darkcomet | 3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53

Analysis

max time kernel
151s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Size

356KB
MD5

6665f5e35cc8a79573b7a60f42793ad5
SHA1

38f5f0131b63098f9fab7f6cdfb91b80999d4d94
SHA256

3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53
SHA512

0a2578d4f15a2fb755a299b21fa5492b42e4c943178ad075a44412a0161aea6580d19543a06bff00c6f62d2626a678b0c0c2b802253312b042e06a98dc5adecf
SSDEEP

6144:BcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL378CfCY:BcW7KEZlPzCy378kC

Score

10^/10

darkcomet nmp1 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

nmp1

nhatnhoa.no-ip.org:9998

Mutex

DC_MUTEX-6SF0UYS

Attributes

InstallPath
MSDCSC\svhost.exe
gencode
f9Jslnn1jp65
install
true
offline_keylogger
true
password
jimmynmp
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\svhost.exe"	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe

Executes dropped EXE 1 IoCs

pid	Process
1872	svhost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000152c0-55.dat	upx
behavioral1/files/0x00080000000152c0-58.dat	upx
behavioral1/files/0x00080000000152c0-56.dat	upx
behavioral1/files/0x00080000000152c0-60.dat	upx
behavioral1/memory/1872-61-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral1/memory/1376-62-0x0000000000400000-0x00000000004EA000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\svhost.exe"	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1872 set thread context of 472	1872	svhost.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
472	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeSecurityPrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeTakeOwnershipPrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeLoadDriverPrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeSystemProfilePrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeSystemtimePrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeProfSingleProcessPrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeIncBasePriorityPrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeCreatePagefilePrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeBackupPrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeRestorePrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeShutdownPrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeDebugPrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeSystemEnvironmentPrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeChangeNotifyPrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeRemoteShutdownPrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeUndockPrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeManageVolumePrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeImpersonatePrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeCreateGlobalPrivilege	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: 33	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: 34	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: 35	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
Token: SeIncreaseQuotaPrivilege	1872	svhost.exe
Token: SeSecurityPrivilege	1872	svhost.exe
Token: SeTakeOwnershipPrivilege	1872	svhost.exe
Token: SeLoadDriverPrivilege	1872	svhost.exe
Token: SeSystemProfilePrivilege	1872	svhost.exe
Token: SeSystemtimePrivilege	1872	svhost.exe
Token: SeProfSingleProcessPrivilege	1872	svhost.exe
Token: SeIncBasePriorityPrivilege	1872	svhost.exe
Token: SeCreatePagefilePrivilege	1872	svhost.exe
Token: SeBackupPrivilege	1872	svhost.exe
Token: SeRestorePrivilege	1872	svhost.exe
Token: SeShutdownPrivilege	1872	svhost.exe
Token: SeDebugPrivilege	1872	svhost.exe
Token: SeSystemEnvironmentPrivilege	1872	svhost.exe
Token: SeChangeNotifyPrivilege	1872	svhost.exe
Token: SeRemoteShutdownPrivilege	1872	svhost.exe
Token: SeUndockPrivilege	1872	svhost.exe
Token: SeManageVolumePrivilege	1872	svhost.exe
Token: SeImpersonatePrivilege	1872	svhost.exe
Token: SeCreateGlobalPrivilege	1872	svhost.exe
Token: 33	1872	svhost.exe
Token: 34	1872	svhost.exe
Token: 35	1872	svhost.exe
Token: SeIncreaseQuotaPrivilege	472	iexplore.exe
Token: SeSecurityPrivilege	472	iexplore.exe
Token: SeTakeOwnershipPrivilege	472	iexplore.exe
Token: SeLoadDriverPrivilege	472	iexplore.exe
Token: SeSystemProfilePrivilege	472	iexplore.exe
Token: SeSystemtimePrivilege	472	iexplore.exe
Token: SeProfSingleProcessPrivilege	472	iexplore.exe
Token: SeIncBasePriorityPrivilege	472	iexplore.exe
Token: SeCreatePagefilePrivilege	472	iexplore.exe
Token: SeBackupPrivilege	472	iexplore.exe
Token: SeRestorePrivilege	472	iexplore.exe
Token: SeShutdownPrivilege	472	iexplore.exe
Token: SeDebugPrivilege	472	iexplore.exe
Token: SeSystemEnvironmentPrivilege	472	iexplore.exe
Token: SeChangeNotifyPrivilege	472	iexplore.exe
Token: SeRemoteShutdownPrivilege	472	iexplore.exe
Token: SeUndockPrivilege	472	iexplore.exe
Token: SeManageVolumePrivilege	472	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
472	iexplore.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1872	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe	26
PID 1376 wrote to memory of 1872	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe	26
PID 1376 wrote to memory of 1872	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe	26
PID 1376 wrote to memory of 1872	1376	3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe	26
PID 1872 wrote to memory of 472	1872	svhost.exe	27
PID 1872 wrote to memory of 472	1872	svhost.exe	27
PID 1872 wrote to memory of 472	1872	svhost.exe	27
PID 1872 wrote to memory of 472	1872	svhost.exe	27
PID 1872 wrote to memory of 472	1872	svhost.exe	27
PID 1872 wrote to memory of 472	1872	svhost.exe	27

C:\Users\Admin\AppData\Local\Temp\3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe
"C:\Users\Admin\AppData\Local\Temp\3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\Documents\MSDCSC\svhost.exe
  "C:\Users\Admin\Documents\MSDCSC\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\svhost.exe

Filesize
356KB

MD5
6665f5e35cc8a79573b7a60f42793ad5

SHA1
38f5f0131b63098f9fab7f6cdfb91b80999d4d94

SHA256
3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53

SHA512
0a2578d4f15a2fb755a299b21fa5492b42e4c943178ad075a44412a0161aea6580d19543a06bff00c6f62d2626a678b0c0c2b802253312b042e06a98dc5adecf

Download Submit
C:\Users\Admin\Documents\MSDCSC\svhost.exe

Filesize
356KB

MD5
6665f5e35cc8a79573b7a60f42793ad5

SHA1
38f5f0131b63098f9fab7f6cdfb91b80999d4d94

SHA256
3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53

SHA512
0a2578d4f15a2fb755a299b21fa5492b42e4c943178ad075a44412a0161aea6580d19543a06bff00c6f62d2626a678b0c0c2b802253312b042e06a98dc5adecf

Download Submit
\Users\Admin\Documents\MSDCSC\svhost.exe

Filesize
356KB

MD5
6665f5e35cc8a79573b7a60f42793ad5

SHA1
38f5f0131b63098f9fab7f6cdfb91b80999d4d94

SHA256
3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53

SHA512
0a2578d4f15a2fb755a299b21fa5492b42e4c943178ad075a44412a0161aea6580d19543a06bff00c6f62d2626a678b0c0c2b802253312b042e06a98dc5adecf

Download Submit
\Users\Admin\Documents\MSDCSC\svhost.exe

Filesize
356KB

MD5
6665f5e35cc8a79573b7a60f42793ad5

SHA1
38f5f0131b63098f9fab7f6cdfb91b80999d4d94

SHA256
3696652fcd7885fb3982eb9bac6274ffea26273121748ba11187f48edee1ed53

SHA512
0a2578d4f15a2fb755a299b21fa5492b42e4c943178ad075a44412a0161aea6580d19543a06bff00c6f62d2626a678b0c0c2b802253312b042e06a98dc5adecf

Download Submit
memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1376-62-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1376-63-0x0000000004D20000-0x0000000004E0A000-memory.dmp

Filesize
936KB

Download
memory/1872-61-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads