darkcomet | 25e21ed65dbb774bf9ba33bc6ed82ada407e2e47d9333bf983aadcef5ae6828a

General

Target

9fc730001f0b9de1015cb0544c3cc775.exe
Size

1.2MB
MD5

9fc730001f0b9de1015cb0544c3cc775
SHA1

180cafcff5843da1bb4e6b898007352bd8f7422a
SHA256

25e21ed65dbb774bf9ba33bc6ed82ada407e2e47d9333bf983aadcef5ae6828a
SHA512

89e0b6fb131af80a313fc6c4ef61e937b46173b75f868f1110cf8b3724b9503c62c205c5a2509edae0ada6cfc6a56e6d078ca8c4f1d20e3f6b680be4b3377302
SSDEEP

24576:RmJuqft9oiO8jrzI1LmpqoTYo7IOUAF7/cfg/c10tcT4QqiBmxf0:RmleejUm4Lsxc

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

alrdmh1.no-ip.info:1604

Mutex

DC_MUTEX-T32EFR2

Attributes

InstallPath
MSDCSC\ssms.exe
gencode
d3jVJWfh6uR6
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

9fc730001f0b9de1015cb0544c3cc775.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\ssms.exe"	9fc730001f0b9de1015cb0544c3cc775.exe

Executes dropped EXE 2 IoCs

Processes:

ssms.exessms.exe

pid process

2812 ssms.exe
2640 ssms.exe
Loads dropped DLL 2 IoCs

Processes:

9fc730001f0b9de1015cb0544c3cc775.exe

pid process

2316 9fc730001f0b9de1015cb0544c3cc775.exe
2316 9fc730001f0b9de1015cb0544c3cc775.exe

pid	process
2812	ssms.exe
2640	ssms.exe

pid	process
2316	9fc730001f0b9de1015cb0544c3cc775.exe
2316	9fc730001f0b9de1015cb0544c3cc775.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9fc730001f0b9de1015cb0544c3cc775.exessms.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\ssms.exe"	9fc730001f0b9de1015cb0544c3cc775.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\ssms.exe"	ssms.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9fc730001f0b9de1015cb0544c3cc775.exessms.exe

description	pid	process	target process
PID 2296 set thread context of 2316	2296	9fc730001f0b9de1015cb0544c3cc775.exe	9fc730001f0b9de1015cb0544c3cc775.exe
PID 2812 set thread context of 2640	2812	ssms.exe	ssms.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ssms.exe

pid process

2640 ssms.exe

pid	process
2640	ssms.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

9fc730001f0b9de1015cb0544c3cc775.exessms.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeSecurityPrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeTakeOwnershipPrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeLoadDriverPrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeSystemProfilePrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeSystemtimePrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeProfSingleProcessPrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeIncBasePriorityPrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeCreatePagefilePrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeBackupPrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeRestorePrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeShutdownPrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeDebugPrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeSystemEnvironmentPrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeChangeNotifyPrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeRemoteShutdownPrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeUndockPrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeManageVolumePrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeImpersonatePrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeCreateGlobalPrivilege	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: 33	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: 34	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: 35	2316	9fc730001f0b9de1015cb0544c3cc775.exe
Token: SeIncreaseQuotaPrivilege	2640	ssms.exe
Token: SeSecurityPrivilege	2640	ssms.exe
Token: SeTakeOwnershipPrivilege	2640	ssms.exe
Token: SeLoadDriverPrivilege	2640	ssms.exe
Token: SeSystemProfilePrivilege	2640	ssms.exe
Token: SeSystemtimePrivilege	2640	ssms.exe
Token: SeProfSingleProcessPrivilege	2640	ssms.exe
Token: SeIncBasePriorityPrivilege	2640	ssms.exe
Token: SeCreatePagefilePrivilege	2640	ssms.exe
Token: SeBackupPrivilege	2640	ssms.exe
Token: SeRestorePrivilege	2640	ssms.exe
Token: SeShutdownPrivilege	2640	ssms.exe
Token: SeDebugPrivilege	2640	ssms.exe
Token: SeSystemEnvironmentPrivilege	2640	ssms.exe
Token: SeChangeNotifyPrivilege	2640	ssms.exe
Token: SeRemoteShutdownPrivilege	2640	ssms.exe
Token: SeUndockPrivilege	2640	ssms.exe
Token: SeManageVolumePrivilege	2640	ssms.exe
Token: SeImpersonatePrivilege	2640	ssms.exe
Token: SeCreateGlobalPrivilege	2640	ssms.exe
Token: 33	2640	ssms.exe
Token: 34	2640	ssms.exe
Token: 35	2640	ssms.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ssms.exe

pid process

2640 ssms.exe

pid	process
2640	ssms.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

9fc730001f0b9de1015cb0544c3cc775.exe9fc730001f0b9de1015cb0544c3cc775.exessms.exe

description	pid	process	target process
PID 2296 wrote to memory of 2316	2296	9fc730001f0b9de1015cb0544c3cc775.exe	9fc730001f0b9de1015cb0544c3cc775.exe
PID 2296 wrote to memory of 2316	2296	9fc730001f0b9de1015cb0544c3cc775.exe	9fc730001f0b9de1015cb0544c3cc775.exe
PID 2296 wrote to memory of 2316	2296	9fc730001f0b9de1015cb0544c3cc775.exe	9fc730001f0b9de1015cb0544c3cc775.exe
PID 2296 wrote to memory of 2316	2296	9fc730001f0b9de1015cb0544c3cc775.exe	9fc730001f0b9de1015cb0544c3cc775.exe
PID 2296 wrote to memory of 2316	2296	9fc730001f0b9de1015cb0544c3cc775.exe	9fc730001f0b9de1015cb0544c3cc775.exe
PID 2296 wrote to memory of 2316	2296	9fc730001f0b9de1015cb0544c3cc775.exe	9fc730001f0b9de1015cb0544c3cc775.exe
PID 2296 wrote to memory of 2316	2296	9fc730001f0b9de1015cb0544c3cc775.exe	9fc730001f0b9de1015cb0544c3cc775.exe
PID 2296 wrote to memory of 2316	2296	9fc730001f0b9de1015cb0544c3cc775.exe	9fc730001f0b9de1015cb0544c3cc775.exe
PID 2296 wrote to memory of 2316	2296	9fc730001f0b9de1015cb0544c3cc775.exe	9fc730001f0b9de1015cb0544c3cc775.exe
PID 2296 wrote to memory of 2316	2296	9fc730001f0b9de1015cb0544c3cc775.exe	9fc730001f0b9de1015cb0544c3cc775.exe
PID 2296 wrote to memory of 2316	2296	9fc730001f0b9de1015cb0544c3cc775.exe	9fc730001f0b9de1015cb0544c3cc775.exe
PID 2296 wrote to memory of 2316	2296	9fc730001f0b9de1015cb0544c3cc775.exe	9fc730001f0b9de1015cb0544c3cc775.exe
PID 2296 wrote to memory of 2316	2296	9fc730001f0b9de1015cb0544c3cc775.exe	9fc730001f0b9de1015cb0544c3cc775.exe
PID 2316 wrote to memory of 2812	2316	9fc730001f0b9de1015cb0544c3cc775.exe	ssms.exe
PID 2316 wrote to memory of 2812	2316	9fc730001f0b9de1015cb0544c3cc775.exe	ssms.exe
PID 2316 wrote to memory of 2812	2316	9fc730001f0b9de1015cb0544c3cc775.exe	ssms.exe
PID 2316 wrote to memory of 2812	2316	9fc730001f0b9de1015cb0544c3cc775.exe	ssms.exe
PID 2812 wrote to memory of 2640	2812	ssms.exe	ssms.exe
PID 2812 wrote to memory of 2640	2812	ssms.exe	ssms.exe
PID 2812 wrote to memory of 2640	2812	ssms.exe	ssms.exe
PID 2812 wrote to memory of 2640	2812	ssms.exe	ssms.exe
PID 2812 wrote to memory of 2640	2812	ssms.exe	ssms.exe
PID 2812 wrote to memory of 2640	2812	ssms.exe	ssms.exe
PID 2812 wrote to memory of 2640	2812	ssms.exe	ssms.exe
PID 2812 wrote to memory of 2640	2812	ssms.exe	ssms.exe
PID 2812 wrote to memory of 2640	2812	ssms.exe	ssms.exe
PID 2812 wrote to memory of 2640	2812	ssms.exe	ssms.exe
PID 2812 wrote to memory of 2640	2812	ssms.exe	ssms.exe
PID 2812 wrote to memory of 2640	2812	ssms.exe	ssms.exe
PID 2812 wrote to memory of 2640	2812	ssms.exe	ssms.exe

C:\Users\Admin\AppData\Local\Temp\9fc730001f0b9de1015cb0544c3cc775.exe
"C:\Users\Admin\AppData\Local\Temp\9fc730001f0b9de1015cb0544c3cc775.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Local\Temp\9fc730001f0b9de1015cb0544c3cc775.exe
C:\Users\Admin\AppData\Local\Temp\9fc730001f0b9de1015cb0544c3cc775.exe
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\Documents\MSDCSC\ssms.exe
"C:\Users\Admin\Documents\MSDCSC\ssms.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\Documents\MSDCSC\ssms.exe
C:\Users\Admin\Documents\MSDCSC\ssms.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\ssms.exe
Filesize
1.2MB

MD5
9fc730001f0b9de1015cb0544c3cc775

SHA1
180cafcff5843da1bb4e6b898007352bd8f7422a

SHA256
25e21ed65dbb774bf9ba33bc6ed82ada407e2e47d9333bf983aadcef5ae6828a

SHA512
89e0b6fb131af80a313fc6c4ef61e937b46173b75f868f1110cf8b3724b9503c62c205c5a2509edae0ada6cfc6a56e6d078ca8c4f1d20e3f6b680be4b3377302

Download Submit
memory/2296-30-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2296-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2316-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2316-29-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2316-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2316-15-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2316-19-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2316-22-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2316-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2316-44-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2316-25-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2316-31-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2316-32-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2316-11-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2316-1-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2316-3-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2640-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2640-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2640-78-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2812-75-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2812-43-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads