darkcomet | 5d7f6ab4f324bfaa347af5917a59a9b633f4dd891a96870235c6509fb9e7b5d4

General

Target

2abeee8718f57cf5318197003550909d.exe
Size

1.4MB
MD5

2abeee8718f57cf5318197003550909d
SHA1

9e4662401cc01283eb03ad9b79a52b02713963fb
SHA256

5d7f6ab4f324bfaa347af5917a59a9b633f4dd891a96870235c6509fb9e7b5d4
SHA512

4897d94a4263451890e060a5488570c889dbd54e55fe9f4dc8c8ce00739ecf696392d9534d4f534370c59c073d496e0e5afac985cfb12b3c5d5e2a11523b06d8
SSDEEP

24576:tVrEOG6glVYeR74l7UiAHbdgSMs3hn3x2VpuDJGhuNKx/la60x:ttE16gLYK7BBHMox2buDYQQh060x

Score

10^/10

darkcomet luxygt persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

luxygt

C2

dartkom22.ddns.net:2009

Mutex

DCMIN_MUTEX-UT0S86Q

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
fT1b0Py34wS5
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

2abeee8718f57cf5318197003550909d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	2abeee8718f57cf5318197003550909d.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2abeee8718f57cf5318197003550909d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	2abeee8718f57cf5318197003550909d.exe

Executes dropped EXE 2 IoCs

Processes:

IMDCSC.exeIMDCSC.exe

pid process

1944 IMDCSC.exe
3076 IMDCSC.exe

pid	process
1944	IMDCSC.exe
3076	IMDCSC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2abeee8718f57cf5318197003550909d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	2abeee8718f57cf5318197003550909d.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2abeee8718f57cf5318197003550909d.exeIMDCSC.exe

description	pid	process	target process
PID 228 set thread context of 4568	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 1944 set thread context of 3076	1944	IMDCSC.exe	IMDCSC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2abeee8718f57cf5318197003550909d.exe

pid	process
228	2abeee8718f57cf5318197003550909d.exe
228	2abeee8718f57cf5318197003550909d.exe
228	2abeee8718f57cf5318197003550909d.exe
228	2abeee8718f57cf5318197003550909d.exe
228	2abeee8718f57cf5318197003550909d.exe
228	2abeee8718f57cf5318197003550909d.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

2abeee8718f57cf5318197003550909d.exe2abeee8718f57cf5318197003550909d.exeIMDCSC.exe

description	pid	process
Token: SeDebugPrivilege	228	2abeee8718f57cf5318197003550909d.exe
Token: SeIncreaseQuotaPrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeSecurityPrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeTakeOwnershipPrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeLoadDriverPrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeSystemProfilePrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeSystemtimePrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeProfSingleProcessPrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeIncBasePriorityPrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeCreatePagefilePrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeBackupPrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeRestorePrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeShutdownPrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeDebugPrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeSystemEnvironmentPrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeChangeNotifyPrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeRemoteShutdownPrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeUndockPrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeManageVolumePrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeImpersonatePrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeCreateGlobalPrivilege	4568	2abeee8718f57cf5318197003550909d.exe
Token: 33	4568	2abeee8718f57cf5318197003550909d.exe
Token: 34	4568	2abeee8718f57cf5318197003550909d.exe
Token: 35	4568	2abeee8718f57cf5318197003550909d.exe
Token: 36	4568	2abeee8718f57cf5318197003550909d.exe
Token: SeIncreaseQuotaPrivilege	3076	IMDCSC.exe
Token: SeSecurityPrivilege	3076	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	3076	IMDCSC.exe
Token: SeLoadDriverPrivilege	3076	IMDCSC.exe
Token: SeSystemProfilePrivilege	3076	IMDCSC.exe
Token: SeSystemtimePrivilege	3076	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	3076	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	3076	IMDCSC.exe
Token: SeCreatePagefilePrivilege	3076	IMDCSC.exe
Token: SeBackupPrivilege	3076	IMDCSC.exe
Token: SeRestorePrivilege	3076	IMDCSC.exe
Token: SeShutdownPrivilege	3076	IMDCSC.exe
Token: SeDebugPrivilege	3076	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	3076	IMDCSC.exe
Token: SeChangeNotifyPrivilege	3076	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	3076	IMDCSC.exe
Token: SeUndockPrivilege	3076	IMDCSC.exe
Token: SeManageVolumePrivilege	3076	IMDCSC.exe
Token: SeImpersonatePrivilege	3076	IMDCSC.exe
Token: SeCreateGlobalPrivilege	3076	IMDCSC.exe
Token: 33	3076	IMDCSC.exe
Token: 34	3076	IMDCSC.exe
Token: 35	3076	IMDCSC.exe
Token: 36	3076	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMDCSC.exe

pid process

3076 IMDCSC.exe

pid	process
3076	IMDCSC.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

2abeee8718f57cf5318197003550909d.exe2abeee8718f57cf5318197003550909d.exeIMDCSC.exe

description	pid	process	target process
PID 228 wrote to memory of 4444	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4444	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4444	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 3372	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 3372	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 3372	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4456	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4456	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4456	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4568	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4568	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4568	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4568	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4568	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4568	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4568	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4568	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4568	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4568	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4568	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 228 wrote to memory of 4568	228	2abeee8718f57cf5318197003550909d.exe	2abeee8718f57cf5318197003550909d.exe
PID 4568 wrote to memory of 1944	4568	2abeee8718f57cf5318197003550909d.exe	IMDCSC.exe
PID 4568 wrote to memory of 1944	4568	2abeee8718f57cf5318197003550909d.exe	IMDCSC.exe
PID 4568 wrote to memory of 1944	4568	2abeee8718f57cf5318197003550909d.exe	IMDCSC.exe
PID 1944 wrote to memory of 3076	1944	IMDCSC.exe	IMDCSC.exe
PID 1944 wrote to memory of 3076	1944	IMDCSC.exe	IMDCSC.exe
PID 1944 wrote to memory of 3076	1944	IMDCSC.exe	IMDCSC.exe
PID 1944 wrote to memory of 3076	1944	IMDCSC.exe	IMDCSC.exe
PID 1944 wrote to memory of 3076	1944	IMDCSC.exe	IMDCSC.exe
PID 1944 wrote to memory of 3076	1944	IMDCSC.exe	IMDCSC.exe
PID 1944 wrote to memory of 3076	1944	IMDCSC.exe	IMDCSC.exe
PID 1944 wrote to memory of 3076	1944	IMDCSC.exe	IMDCSC.exe
PID 1944 wrote to memory of 3076	1944	IMDCSC.exe	IMDCSC.exe
PID 1944 wrote to memory of 3076	1944	IMDCSC.exe	IMDCSC.exe
PID 1944 wrote to memory of 3076	1944	IMDCSC.exe	IMDCSC.exe
PID 1944 wrote to memory of 3076	1944	IMDCSC.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\2abeee8718f57cf5318197003550909d.exe
"C:\Users\Admin\AppData\Local\Temp\2abeee8718f57cf5318197003550909d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228

C:\Users\Admin\AppData\Local\Temp\2abeee8718f57cf5318197003550909d.exe
"C:\Users\Admin\AppData\Local\Temp\2abeee8718f57cf5318197003550909d.exe"
2⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\2abeee8718f57cf5318197003550909d.exe
"C:\Users\Admin\AppData\Local\Temp\2abeee8718f57cf5318197003550909d.exe"
2⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\2abeee8718f57cf5318197003550909d.exe
"C:\Users\Admin\AppData\Local\Temp\2abeee8718f57cf5318197003550909d.exe"
2⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\2abeee8718f57cf5318197003550909d.exe
"C:\Users\Admin\AppData\Local\Temp\2abeee8718f57cf5318197003550909d.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
1.4MB

MD5
2abeee8718f57cf5318197003550909d

SHA1
9e4662401cc01283eb03ad9b79a52b02713963fb

SHA256
5d7f6ab4f324bfaa347af5917a59a9b633f4dd891a96870235c6509fb9e7b5d4

SHA512
4897d94a4263451890e060a5488570c889dbd54e55fe9f4dc8c8ce00739ecf696392d9534d4f534370c59c073d496e0e5afac985cfb12b3c5d5e2a11523b06d8

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
1.4MB

MD5
2abeee8718f57cf5318197003550909d

SHA1
9e4662401cc01283eb03ad9b79a52b02713963fb

SHA256
5d7f6ab4f324bfaa347af5917a59a9b633f4dd891a96870235c6509fb9e7b5d4

SHA512
4897d94a4263451890e060a5488570c889dbd54e55fe9f4dc8c8ce00739ecf696392d9534d4f534370c59c073d496e0e5afac985cfb12b3c5d5e2a11523b06d8

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
1.4MB

MD5
2abeee8718f57cf5318197003550909d

SHA1
9e4662401cc01283eb03ad9b79a52b02713963fb

SHA256
5d7f6ab4f324bfaa347af5917a59a9b633f4dd891a96870235c6509fb9e7b5d4

SHA512
4897d94a4263451890e060a5488570c889dbd54e55fe9f4dc8c8ce00739ecf696392d9534d4f534370c59c073d496e0e5afac985cfb12b3c5d5e2a11523b06d8

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
1.4MB

MD5
2abeee8718f57cf5318197003550909d

SHA1
9e4662401cc01283eb03ad9b79a52b02713963fb

SHA256
5d7f6ab4f324bfaa347af5917a59a9b633f4dd891a96870235c6509fb9e7b5d4

SHA512
4897d94a4263451890e060a5488570c889dbd54e55fe9f4dc8c8ce00739ecf696392d9534d4f534370c59c073d496e0e5afac985cfb12b3c5d5e2a11523b06d8

Download Submit
memory/228-134-0x0000000005DF0000-0x0000000006394000-memory.dmp

Filesize
5.6MB

Download
memory/228-137-0x0000000005950000-0x0000000005960000-memory.dmp

Filesize
64KB

Download
memory/228-133-0x0000000000D50000-0x0000000000EC8000-memory.dmp

Filesize
1.5MB

Download
memory/3076-164-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3076-162-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3076-163-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/3076-161-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3076-165-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3076-158-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3076-159-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4568-138-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4568-160-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4568-141-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/4568-140-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4568-136-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4568-135-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads