darkcomet | 21e6c4cc8f7785a4d0c8f312cbdf5219d24a0f1176a144d109f91cc427a062f7

General

Target

1977c2bdcaec144f08371608e0e7ee3a.exe
Size

1.4MB
MD5

1977c2bdcaec144f08371608e0e7ee3a
SHA1

2e98c250c112b6479673c6fac4c130bf1e45287d
SHA256

21e6c4cc8f7785a4d0c8f312cbdf5219d24a0f1176a144d109f91cc427a062f7
SHA512

2be17328024380a1718adcb587485a778e1d463a9b911efeccba881030d9db8f175f4ec511abb562a2d5ea5dc7bce317452eede45e79646c69350fe0e026b1d7
SSDEEP

24576:hh0r/k3pEdZWmRO56tTl6UMs0VbEGZ88TUM+b1ImBsz06xz:k9AGMZZxz

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

testme123.no-ip.biz:82

Mutex

DCMIN_MUTEX-EVANRM5

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
3ozW3J5fvJ1y
install
true
offline_keylogger
true
persistence
false
reg_key
Update

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

file1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	file1.exe

Executes dropped EXE 2 IoCs

Processes:

file1.exeIMDCSC.exe

pid process

2512 file1.exe
2724 IMDCSC.exe
Loads dropped DLL 2 IoCs

Processes:

file1.exe

pid process

2512 file1.exe
2512 file1.exe

pid	process
2512	file1.exe
2724	IMDCSC.exe

pid	process
2512	file1.exe
2512	file1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	file1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

file1.exeIMDCSC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2512	file1.exe
Token: SeSecurityPrivilege	2512	file1.exe
Token: SeTakeOwnershipPrivilege	2512	file1.exe
Token: SeLoadDriverPrivilege	2512	file1.exe
Token: SeSystemProfilePrivilege	2512	file1.exe
Token: SeSystemtimePrivilege	2512	file1.exe
Token: SeProfSingleProcessPrivilege	2512	file1.exe
Token: SeIncBasePriorityPrivilege	2512	file1.exe
Token: SeCreatePagefilePrivilege	2512	file1.exe
Token: SeBackupPrivilege	2512	file1.exe
Token: SeRestorePrivilege	2512	file1.exe
Token: SeShutdownPrivilege	2512	file1.exe
Token: SeDebugPrivilege	2512	file1.exe
Token: SeSystemEnvironmentPrivilege	2512	file1.exe
Token: SeChangeNotifyPrivilege	2512	file1.exe
Token: SeRemoteShutdownPrivilege	2512	file1.exe
Token: SeUndockPrivilege	2512	file1.exe
Token: SeManageVolumePrivilege	2512	file1.exe
Token: SeImpersonatePrivilege	2512	file1.exe
Token: SeCreateGlobalPrivilege	2512	file1.exe
Token: 33	2512	file1.exe
Token: 34	2512	file1.exe
Token: 35	2512	file1.exe
Token: SeIncreaseQuotaPrivilege	2724	IMDCSC.exe
Token: SeSecurityPrivilege	2724	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	2724	IMDCSC.exe
Token: SeLoadDriverPrivilege	2724	IMDCSC.exe
Token: SeSystemProfilePrivilege	2724	IMDCSC.exe
Token: SeSystemtimePrivilege	2724	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	2724	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	2724	IMDCSC.exe
Token: SeCreatePagefilePrivilege	2724	IMDCSC.exe
Token: SeBackupPrivilege	2724	IMDCSC.exe
Token: SeRestorePrivilege	2724	IMDCSC.exe
Token: SeShutdownPrivilege	2724	IMDCSC.exe
Token: SeDebugPrivilege	2724	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	2724	IMDCSC.exe
Token: SeChangeNotifyPrivilege	2724	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	2724	IMDCSC.exe
Token: SeUndockPrivilege	2724	IMDCSC.exe
Token: SeManageVolumePrivilege	2724	IMDCSC.exe
Token: SeImpersonatePrivilege	2724	IMDCSC.exe
Token: SeCreateGlobalPrivilege	2724	IMDCSC.exe
Token: 33	2724	IMDCSC.exe
Token: 34	2724	IMDCSC.exe
Token: 35	2724	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMDCSC.exe

pid process

2724 IMDCSC.exe

pid	process
2724	IMDCSC.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1977c2bdcaec144f08371608e0e7ee3a.exefile1.exe

description	pid	process	target process
PID 2100 wrote to memory of 2512	2100	1977c2bdcaec144f08371608e0e7ee3a.exe	file1.exe
PID 2100 wrote to memory of 2512	2100	1977c2bdcaec144f08371608e0e7ee3a.exe	file1.exe
PID 2100 wrote to memory of 2512	2100	1977c2bdcaec144f08371608e0e7ee3a.exe	file1.exe
PID 2100 wrote to memory of 2512	2100	1977c2bdcaec144f08371608e0e7ee3a.exe	file1.exe
PID 2512 wrote to memory of 2724	2512	file1.exe	IMDCSC.exe
PID 2512 wrote to memory of 2724	2512	file1.exe	IMDCSC.exe
PID 2512 wrote to memory of 2724	2512	file1.exe	IMDCSC.exe
PID 2512 wrote to memory of 2724	2512	file1.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\1977c2bdcaec144f08371608e0e7ee3a.exe
"C:\Users\Admin\AppData\Local\Temp\1977c2bdcaec144f08371608e0e7ee3a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Temp\file1.exe
C:\Users\Admin\AppData\Local\Temp\\file1.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file1.exe
Filesize
92KB

MD5
f241f3baf6881b6b57aca234a78505d0

SHA1
7f73a3c9c77e8cc49c51464e397d9d4de9713b48

SHA256
6d4987705bb1fff8882f30b5273e6f8c626e219efd973f43be7890a3dbec4769

SHA512
1bab695f31bb122e0fa3001603e0b50933aab1e58dbfdcc286f6a249b72a7eabd18e8b7f479754b17a7398fb6a9d3a47dada597b1fdae4a53a16880bee475f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\file1.exe
Filesize
93KB

MD5
8e92bfd20af69e47a31cf31cc0e69246

SHA1
5117fccf1098b5e5ca5900c79f8ec201d5e840aa

SHA256
73de315a695f05d920d8b9ec025bf18b04cabc9ffc16a8113b315ae010acac03

SHA512
690c43cc90f7b1a9d37494e14534122061c6cdcadfdc435dd2d906354f181c3065e238add4f1110723cb5686367376dff05c2457cd98f3d3c326589f672d725d

Download Submit
C:\Users\Admin\AppData\Local\Temp\file1.exe
Filesize
658KB

MD5
080817d63b20fbe25f84a5ce767ef18a

SHA1
8f34c9d2a4446721c5be37cab12ee051f93a391f

SHA256
489d5801d6a8ba1863aea1f35e0e61ecab50308a0c6ac531dada72be03d95f5a

SHA512
27cac4ee8a4b11512a0857ddccfad9db19551ce667316df11634f36ae0cdceea47854b70df773ba0b939596f9f210d799dbbe4b27967f1123797537b863c0685

Download Submit
memory/2100-0-0x000007FEF5310000-0x000007FEF5CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2100-2-0x000007FEF5310000-0x000007FEF5CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2100-3-0x0000000002040000-0x00000000020C0000-memory.dmp

Filesize
512KB

Download
memory/2100-1-0x0000000002040000-0x00000000020C0000-memory.dmp

Filesize
512KB

Download
memory/2100-21-0x000007FEF5310000-0x000007FEF5CAD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-24-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2512-10-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2724-26-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-31-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-22-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2724-27-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-28-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-29-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-30-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-33-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-34-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-35-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-37-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2724-38-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads