darkcomet | 21e6c4cc8f7785a4d0c8f312cbdf5219d24a0f1176a144d109f91cc427a062f7

General

Target

1977c2bdcaec144f08371608e0e7ee3a.exe
Size

1.4MB
MD5

1977c2bdcaec144f08371608e0e7ee3a
SHA1

2e98c250c112b6479673c6fac4c130bf1e45287d
SHA256

21e6c4cc8f7785a4d0c8f312cbdf5219d24a0f1176a144d109f91cc427a062f7
SHA512

2be17328024380a1718adcb587485a778e1d463a9b911efeccba881030d9db8f175f4ec511abb562a2d5ea5dc7bce317452eede45e79646c69350fe0e026b1d7
SSDEEP

24576:hh0r/k3pEdZWmRO56tTl6UMs0VbEGZ88TUM+b1ImBsz06xz:k9AGMZZxz

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

testme123.no-ip.biz:82

Mutex

DCMIN_MUTEX-EVANRM5

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
3ozW3J5fvJ1y
install
true
offline_keylogger
true
persistence
false
reg_key
Update

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

file1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	file1.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file1.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation file1.exe
Executes dropped EXE 2 IoCs

Processes:

file1.exeIMDCSC.exe

pid process

1620 file1.exe
764 IMDCSC.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	file1.exe

pid	process
1620	file1.exe
764	IMDCSC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	file1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

file1.exeIMDCSC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1620	file1.exe
Token: SeSecurityPrivilege	1620	file1.exe
Token: SeTakeOwnershipPrivilege	1620	file1.exe
Token: SeLoadDriverPrivilege	1620	file1.exe
Token: SeSystemProfilePrivilege	1620	file1.exe
Token: SeSystemtimePrivilege	1620	file1.exe
Token: SeProfSingleProcessPrivilege	1620	file1.exe
Token: SeIncBasePriorityPrivilege	1620	file1.exe
Token: SeCreatePagefilePrivilege	1620	file1.exe
Token: SeBackupPrivilege	1620	file1.exe
Token: SeRestorePrivilege	1620	file1.exe
Token: SeShutdownPrivilege	1620	file1.exe
Token: SeDebugPrivilege	1620	file1.exe
Token: SeSystemEnvironmentPrivilege	1620	file1.exe
Token: SeChangeNotifyPrivilege	1620	file1.exe
Token: SeRemoteShutdownPrivilege	1620	file1.exe
Token: SeUndockPrivilege	1620	file1.exe
Token: SeManageVolumePrivilege	1620	file1.exe
Token: SeImpersonatePrivilege	1620	file1.exe
Token: SeCreateGlobalPrivilege	1620	file1.exe
Token: 33	1620	file1.exe
Token: 34	1620	file1.exe
Token: 35	1620	file1.exe
Token: 36	1620	file1.exe
Token: SeIncreaseQuotaPrivilege	764	IMDCSC.exe
Token: SeSecurityPrivilege	764	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	764	IMDCSC.exe
Token: SeLoadDriverPrivilege	764	IMDCSC.exe
Token: SeSystemProfilePrivilege	764	IMDCSC.exe
Token: SeSystemtimePrivilege	764	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	764	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	764	IMDCSC.exe
Token: SeCreatePagefilePrivilege	764	IMDCSC.exe
Token: SeBackupPrivilege	764	IMDCSC.exe
Token: SeRestorePrivilege	764	IMDCSC.exe
Token: SeShutdownPrivilege	764	IMDCSC.exe
Token: SeDebugPrivilege	764	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	764	IMDCSC.exe
Token: SeChangeNotifyPrivilege	764	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	764	IMDCSC.exe
Token: SeUndockPrivilege	764	IMDCSC.exe
Token: SeManageVolumePrivilege	764	IMDCSC.exe
Token: SeImpersonatePrivilege	764	IMDCSC.exe
Token: SeCreateGlobalPrivilege	764	IMDCSC.exe
Token: 33	764	IMDCSC.exe
Token: 34	764	IMDCSC.exe
Token: 35	764	IMDCSC.exe
Token: 36	764	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMDCSC.exe

pid process

764 IMDCSC.exe

pid	process
764	IMDCSC.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1977c2bdcaec144f08371608e0e7ee3a.exefile1.exe

description	pid	process	target process
PID 896 wrote to memory of 1620	896	1977c2bdcaec144f08371608e0e7ee3a.exe	file1.exe
PID 896 wrote to memory of 1620	896	1977c2bdcaec144f08371608e0e7ee3a.exe	file1.exe
PID 896 wrote to memory of 1620	896	1977c2bdcaec144f08371608e0e7ee3a.exe	file1.exe
PID 1620 wrote to memory of 764	1620	file1.exe	IMDCSC.exe
PID 1620 wrote to memory of 764	1620	file1.exe	IMDCSC.exe
PID 1620 wrote to memory of 764	1620	file1.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\1977c2bdcaec144f08371608e0e7ee3a.exe
"C:\Users\Admin\AppData\Local\Temp\1977c2bdcaec144f08371608e0e7ee3a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:896

C:\Users\Admin\AppData\Local\Temp\file1.exe
C:\Users\Admin\AppData\Local\Temp\\file1.exe
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file1.exe
Filesize
532KB

MD5
47f3533e3430bb92649f60ffae3d5ca8

SHA1
75c1358af233565abdd02e6c68c7f9b55a00a8f6

SHA256
c936018fe9e638c296b7fe45ff83badfe83922d70cd0269813492ebd8e762a87

SHA512
fb6466e123d66199bda176e1be3eb47739b514e8a2dc8067bc8864b79e62dc959ac6a6a807d0c865a082b04d9be4cdc5a6af38dfb286c65e452e8fa8d25c281b

Download Submit
C:\Users\Admin\AppData\Local\Temp\file1.exe
Filesize
552KB

MD5
ca492c1580967296bfc11b8eca52468e

SHA1
f479ef3c1346de0c9cde26da9b2d40ae8bb507bc

SHA256
e1d6401a47cfe8de8ef09611a7f09b54e9d22e3b68ef44fb25da86197cf2952b

SHA512
bff7d1b9c25eb30a035cdb18af33da9d928a1e0a30b8b73ddd0ac1b6647e2cc29c6a9ef93a43cef7aaab725db15e42c4decc619b551b06cc4cfac70b6e7de977

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
138KB

MD5
7e8c592a2a44d530fa0eab0a252bc879

SHA1
43830209470df4d3795014ed9846ee8cb6039d4f

SHA256
79ca9ae8fd6ef5f788968159c4a9c9d1990de9c724f5a0ef911a68939f2d2ff8

SHA512
3b926aedb9a433816cc325f8a5f2e5a1e254853b636c83aa0a934964d2e49b82af35e5cbde37f3f814fa56c2902cdc3bfcbca4e2f89b2e5f26a0a0708f0bf2a9

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
53KB

MD5
38590c295fad7bf05fb661cc45bc746e

SHA1
172e78fff9186efcfe589d7f0cabfa9544959bd0

SHA256
befa0cc67286596550d087c58d56e50f132598e92ea2919cc773ccc86d162923

SHA512
08ce925cb53c51e6799e7d9d26bc1294726c17e24d3bc0db1e167d2566f7bc6f08e63cea67da5533156e7add97230ac06b3ea47233aa94a70461b1e4a503a19b

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
61KB

MD5
cfa387b936f38ca936b7dae663398381

SHA1
c8262cd69bf546cba1742a6275a1fcc58684c40a

SHA256
ee8c27dbefd5991f114d71f233e60b62c7587015e014ee46c83974d82a3bea61

SHA512
0a9003d5892cc09de990755ef3511cfc124f4a5a34d68391b71c05f52f268a5da293053fc6270ffe6da09ed74cc290c80314cb23b9aaa31835a8c33e09bdf7ff

Download Submit
memory/764-35-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/764-38-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/764-43-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/764-42-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/764-41-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/764-40-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/764-39-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/764-31-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/764-37-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/764-36-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/764-34-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/764-33-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/764-28-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/764-32-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/764-30-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/896-0-0x00007FFDB1860000-0x00007FFDB2201000-memory.dmp

Filesize
9.6MB

Download
memory/896-1-0x00007FFDB1860000-0x00007FFDB2201000-memory.dmp

Filesize
9.6MB

Download
memory/896-2-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/896-6-0x0000000000F20000-0x0000000000F28000-memory.dmp

Filesize
32KB

Download
memory/896-3-0x000000001B960000-0x000000001BA06000-memory.dmp

Filesize
664KB

Download
memory/896-16-0x00007FFDB1860000-0x00007FFDB2201000-memory.dmp

Filesize
9.6MB

Download
memory/896-15-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/896-4-0x000000001BEE0000-0x000000001C3AE000-memory.dmp

Filesize
4.8MB

Download
memory/896-5-0x000000001C450000-0x000000001C4EC000-memory.dmp

Filesize
624KB

Download
memory/896-8-0x0000000000F40000-0x0000000000F50000-memory.dmp

Filesize
64KB

Download
memory/896-7-0x000000001C4F0000-0x000000001C53C000-memory.dmp

Filesize
304KB

Download
memory/1620-29-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1620-13-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads