1284	1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
PID 1348 wrote to memory of 1284	1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
PID 1348 wrote to memory of 1284	1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
PID 1348 wrote to memory of 1284	1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
PID 1348 wrote to memory of 1284	1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
PID 1348 wrote to memory of 1284	1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
PID 1348 wrote to memory of 1284	1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
PID 1348 wrote to memory of 1284	1348	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
PID 1284 wrote to memory of 892	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	IMDCSC.exe
PID 1284 wrote to memory of 892	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	IMDCSC.exe
PID 1284 wrote to memory of 892	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	IMDCSC.exe
PID 1284 wrote to memory of 892	1284	66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe	IMDCSC.exe
PID 892 wrote to memory of 396	892	IMDCSC.exe	IMDCSC.exe
PID 892 wrote to memory of 396	892	IMDCSC.exe	IMDCSC.exe
PID 892 wrote to memory of 396	892	IMDCSC.exe	IMDCSC.exe
PID 892 wrote to memory of 396	892	IMDCSC.exe	IMDCSC.exe
PID 892 wrote to memory of 396	892	IMDCSC.exe	IMDCSC.exe
PID 892 wrote to memory of 396	892	IMDCSC.exe	IMDCSC.exe
PID 892 wrote to memory of 396	892	IMDCSC.exe	IMDCSC.exe
PID 892 wrote to memory of 396	892	IMDCSC.exe	IMDCSC.exe
PID 892 wrote to memory of 396	892	IMDCSC.exe	IMDCSC.exe
PID 892 wrote to memory of 396	892	IMDCSC.exe	IMDCSC.exe
PID 892 wrote to memory of 396	892	IMDCSC.exe	IMDCSC.exe
PID 892 wrote to memory of 396	892	IMDCSC.exe	IMDCSC.exe
PID 892 wrote to memory of 396	892	IMDCSC.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
"C:\Users\Admin\AppData\Local\Temp\66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe
"C:\Users\Admin\AppData\Local\Temp\66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe
Filesize
705KB

MD5
5d5ae2dfec782528dbf7022a5e153c2e

SHA1
ad267543c3953a315fd585b274c61e8ade393219

SHA256
66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc

SHA512
358052014ed4f8e8419a4ce67d18230c33aebc6d3f9005dbacf096a8d2011f125664d4d3547a4bbe90ce32e60733931278acdca2e8929c3ff84128375ea1670a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe
Filesize
705KB

MD5
5d5ae2dfec782528dbf7022a5e153c2e

SHA1
ad267543c3953a315fd585b274c61e8ade393219

SHA256
66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc

SHA512
358052014ed4f8e8419a4ce67d18230c33aebc6d3f9005dbacf096a8d2011f125664d4d3547a4bbe90ce32e60733931278acdca2e8929c3ff84128375ea1670a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe
Filesize
705KB

MD5
5d5ae2dfec782528dbf7022a5e153c2e

SHA1
ad267543c3953a315fd585b274c61e8ade393219

SHA256
66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc

SHA512
358052014ed4f8e8419a4ce67d18230c33aebc6d3f9005dbacf096a8d2011f125664d4d3547a4bbe90ce32e60733931278acdca2e8929c3ff84128375ea1670a

Download Submit
\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe
Filesize
705KB

MD5
5d5ae2dfec782528dbf7022a5e153c2e

SHA1
ad267543c3953a315fd585b274c61e8ade393219

SHA256
66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc

SHA512
358052014ed4f8e8419a4ce67d18230c33aebc6d3f9005dbacf096a8d2011f125664d4d3547a4bbe90ce32e60733931278acdca2e8929c3ff84128375ea1670a

Download Submit
\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe
Filesize
705KB

MD5
5d5ae2dfec782528dbf7022a5e153c2e

SHA1
ad267543c3953a315fd585b274c61e8ade393219

SHA256
66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc

SHA512
358052014ed4f8e8419a4ce67d18230c33aebc6d3f9005dbacf096a8d2011f125664d4d3547a4bbe90ce32e60733931278acdca2e8929c3ff84128375ea1670a

Download Submit
\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe
Filesize
705KB

MD5
5d5ae2dfec782528dbf7022a5e153c2e

SHA1
ad267543c3953a315fd585b274c61e8ade393219

SHA256
66cbf78bef04886de9f7dacc6b7dffe919a87011bfe482fd8ddfbe7bf791fbcc

SHA512
358052014ed4f8e8419a4ce67d18230c33aebc6d3f9005dbacf096a8d2011f125664d4d3547a4bbe90ce32e60733931278acdca2e8929c3ff84128375ea1670a

Download Submit
memory/396-105-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/396-104-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/396-99-0x0000000000490888-mapping.dmp

Download
memory/892-78-0x0000000000000000-mapping.dmp

Download
memory/1284-66-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1284-68-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1284-74-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1284-75-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1284-72-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1284-71-0x0000000000490888-mapping.dmp

Download
memory/1284-70-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1284-73-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1284-56-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1284-65-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1284-63-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1284-61-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1284-59-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1284-57-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads