darkcomet | 5b01cd848be1f1a8c9a3ed3aa59508be568abeaef19b287c200fe18723783ed1

General

Target

50e93ac55ff74b46be448f4adf103c43.exe
Size

692KB
MD5

50e93ac55ff74b46be448f4adf103c43
SHA1

b517f5f669048508ac90bbc662b6af9066fd3ff9
SHA256

5b01cd848be1f1a8c9a3ed3aa59508be568abeaef19b287c200fe18723783ed1
SHA512

38eed2dfe534551daae8322b1b9cff1dd141564d6dd1761b934871effd6a498af8e3781bade3105e135aaedc7696c0a3c8d9bc773862d9b9536b6a30cda746a3
SSDEEP

12288:8XhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452U3:qnAw2WWeFcfbP9VPSPMTSPL/rWvzq4Jn

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

gehackt.no-ip.org:1604

gehackt.no-ip.org:3389

Mutex

DC_MUTEX-F3NGXVX

Attributes

InstallPath
MSDCSC\svchost.exe
gencode
97X125MJWil4
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\svchost.exe"	50e93ac55ff74b46be448f4adf103c43.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2540	attrib.exe
2648	attrib.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\svchost.exe"	50e93ac55ff74b46be448f4adf103c43.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeSecurityPrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeTakeOwnershipPrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeLoadDriverPrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeSystemProfilePrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeSystemtimePrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeProfSingleProcessPrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeIncBasePriorityPrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeCreatePagefilePrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeBackupPrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeRestorePrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeShutdownPrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeDebugPrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeSystemEnvironmentPrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeChangeNotifyPrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeRemoteShutdownPrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeUndockPrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeManageVolumePrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeImpersonatePrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: SeCreateGlobalPrivilege	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: 33	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: 34	2352	50e93ac55ff74b46be448f4adf103c43.exe
Token: 35	2352	50e93ac55ff74b46be448f4adf103c43.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2528	2352	50e93ac55ff74b46be448f4adf103c43.exe	23
PID 2352 wrote to memory of 2528	2352	50e93ac55ff74b46be448f4adf103c43.exe	23
PID 2352 wrote to memory of 2528	2352	50e93ac55ff74b46be448f4adf103c43.exe	23
PID 2352 wrote to memory of 2528	2352	50e93ac55ff74b46be448f4adf103c43.exe	23
PID 2352 wrote to memory of 2904	2352	50e93ac55ff74b46be448f4adf103c43.exe	22
PID 2352 wrote to memory of 2904	2352	50e93ac55ff74b46be448f4adf103c43.exe	22
PID 2352 wrote to memory of 2904	2352	50e93ac55ff74b46be448f4adf103c43.exe	22
PID 2352 wrote to memory of 2904	2352	50e93ac55ff74b46be448f4adf103c43.exe	22
PID 2352 wrote to memory of 2988	2352	50e93ac55ff74b46be448f4adf103c43.exe	20
PID 2352 wrote to memory of 2988	2352	50e93ac55ff74b46be448f4adf103c43.exe	20
PID 2352 wrote to memory of 2988	2352	50e93ac55ff74b46be448f4adf103c43.exe	20
PID 2352 wrote to memory of 2988	2352	50e93ac55ff74b46be448f4adf103c43.exe	20
PID 2352 wrote to memory of 2988	2352	50e93ac55ff74b46be448f4adf103c43.exe	20
PID 2352 wrote to memory of 2988	2352	50e93ac55ff74b46be448f4adf103c43.exe	20
PID 2352 wrote to memory of 2988	2352	50e93ac55ff74b46be448f4adf103c43.exe	20
PID 2352 wrote to memory of 2988	2352	50e93ac55ff74b46be448f4adf103c43.exe	20
PID 2352 wrote to memory of 2988	2352	50e93ac55ff74b46be448f4adf103c43.exe	20
PID 2352 wrote to memory of 2988	2352	50e93ac55ff74b46be448f4adf103c43.exe	20
PID 2352 wrote to memory of 2988	2352	50e93ac55ff74b46be448f4adf103c43.exe	20

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2540	attrib.exe
2648	attrib.exe

C:\Users\Admin\AppData\Local\Temp\50e93ac55ff74b46be448f4adf103c43.exe
"C:\Users\Admin\AppData\Local\Temp\50e93ac55ff74b46be448f4adf103c43.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe"
  2⤵
  PID:2864
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  PID:2988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  PID:2904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\50e93ac55ff74b46be448f4adf103c43.exe" +s +h
  2⤵
  PID:2528

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2540

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\50e93ac55ff74b46be448f4adf103c43.exe" +s +h
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2648

C:\Windows\SysWOW64\notepad.exe
notepad
1⤵
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe

Filesize
17KB

MD5
27e5cd940bd8c5cb530d15fa0a3a71f5

SHA1
fa72e9b0c65c56ab6987b8693d7bfb49e5af3d3c

SHA256
d97fcf6de78f37e336f30f8e77d3e0129152e3204a90290345ff546404c8bcb1

SHA512
2e201c60dae1482c773795dd9c56aa39f627acc921faa58f8c239bbb01db42514ac8fd0e789997d4bb6070e38ab1500614a526f2b7fdd87f09089f8c4a4bf5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\svchost.exe

Filesize
1KB

MD5
13995d5c87980ca6345c2a704c871d5d

SHA1
c50fc1a228cadb5622e7f5af583ea08a9a25eb36

SHA256
a059348fc13652558825f65c86c39cb50b5f74fc3be8d815bedc5e92a48fd2d1

SHA512
ddf2e35e542e3cc7efc4079f876cf4ef47271c41a5a6d42584db4fbb34efb2df9a2dd4f5abffd6edc4f83090f4302bc3840bd54f7969a7e991d8ce387aec183a

Download Submit
memory/2352-0-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2352-29-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2848-58-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2864-61-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2864-66-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2864-73-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2864-60-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2864-72-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2864-62-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2864-63-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2864-64-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2864-65-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2864-30-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2864-67-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2864-68-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2864-69-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2864-70-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2864-71-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2988-20-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2988-3-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads