darkcomet | 3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa

General

Target

3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Size

751KB
MD5

4a28946dd4a3270bffab291cff7a4af0
SHA1

35327c65e06cb68823834791bb42b3886b3d4941
SHA256

3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa
SHA512

94330ff3a19b9065873b24472cc2896d2dfc134df5af718f9cfc5b5d23f607114396db38f2c67d604b6f2225b570319331b395eb73bd3a264c902368a6ce22b1
SSDEEP

12288:9uQy3/4W9AbG1SclUosPqCVmPtbiA71K+Y1e2kPNw4Bo7uS1PziLeGqtnCDk:UQyP4W9AbD0Js5cVC+SXkPRquS164C

Score

10^/10

darkcomet modiloader darkcomet_tom persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

darkcomet_tom

C2

lizzerdminecraft.no-ip.biz:246

Mutex

DCMIN_MUTEX-T1G1FP3

Attributes

gencode
h9nRHuFJSttf
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\build.exe	modiloader_stage2
\Users\Admin\AppData\Local\Temp\build.exe	modiloader_stage2
C:\Users\Admin\AppData\Local\Temp\build.exe	modiloader_stage2

Executes dropped EXE 1 IoCs

Processes:

build.exe

pid process

1704 build.exe

pid	process
1704	build.exe

Loads dropped DLL 2 IoCs

Processes:

3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe

pid	process
1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\regloader = "C:\\Users\\Admin\\AppData\\Roaming\\coreloader.exe"	REG.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe

description	pid	process	target process
PID 1448 set thread context of 1100	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe

pid	process
1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe

description	pid	process
Token: SeDebugPrivilege	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeIncreaseQuotaPrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeSecurityPrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeTakeOwnershipPrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeLoadDriverPrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeSystemProfilePrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeSystemtimePrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeProfSingleProcessPrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeIncBasePriorityPrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeCreatePagefilePrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeBackupPrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeRestorePrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeShutdownPrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeDebugPrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeSystemEnvironmentPrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeChangeNotifyPrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeRemoteShutdownPrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeUndockPrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeManageVolumePrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeImpersonatePrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: SeCreateGlobalPrivilege	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: 33	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: 34	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
Token: 35	1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe

pid process

1100 3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe

pid	process
1100	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe

C:\Users\Admin\AppData\Local\Temp\3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
"C:\Users\Admin\AppData\Local\Temp\3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
- Executes dropped EXE
PID:1704

C:\Users\Admin\AppData\Local\Temp\3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
"C:\Users\Admin\AppData\Local\Temp\3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "regloader" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\coreloader.exe
2⤵
- Adds Run key to start application
PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
36KB

MD5
b4c712979fff03e90620ef4524f26545

SHA1
ad33b7b60642e71299fcb5c08c77c7e621d90e87

SHA256
85bcc895d77b002b84e8b9702de6171e94f6e659a7763647775fc706f1495b6a

SHA512
15ed2528d7fdada3aefac4145192142115ecac38f0f455fe75a4830df41a5aa6220a91ceaf1224bcc73d8fcb4b966d611d13115f7858ce61557cb29eb2a9057e

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
Filesize
36KB

MD5
b4c712979fff03e90620ef4524f26545

SHA1
ad33b7b60642e71299fcb5c08c77c7e621d90e87

SHA256
85bcc895d77b002b84e8b9702de6171e94f6e659a7763647775fc706f1495b6a

SHA512
15ed2528d7fdada3aefac4145192142115ecac38f0f455fe75a4830df41a5aa6220a91ceaf1224bcc73d8fcb4b966d611d13115f7858ce61557cb29eb2a9057e

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe
Filesize
36KB

MD5
b4c712979fff03e90620ef4524f26545

SHA1
ad33b7b60642e71299fcb5c08c77c7e621d90e87

SHA256
85bcc895d77b002b84e8b9702de6171e94f6e659a7763647775fc706f1495b6a

SHA512
15ed2528d7fdada3aefac4145192142115ecac38f0f455fe75a4830df41a5aa6220a91ceaf1224bcc73d8fcb4b966d611d13115f7858ce61557cb29eb2a9057e

Download Submit
memory/668-79-0x0000000000000000-mapping.dmp

Download
memory/1100-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1100-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1100-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1100-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1100-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1100-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1100-83-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1100-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1100-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1100-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1100-76-0x000000000048F888-mapping.dmp

Download
memory/1100-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1100-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1100-80-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1448-55-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1448-81-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1448-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1704-58-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1448 wrote to memory of 1704	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	build.exe
PID 1448 wrote to memory of 1704	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	build.exe
PID 1448 wrote to memory of 1704	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	build.exe
PID 1448 wrote to memory of 1704	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	build.exe
PID 1448 wrote to memory of 1100	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
PID 1448 wrote to memory of 1100	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
PID 1448 wrote to memory of 1100	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
PID 1448 wrote to memory of 1100	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
PID 1448 wrote to memory of 1100	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
PID 1448 wrote to memory of 1100	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
PID 1448 wrote to memory of 1100	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
PID 1448 wrote to memory of 1100	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
PID 1448 wrote to memory of 1100	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
PID 1448 wrote to memory of 1100	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
PID 1448 wrote to memory of 1100	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
PID 1448 wrote to memory of 1100	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
PID 1448 wrote to memory of 1100	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe
PID 1448 wrote to memory of 668	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	REG.exe
PID 1448 wrote to memory of 668	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	REG.exe
PID 1448 wrote to memory of 668	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	REG.exe
PID 1448 wrote to memory of 668	1448	3320cd98b8ae2d6caa55dd230118f1a99c506b79076af0a081e383d3007c34fa.exe	REG.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads