darkcomet | 27b67644170b08d57dcd8bb39d9b779632aad6697845015175e51e4801a42a5a

General

Target

b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Size

800KB
MD5

b6b6a5213f8b3e7ce5306cd069dcbf5e
SHA1

9991f4da8630039b84f4bf8c1b45fec898fa80b7
SHA256

27b67644170b08d57dcd8bb39d9b779632aad6697845015175e51e4801a42a5a
SHA512

bb0deacba3eeca40fe69990c30a9a3cee3d82052d895a50e7c92b461ca19ecf6c1109209763b6df4ea2fe9c3565c672fe63c7a11dfd9692ba71fae223eafb6ea
SSDEEP

12288:+f9tz7HqHG/niI+dExFzfPrwbg1llIfUls:+f7z7HqKsE+2lIff

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

speeed.hopto.org:147

Mutex

DC_MUTEX-HGY40HP

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
cNTlixxZgYma
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

b6b6a5213f8b3e7ce5306cd069dcbf5e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\cNTlixxZgYma\\msdcsc.exe"	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b6b6a5213f8b3e7ce5306cd069dcbf5e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\cNTlixxZgYma\\msdcsc.exe"	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

b6b6a5213f8b3e7ce5306cd069dcbf5e.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeSecurityPrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeTakeOwnershipPrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeLoadDriverPrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeSystemProfilePrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeSystemtimePrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeProfSingleProcessPrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeIncBasePriorityPrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeCreatePagefilePrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeBackupPrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeRestorePrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeShutdownPrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeDebugPrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeSystemEnvironmentPrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeChangeNotifyPrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeRemoteShutdownPrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeUndockPrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeManageVolumePrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeImpersonatePrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: SeCreateGlobalPrivilege	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: 33	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: 34	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: 35	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
Token: 36	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b6b6a5213f8b3e7ce5306cd069dcbf5e.exe

pid process

2992 b6b6a5213f8b3e7ce5306cd069dcbf5e.exe

pid	process
2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

b6b6a5213f8b3e7ce5306cd069dcbf5e.exe

description	pid	process	target process
PID 2992 wrote to memory of 4572	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe	iexplore.exe
PID 2992 wrote to memory of 4572	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe	iexplore.exe
PID 2992 wrote to memory of 4572	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe	iexplore.exe
PID 2992 wrote to memory of 4640	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe	explorer.exe
PID 2992 wrote to memory of 4640	2992	b6b6a5213f8b3e7ce5306cd069dcbf5e.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\b6b6a5213f8b3e7ce5306cd069dcbf5e.exe
"C:\Users\Admin\AppData\Local\Temp\b6b6a5213f8b3e7ce5306cd069dcbf5e.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:4572

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2992-0-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-3-0x0000000002270000-0x00000000022A9000-memory.dmp

Filesize
228KB

Download
memory/2992-2-0x0000000000780000-0x0000000000784000-memory.dmp

Filesize
16KB

Download
memory/2992-1-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-4-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/2992-5-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/2992-6-0x0000000076F62000-0x0000000076F63000-memory.dmp

Filesize
4KB

Download
memory/2992-7-0x0000000075ED0000-0x0000000075FC0000-memory.dmp

Filesize
960KB

Download
memory/2992-8-0x0000000076F63000-0x0000000076F64000-memory.dmp

Filesize
4KB

Download
memory/2992-9-0x0000000076F53000-0x0000000076F54000-memory.dmp

Filesize
4KB

Download
memory/2992-10-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/2992-11-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/2992-12-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-13-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2992-14-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-15-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-16-0x0000000002270000-0x00000000022A9000-memory.dmp

Filesize
228KB

Download
memory/2992-17-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/2992-18-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/2992-19-0x0000000075ED0000-0x0000000075FC0000-memory.dmp

Filesize
960KB

Download
memory/2992-20-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/2992-21-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-22-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-23-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-24-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-25-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-26-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-27-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-28-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-29-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-30-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-31-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-32-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-33-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2992-34-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads