darkcomet | 5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737

Analysis

max time kernel
149s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Size

690KB
MD5

b59596f3ff64d6b7888c5a3381041c99
SHA1

ab77498daa7a39c8f562bcb77f1a9e18ca130a8c
SHA256

5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737
SHA512

86734883456a8db190dcd734a631471376b562de7dd68c001425e9d6c5539ac1dce598db536bd9068de8a869097071f28748a677950d1e3700348c4754ac490b
SSDEEP

12288:J9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hxZ:TZ1xuVVjfFoynPaVBUR8f+kN10EBd

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

127.0.0.1:1604

Mutex

DC_MUTEX-2QQNDNF

Attributes

InstallPath
Admin\Admin login.exe
gencode
SWpYKxw8bYYy
install
true
offline_keylogger
true
persistence
true
reg_key
Windows Update

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Admin\\Admin login.exe"	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe

Executes dropped EXE 1 IoCs

pid	Process
2000	Admin login.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1700	attrib.exe
560	attrib.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Admin\\Admin login.exe"	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Windows\\system32\\Admin\\Admin login.exe"	Admin login.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Admin\Admin login.exe	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
File opened for modification	C:\Windows\SysWOW64\Admin\Admin login.exe	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
File opened for modification	C:\Windows\SysWOW64\Admin\	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2000	Admin login.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeSecurityPrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeTakeOwnershipPrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeLoadDriverPrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeSystemProfilePrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeSystemtimePrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeProfSingleProcessPrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeIncBasePriorityPrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeCreatePagefilePrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeBackupPrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeRestorePrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeShutdownPrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeDebugPrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeSystemEnvironmentPrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeChangeNotifyPrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeRemoteShutdownPrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeUndockPrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeManageVolumePrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeImpersonatePrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeCreateGlobalPrivilege	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: 33	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: 34	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: 35	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
Token: SeIncreaseQuotaPrivilege	2000	Admin login.exe
Token: SeSecurityPrivilege	2000	Admin login.exe
Token: SeTakeOwnershipPrivilege	2000	Admin login.exe
Token: SeLoadDriverPrivilege	2000	Admin login.exe
Token: SeSystemProfilePrivilege	2000	Admin login.exe
Token: SeSystemtimePrivilege	2000	Admin login.exe
Token: SeProfSingleProcessPrivilege	2000	Admin login.exe
Token: SeIncBasePriorityPrivilege	2000	Admin login.exe
Token: SeCreatePagefilePrivilege	2000	Admin login.exe
Token: SeBackupPrivilege	2000	Admin login.exe
Token: SeRestorePrivilege	2000	Admin login.exe
Token: SeShutdownPrivilege	2000	Admin login.exe
Token: SeDebugPrivilege	2000	Admin login.exe
Token: SeSystemEnvironmentPrivilege	2000	Admin login.exe
Token: SeChangeNotifyPrivilege	2000	Admin login.exe
Token: SeRemoteShutdownPrivilege	2000	Admin login.exe
Token: SeUndockPrivilege	2000	Admin login.exe
Token: SeManageVolumePrivilege	2000	Admin login.exe
Token: SeImpersonatePrivilege	2000	Admin login.exe
Token: SeCreateGlobalPrivilege	2000	Admin login.exe
Token: 33	2000	Admin login.exe
Token: 34	2000	Admin login.exe
Token: 35	2000	Admin login.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2000	Admin login.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1892	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe	26
PID 2032 wrote to memory of 1892	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe	26
PID 2032 wrote to memory of 1892	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe	26
PID 2032 wrote to memory of 1892	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe	26
PID 2032 wrote to memory of 1288	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe	28
PID 2032 wrote to memory of 1288	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe	28
PID 2032 wrote to memory of 1288	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe	28
PID 2032 wrote to memory of 1288	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe	28
PID 1892 wrote to memory of 1700	1892	cmd.exe	30
PID 1892 wrote to memory of 1700	1892	cmd.exe	30
PID 1892 wrote to memory of 1700	1892	cmd.exe	30
PID 1892 wrote to memory of 1700	1892	cmd.exe	30
PID 1288 wrote to memory of 560	1288	cmd.exe	31
PID 1288 wrote to memory of 560	1288	cmd.exe	31
PID 1288 wrote to memory of 560	1288	cmd.exe	31
PID 1288 wrote to memory of 560	1288	cmd.exe	31
PID 2032 wrote to memory of 2000	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe	32
PID 2032 wrote to memory of 2000	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe	32
PID 2032 wrote to memory of 2000	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe	32
PID 2032 wrote to memory of 2000	2032	5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe	32
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33
PID 2000 wrote to memory of 1868	2000	Admin login.exe	33

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1700	attrib.exe
560	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe
"C:\Users\Admin\AppData\Local\Temp\5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:560
- C:\Windows\SysWOW64\Admin\Admin login.exe
  "C:\Windows\system32\Admin\Admin login.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Admin\Admin login.exe

Filesize
690KB

MD5
b59596f3ff64d6b7888c5a3381041c99

SHA1
ab77498daa7a39c8f562bcb77f1a9e18ca130a8c

SHA256
5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737

SHA512
86734883456a8db190dcd734a631471376b562de7dd68c001425e9d6c5539ac1dce598db536bd9068de8a869097071f28748a677950d1e3700348c4754ac490b

Download Submit
C:\Windows\SysWOW64\Admin\Admin login.exe

Filesize
690KB

MD5
b59596f3ff64d6b7888c5a3381041c99

SHA1
ab77498daa7a39c8f562bcb77f1a9e18ca130a8c

SHA256
5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737

SHA512
86734883456a8db190dcd734a631471376b562de7dd68c001425e9d6c5539ac1dce598db536bd9068de8a869097071f28748a677950d1e3700348c4754ac490b

Download Submit
\Windows\SysWOW64\Admin\Admin login.exe

Filesize
690KB

MD5
b59596f3ff64d6b7888c5a3381041c99

SHA1
ab77498daa7a39c8f562bcb77f1a9e18ca130a8c

SHA256
5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737

SHA512
86734883456a8db190dcd734a631471376b562de7dd68c001425e9d6c5539ac1dce598db536bd9068de8a869097071f28748a677950d1e3700348c4754ac490b

Download Submit
\Windows\SysWOW64\Admin\Admin login.exe

Filesize
690KB

MD5
b59596f3ff64d6b7888c5a3381041c99

SHA1
ab77498daa7a39c8f562bcb77f1a9e18ca130a8c

SHA256
5c2220564d9f14f1ff5416b4f124ae1cbaa8643a9a9c0c04cd760bbff749b737

SHA512
86734883456a8db190dcd734a631471376b562de7dd68c001425e9d6c5539ac1dce598db536bd9068de8a869097071f28748a677950d1e3700348c4754ac490b

Download Submit
memory/2032-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads