darkcomet | c1990fc60695c907817670cb510764eab966c0581ce825820999d42e1d4a930b

Analysis

max time kernel
143s
max time network
150s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easyMalicious1845a1255c8d.exe
Size

948KB
MD5

81aa0004ab6395cc670810ec1912133a
SHA1

94a2f9f9f9e050c1fed207ddd51c2c3dee15b80e
SHA256

c1990fc60695c907817670cb510764eab966c0581ce825820999d42e1d4a930b
SHA512

098e82d9269de8a31048bda1b5e92bfdbe059f3d8b910eb66a1574f03f9ffe035dcd3e4e93ce2c9a11bf574093183a3845157f3e767d9dd8db710fcebfe94c68
SSDEEP

24576:GZ1xuVVjfFoynPaVBUR8f+kN10EBgu+DK7L:WQDgok30hu+IL

Score

10^/10

darkcomet metin2 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

metin2

127.0.0.1:1337

192.168.1.6:1337

eminreyiz421.duckdns.org:1337

Mutex

DC_MUTEX-CCXVC7A

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
wflW6toZeCtJ
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	easyMalicious1845a1255c8d.exe

Deletes itself 1 IoCs

pid	Process
2164	notepad.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	msdcsc.exe

Loads dropped DLL 2 IoCs

pid	Process
592	easyMalicious1845a1255c8d.exe
592	easyMalicious1845a1255c8d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	easyMalicious1845a1255c8d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeSecurityPrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeTakeOwnershipPrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeLoadDriverPrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeSystemProfilePrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeSystemtimePrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeProfSingleProcessPrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeIncBasePriorityPrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeCreatePagefilePrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeBackupPrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeRestorePrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeShutdownPrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeDebugPrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeSystemEnvironmentPrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeChangeNotifyPrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeRemoteShutdownPrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeUndockPrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeManageVolumePrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeImpersonatePrivilege	592	easyMalicious1845a1255c8d.exe
Token: SeCreateGlobalPrivilege	592	easyMalicious1845a1255c8d.exe
Token: 33	592	easyMalicious1845a1255c8d.exe
Token: 34	592	easyMalicious1845a1255c8d.exe
Token: 35	592	easyMalicious1845a1255c8d.exe
Token: SeIncreaseQuotaPrivilege	2968	msdcsc.exe
Token: SeSecurityPrivilege	2968	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2968	msdcsc.exe
Token: SeLoadDriverPrivilege	2968	msdcsc.exe
Token: SeSystemProfilePrivilege	2968	msdcsc.exe
Token: SeSystemtimePrivilege	2968	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2968	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2968	msdcsc.exe
Token: SeCreatePagefilePrivilege	2968	msdcsc.exe
Token: SeBackupPrivilege	2968	msdcsc.exe
Token: SeRestorePrivilege	2968	msdcsc.exe
Token: SeShutdownPrivilege	2968	msdcsc.exe
Token: SeDebugPrivilege	2968	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2968	msdcsc.exe
Token: SeChangeNotifyPrivilege	2968	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2968	msdcsc.exe
Token: SeUndockPrivilege	2968	msdcsc.exe
Token: SeManageVolumePrivilege	2968	msdcsc.exe
Token: SeImpersonatePrivilege	2968	msdcsc.exe
Token: SeCreateGlobalPrivilege	2968	msdcsc.exe
Token: 33	2968	msdcsc.exe
Token: 34	2968	msdcsc.exe
Token: 35	2968	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2968	msdcsc.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2164	592	easyMalicious1845a1255c8d.exe	29
PID 592 wrote to memory of 2968	592	easyMalicious1845a1255c8d.exe	30
PID 592 wrote to memory of 2968	592	easyMalicious1845a1255c8d.exe	30
PID 592 wrote to memory of 2968	592	easyMalicious1845a1255c8d.exe	30
PID 592 wrote to memory of 2968	592	easyMalicious1845a1255c8d.exe	30

C:\Users\Admin\AppData\Local\Temp\easyMalicious1845a1255c8d.exe
"C:\Users\Admin\AppData\Local\Temp\easyMalicious1845a1255c8d.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  PID:2164
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
948KB

MD5
81aa0004ab6395cc670810ec1912133a

SHA1
94a2f9f9f9e050c1fed207ddd51c2c3dee15b80e

SHA256
c1990fc60695c907817670cb510764eab966c0581ce825820999d42e1d4a930b

SHA512
098e82d9269de8a31048bda1b5e92bfdbe059f3d8b910eb66a1574f03f9ffe035dcd3e4e93ce2c9a11bf574093183a3845157f3e767d9dd8db710fcebfe94c68

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
948KB

MD5
81aa0004ab6395cc670810ec1912133a

SHA1
94a2f9f9f9e050c1fed207ddd51c2c3dee15b80e

SHA256
c1990fc60695c907817670cb510764eab966c0581ce825820999d42e1d4a930b

SHA512
098e82d9269de8a31048bda1b5e92bfdbe059f3d8b910eb66a1574f03f9ffe035dcd3e4e93ce2c9a11bf574093183a3845157f3e767d9dd8db710fcebfe94c68

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
948KB

MD5
81aa0004ab6395cc670810ec1912133a

SHA1
94a2f9f9f9e050c1fed207ddd51c2c3dee15b80e

SHA256
c1990fc60695c907817670cb510764eab966c0581ce825820999d42e1d4a930b

SHA512
098e82d9269de8a31048bda1b5e92bfdbe059f3d8b910eb66a1574f03f9ffe035dcd3e4e93ce2c9a11bf574093183a3845157f3e767d9dd8db710fcebfe94c68

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
948KB

MD5
81aa0004ab6395cc670810ec1912133a

SHA1
94a2f9f9f9e050c1fed207ddd51c2c3dee15b80e

SHA256
c1990fc60695c907817670cb510764eab966c0581ce825820999d42e1d4a930b

SHA512
098e82d9269de8a31048bda1b5e92bfdbe059f3d8b910eb66a1574f03f9ffe035dcd3e4e93ce2c9a11bf574093183a3845157f3e767d9dd8db710fcebfe94c68

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
948KB

MD5
81aa0004ab6395cc670810ec1912133a

SHA1
94a2f9f9f9e050c1fed207ddd51c2c3dee15b80e

SHA256
c1990fc60695c907817670cb510764eab966c0581ce825820999d42e1d4a930b

SHA512
098e82d9269de8a31048bda1b5e92bfdbe059f3d8b910eb66a1574f03f9ffe035dcd3e4e93ce2c9a11bf574093183a3845157f3e767d9dd8db710fcebfe94c68

Download Submit
memory/592-82-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/592-71-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2164-70-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2164-56-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2968-81-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2968-84-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2968-85-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2968-86-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2968-89-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2968-92-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2968-94-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2968-95-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2968-97-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads