darkcomet | 7da760265773acb56206463de01f699ab9316c53456f8d3bdb18db51bfd36a0e

General

Target

95a0aae8a7984d30a627a9838acd5434.exe
Size

918KB
MD5

95a0aae8a7984d30a627a9838acd5434
SHA1

31c5e330f02018243b7252b2a8d7be986a3731e5
SHA256

7da760265773acb56206463de01f699ab9316c53456f8d3bdb18db51bfd36a0e
SHA512

af6640b7bb357c1c96f8a33a61d36dae35ffc91d54c0c2e6e5fbf0d9b7c9cf3de2a960cde18047d44b7a895f6cadd3420bee08f52feb14906193899f15196bf7
SSDEEP

12288:rkzu/UrGcXu2Dvy1ThzF6bWEhLWkWo41Z6tlpFe5vyDmSljuI9MK:Icosz6bWEhq8Ne5aDpFuuf

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

127.0.0.1:1604

Mutex

DCMIN_MUTEX-72R2FVV

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
ojiVYv2dmChl
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Service.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	Service.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Service.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	Service.exe

Executes dropped EXE 2 IoCs

Processes:

Service.exeIMDCSC.exe

pid process

1208 Service.exe
2560 IMDCSC.exe

pid	process
1208	Service.exe
2560	IMDCSC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Service.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	Service.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

95a0aae8a7984d30a627a9838acd5434.exe

description pid process target process

PID 4076 set thread context of 1208 4076 95a0aae8a7984d30a627a9838acd5434.exe Service.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4076 set thread context of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

Service.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1208	Service.exe
Token: SeSecurityPrivilege	1208	Service.exe
Token: SeTakeOwnershipPrivilege	1208	Service.exe
Token: SeLoadDriverPrivilege	1208	Service.exe
Token: SeSystemProfilePrivilege	1208	Service.exe
Token: SeSystemtimePrivilege	1208	Service.exe
Token: SeProfSingleProcessPrivilege	1208	Service.exe
Token: SeIncBasePriorityPrivilege	1208	Service.exe
Token: SeCreatePagefilePrivilege	1208	Service.exe
Token: SeBackupPrivilege	1208	Service.exe
Token: SeRestorePrivilege	1208	Service.exe
Token: SeShutdownPrivilege	1208	Service.exe
Token: SeDebugPrivilege	1208	Service.exe
Token: SeSystemEnvironmentPrivilege	1208	Service.exe
Token: SeChangeNotifyPrivilege	1208	Service.exe
Token: SeRemoteShutdownPrivilege	1208	Service.exe
Token: SeUndockPrivilege	1208	Service.exe
Token: SeManageVolumePrivilege	1208	Service.exe
Token: SeImpersonatePrivilege	1208	Service.exe
Token: SeCreateGlobalPrivilege	1208	Service.exe
Token: 33	1208	Service.exe
Token: 34	1208	Service.exe
Token: 35	1208	Service.exe
Token: 36	1208	Service.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

95a0aae8a7984d30a627a9838acd5434.exeService.exe

description	pid	process	target process
PID 4076 wrote to memory of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe
PID 4076 wrote to memory of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe
PID 4076 wrote to memory of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe
PID 4076 wrote to memory of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe
PID 4076 wrote to memory of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe
PID 4076 wrote to memory of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe
PID 4076 wrote to memory of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe
PID 4076 wrote to memory of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe
PID 4076 wrote to memory of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe
PID 4076 wrote to memory of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe
PID 4076 wrote to memory of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe
PID 4076 wrote to memory of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe
PID 4076 wrote to memory of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe
PID 4076 wrote to memory of 1208	4076	95a0aae8a7984d30a627a9838acd5434.exe	Service.exe
PID 1208 wrote to memory of 2560	1208	Service.exe	IMDCSC.exe
PID 1208 wrote to memory of 2560	1208	Service.exe	IMDCSC.exe
PID 1208 wrote to memory of 2560	1208	Service.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\95a0aae8a7984d30a627a9838acd5434.exe
"C:\Users\Admin\AppData\Local\Temp\95a0aae8a7984d30a627a9838acd5434.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Temp\plugtemp\Service.exe
C:\Users\Admin\AppData\Local\Temp\\plugtemp\Service.exe
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
3⤵
- Executes dropped EXE
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\plugtemp\Service.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1208-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1208-9-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1208-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1208-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1208-13-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1208-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4076-0-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/4076-1-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/4076-2-0x0000000001530000-0x0000000001540000-memory.dmp

Filesize
64KB

Download
memory/4076-28-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads