darkcomet | 92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c

General

Target

92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Size

1009KB
MD5

e0fecd1853ec03f20e8d2cc28b7012da
SHA1

93a0a322615876ed4c625e0410ca1fdc08e8ad8b
SHA256

92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c
SHA512

efc56b9c045eef8df9072c99d28b7797b17e64fc337152ca7816975f608717f9b0df0c652e138f5fc071b7838e91f4460eed0ea99c668881b37e3863657191e9
SSDEEP

24576:w3/+i1/ShId2i5JZYb/v5goqv2rL7fimsAONU:wXO8g

Score

10^/10

darkcomet rsaccs persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

RSACCS

C2

trojanhasswag.chickenkiller.com:1337

Mutex

DCMIN_MUTEX-SHQRVP8

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
PwMPh90f59Ky
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe

Executes dropped EXE 2 IoCs

Processes:

IMDCSC.exeIMDCSC.exe

pid process

1488 IMDCSC.exe
1652 IMDCSC.exe
Loads dropped DLL 1 IoCs

Processes:

92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe

pid process

1168 92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe

pid	process
1488	IMDCSC.exe
1652	IMDCSC.exe

pid	process
1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\startup = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\u00ad\\Start Menu\\Programs\\Startup\\startup.exe"	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exeIMDCSC.exe

description	pid	process	target process
PID 1508 set thread context of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1488 set thread context of 1652	1488	IMDCSC.exe	IMDCSC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exeIMDCSC.exe

description	pid	process
Token: SeDebugPrivilege	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeIncreaseQuotaPrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeSecurityPrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeTakeOwnershipPrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeLoadDriverPrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeSystemProfilePrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeSystemtimePrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeProfSingleProcessPrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeIncBasePriorityPrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeCreatePagefilePrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeBackupPrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeRestorePrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeShutdownPrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeDebugPrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeSystemEnvironmentPrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeChangeNotifyPrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeRemoteShutdownPrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeUndockPrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeManageVolumePrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeImpersonatePrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeCreateGlobalPrivilege	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: 33	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: 34	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: 35	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
Token: SeDebugPrivilege	1488	IMDCSC.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exeIMDCSC.exe

description	pid	process	target process
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1508 wrote to memory of 1168	1508	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
PID 1168 wrote to memory of 1488	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	IMDCSC.exe
PID 1168 wrote to memory of 1488	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	IMDCSC.exe
PID 1168 wrote to memory of 1488	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	IMDCSC.exe
PID 1168 wrote to memory of 1488	1168	92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe
PID 1488 wrote to memory of 1652	1488	IMDCSC.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
"C:\Users\Admin\AppData\Local\Temp\92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
C:\Users\Admin\AppData\Local\Temp\92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c.exe
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
4⤵
- Executes dropped EXE
PID:1652

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
1009KB

MD5
e0fecd1853ec03f20e8d2cc28b7012da

SHA1
93a0a322615876ed4c625e0410ca1fdc08e8ad8b

SHA256
92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c

SHA512
efc56b9c045eef8df9072c99d28b7797b17e64fc337152ca7816975f608717f9b0df0c652e138f5fc071b7838e91f4460eed0ea99c668881b37e3863657191e9

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
1009KB

MD5
e0fecd1853ec03f20e8d2cc28b7012da

SHA1
93a0a322615876ed4c625e0410ca1fdc08e8ad8b

SHA256
92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c

SHA512
efc56b9c045eef8df9072c99d28b7797b17e64fc337152ca7816975f608717f9b0df0c652e138f5fc071b7838e91f4460eed0ea99c668881b37e3863657191e9

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
1009KB

MD5
e0fecd1853ec03f20e8d2cc28b7012da

SHA1
93a0a322615876ed4c625e0410ca1fdc08e8ad8b

SHA256
92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c

SHA512
efc56b9c045eef8df9072c99d28b7797b17e64fc337152ca7816975f608717f9b0df0c652e138f5fc071b7838e91f4460eed0ea99c668881b37e3863657191e9

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
1009KB

MD5
e0fecd1853ec03f20e8d2cc28b7012da

SHA1
93a0a322615876ed4c625e0410ca1fdc08e8ad8b

SHA256
92ca5e43bb22376cd1995ba5664a92690ee01b44930809619422fffe2f200e7c

SHA512
efc56b9c045eef8df9072c99d28b7797b17e64fc337152ca7816975f608717f9b0df0c652e138f5fc071b7838e91f4460eed0ea99c668881b37e3863657191e9

Download Submit
memory/1168-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-57-0x000000000048F888-mapping.dmp

Download
memory/1168-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1488-63-0x0000000000000000-mapping.dmp

Download
memory/1488-71-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-73-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1508-55-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-72-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-68-0x000000000048F888-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads