darkcomet | de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f

Analysis

max time kernel
193s
max time network
67s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Size

659KB
MD5

88a08e03244386ad4044b52d05863cf8
SHA1

094aacac64a069e3fae53c7b866041f81f5da951
SHA256

de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f
SHA512

0e0c62044c473ab4407c88613056fec379cca114cab3dcd0926d0aee5cf69ccaa340ec0255261a017a2afb7d8ff0b0cdd854e16f399142e16b40160234f33d74
SSDEEP

12288:G9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hq:iZ1xuVVjfFoynPaVBUR8f+kN10EBA

Score

10^/10

darkcomet guest-2 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest-2

root-server.no-ip.biz:4444

Mutex

DC_MUTEX-MUT9FNF

Attributes

InstallPath
svechost.exe
gencode
sqSXDrf2rKig
install
true
offline_keylogger
true
persistence
true
reg_key
Svechost.exe

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\svechost.exe"	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svechost.exe

Executes dropped EXE 1 IoCs

pid	Process
2016	svechost.exe

Deletes itself 1 IoCs

pid	Process
1124	notepad.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svechost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Svechost.exe = "C:\\svechost.exe"	svechost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Svechost.exe = "C:\\svechost.exe"	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeSecurityPrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeTakeOwnershipPrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeLoadDriverPrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeSystemProfilePrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeSystemtimePrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeProfSingleProcessPrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeIncBasePriorityPrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeCreatePagefilePrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeBackupPrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeRestorePrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeShutdownPrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeDebugPrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeSystemEnvironmentPrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeChangeNotifyPrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeRemoteShutdownPrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeUndockPrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeManageVolumePrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeImpersonatePrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeCreateGlobalPrivilege	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: 33	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: 34	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: 35	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
Token: SeIncreaseQuotaPrivilege	2016	svechost.exe
Token: SeSecurityPrivilege	2016	svechost.exe
Token: SeTakeOwnershipPrivilege	2016	svechost.exe
Token: SeLoadDriverPrivilege	2016	svechost.exe
Token: SeSystemProfilePrivilege	2016	svechost.exe
Token: SeSystemtimePrivilege	2016	svechost.exe
Token: SeProfSingleProcessPrivilege	2016	svechost.exe
Token: SeIncBasePriorityPrivilege	2016	svechost.exe
Token: SeCreatePagefilePrivilege	2016	svechost.exe
Token: SeBackupPrivilege	2016	svechost.exe
Token: SeRestorePrivilege	2016	svechost.exe
Token: SeShutdownPrivilege	2016	svechost.exe
Token: SeDebugPrivilege	2016	svechost.exe
Token: SeSystemEnvironmentPrivilege	2016	svechost.exe
Token: SeChangeNotifyPrivilege	2016	svechost.exe
Token: SeRemoteShutdownPrivilege	2016	svechost.exe
Token: SeUndockPrivilege	2016	svechost.exe
Token: SeManageVolumePrivilege	2016	svechost.exe
Token: SeImpersonatePrivilege	2016	svechost.exe
Token: SeCreateGlobalPrivilege	2016	svechost.exe
Token: 33	2016	svechost.exe
Token: 34	2016	svechost.exe
Token: 35	2016	svechost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2016	svechost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 1124	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	28
PID 1108 wrote to memory of 2016	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	29
PID 1108 wrote to memory of 2016	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	29
PID 1108 wrote to memory of 2016	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	29
PID 1108 wrote to memory of 2016	1108	de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe	29

C:\Users\Admin\AppData\Local\Temp\de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe
"C:\Users\Admin\AppData\Local\Temp\de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  PID:1124
- C:\svechost.exe
  "C:\svechost.exe"
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\svechost.exe

Filesize
659KB

MD5
88a08e03244386ad4044b52d05863cf8

SHA1
094aacac64a069e3fae53c7b866041f81f5da951

SHA256
de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f

SHA512
0e0c62044c473ab4407c88613056fec379cca114cab3dcd0926d0aee5cf69ccaa340ec0255261a017a2afb7d8ff0b0cdd854e16f399142e16b40160234f33d74

Download Submit
C:\svechost.exe

Filesize
659KB

MD5
88a08e03244386ad4044b52d05863cf8

SHA1
094aacac64a069e3fae53c7b866041f81f5da951

SHA256
de5f09e0a1c8231b06860149cb8701b692925b45c51437812bcbad4d3171369f

SHA512
0e0c62044c473ab4407c88613056fec379cca114cab3dcd0926d0aee5cf69ccaa340ec0255261a017a2afb7d8ff0b0cdd854e16f399142e16b40160234f33d74

Download Submit
memory/1108-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads