darkcomet | 9637eb28918049462e11ed2cd4120331ef2f69fbd0b2fa0161a3677302f3581a

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0431fcc335792f97fe4660c5ba857fa7.exe
Size

659KB
MD5

0431fcc335792f97fe4660c5ba857fa7
SHA1

cc1a5bec1653f1661b3e4185a488d81fb6c97939
SHA256

9637eb28918049462e11ed2cd4120331ef2f69fbd0b2fa0161a3677302f3581a
SHA512

a1118c79ec6a73fb95c07f097c633c6321c10dcac6f480585818eb030bb91a702b2e316573a704ec2dbb2082a87ef3598d7d5d76d8b94ca89a31bb00609c8d29
SSDEEP

12288:EX2JVHMRtDaSm3TJvVNvWV5YTsY7tHwbz/htfcoCoK632zb7G/Q0X:Css2Sm39NNv9wY7tHwbzfIoK6Mof

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

127.0.0.1:1604

Mutex

DCMIN_MUTEX-4P9QREJ

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
aapwobi7GLgZ
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	0431fcc335792f97fe4660c5ba857fa7.exe

Executes dropped EXE 1 IoCs

pid	Process
2524	IMDCSC.exe

Loads dropped DLL 2 IoCs

pid	Process
2928	0431fcc335792f97fe4660c5ba857fa7.exe
2928	0431fcc335792f97fe4660c5ba857fa7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	0431fcc335792f97fe4660c5ba857fa7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeSecurityPrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeTakeOwnershipPrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeLoadDriverPrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeSystemProfilePrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeSystemtimePrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeProfSingleProcessPrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeIncBasePriorityPrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeCreatePagefilePrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeBackupPrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeRestorePrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeShutdownPrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeDebugPrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeSystemEnvironmentPrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeChangeNotifyPrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeRemoteShutdownPrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeUndockPrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeManageVolumePrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeImpersonatePrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeCreateGlobalPrivilege	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: 33	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: 34	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: 35	2928	0431fcc335792f97fe4660c5ba857fa7.exe
Token: SeIncreaseQuotaPrivilege	2524	IMDCSC.exe
Token: SeSecurityPrivilege	2524	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	2524	IMDCSC.exe
Token: SeLoadDriverPrivilege	2524	IMDCSC.exe
Token: SeSystemProfilePrivilege	2524	IMDCSC.exe
Token: SeSystemtimePrivilege	2524	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	2524	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	2524	IMDCSC.exe
Token: SeCreatePagefilePrivilege	2524	IMDCSC.exe
Token: SeBackupPrivilege	2524	IMDCSC.exe
Token: SeRestorePrivilege	2524	IMDCSC.exe
Token: SeShutdownPrivilege	2524	IMDCSC.exe
Token: SeDebugPrivilege	2524	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	2524	IMDCSC.exe
Token: SeChangeNotifyPrivilege	2524	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	2524	IMDCSC.exe
Token: SeUndockPrivilege	2524	IMDCSC.exe
Token: SeManageVolumePrivilege	2524	IMDCSC.exe
Token: SeImpersonatePrivilege	2524	IMDCSC.exe
Token: SeCreateGlobalPrivilege	2524	IMDCSC.exe
Token: 33	2524	IMDCSC.exe
Token: 34	2524	IMDCSC.exe
Token: 35	2524	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2524	IMDCSC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2524	2928	0431fcc335792f97fe4660c5ba857fa7.exe	28
PID 2928 wrote to memory of 2524	2928	0431fcc335792f97fe4660c5ba857fa7.exe	28
PID 2928 wrote to memory of 2524	2928	0431fcc335792f97fe4660c5ba857fa7.exe	28
PID 2928 wrote to memory of 2524	2928	0431fcc335792f97fe4660c5ba857fa7.exe	28

C:\Users\Admin\AppData\Local\Temp\0431fcc335792f97fe4660c5ba857fa7.exe
"C:\Users\Admin\AppData\Local\Temp\0431fcc335792f97fe4660c5ba857fa7.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
  "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\Documents\DCSCMIN\IMDCSC.exe

Filesize
659KB

MD5
0431fcc335792f97fe4660c5ba857fa7

SHA1
cc1a5bec1653f1661b3e4185a488d81fb6c97939

SHA256
9637eb28918049462e11ed2cd4120331ef2f69fbd0b2fa0161a3677302f3581a

SHA512
a1118c79ec6a73fb95c07f097c633c6321c10dcac6f480585818eb030bb91a702b2e316573a704ec2dbb2082a87ef3598d7d5d76d8b94ca89a31bb00609c8d29

Download Submit
memory/2524-11-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2524-12-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2524-14-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2928-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2928-10-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads