darkcomet | 6cf7e0d4a5c25a59425b81ffc18965e5b97776bb73968b704d7d40e19f23104f

General

Target

HELLO.unp.exe
Size

658KB
MD5

267094ebf6a54d3d49f534edae1cd2dc
SHA1

c160f42f2c8797f091e5ca82d81381f532b22587
SHA256

6cf7e0d4a5c25a59425b81ffc18965e5b97776bb73968b704d7d40e19f23104f
SHA512

04ce86f361b48d820b1f45942c8d440597dafe1fe7cebca0f9a7a5689050ce7278ac0cd5c3f0f4a309d2e2f344d58c1976345308617bc89ac1ddbce63348e623
SSDEEP

12288:f9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/:JZ1xuVVjfFoynPaVBUR8f+kN10Ed

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

lightttt.ddns.net:1604

Mutex

DCMIN_MUTEX-BJLBQY4

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
u03TbGe5ctBh
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

HELLO.unp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\DCSCMIN\\IMDCSC.exe"	HELLO.unp.exe

Executes dropped EXE 1 IoCs

Processes:

IMDCSC.exe

pid process

2028 IMDCSC.exe
Loads dropped DLL 2 IoCs

Processes:

HELLO.unp.exe

pid process

2972 HELLO.unp.exe
2972 HELLO.unp.exe

pid	process
2028	IMDCSC.exe

pid	process
2972	HELLO.unp.exe
2972	HELLO.unp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HELLO.unp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\DCSCMIN\\IMDCSC.exe"	HELLO.unp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

HELLO.unp.exeIMDCSC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2972	HELLO.unp.exe
Token: SeSecurityPrivilege	2972	HELLO.unp.exe
Token: SeTakeOwnershipPrivilege	2972	HELLO.unp.exe
Token: SeLoadDriverPrivilege	2972	HELLO.unp.exe
Token: SeSystemProfilePrivilege	2972	HELLO.unp.exe
Token: SeSystemtimePrivilege	2972	HELLO.unp.exe
Token: SeProfSingleProcessPrivilege	2972	HELLO.unp.exe
Token: SeIncBasePriorityPrivilege	2972	HELLO.unp.exe
Token: SeCreatePagefilePrivilege	2972	HELLO.unp.exe
Token: SeBackupPrivilege	2972	HELLO.unp.exe
Token: SeRestorePrivilege	2972	HELLO.unp.exe
Token: SeShutdownPrivilege	2972	HELLO.unp.exe
Token: SeDebugPrivilege	2972	HELLO.unp.exe
Token: SeSystemEnvironmentPrivilege	2972	HELLO.unp.exe
Token: SeChangeNotifyPrivilege	2972	HELLO.unp.exe
Token: SeRemoteShutdownPrivilege	2972	HELLO.unp.exe
Token: SeUndockPrivilege	2972	HELLO.unp.exe
Token: SeManageVolumePrivilege	2972	HELLO.unp.exe
Token: SeImpersonatePrivilege	2972	HELLO.unp.exe
Token: SeCreateGlobalPrivilege	2972	HELLO.unp.exe
Token: 33	2972	HELLO.unp.exe
Token: 34	2972	HELLO.unp.exe
Token: 35	2972	HELLO.unp.exe
Token: SeIncreaseQuotaPrivilege	2028	IMDCSC.exe
Token: SeSecurityPrivilege	2028	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	2028	IMDCSC.exe
Token: SeLoadDriverPrivilege	2028	IMDCSC.exe
Token: SeSystemProfilePrivilege	2028	IMDCSC.exe
Token: SeSystemtimePrivilege	2028	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	2028	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	2028	IMDCSC.exe
Token: SeCreatePagefilePrivilege	2028	IMDCSC.exe
Token: SeBackupPrivilege	2028	IMDCSC.exe
Token: SeRestorePrivilege	2028	IMDCSC.exe
Token: SeShutdownPrivilege	2028	IMDCSC.exe
Token: SeDebugPrivilege	2028	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	2028	IMDCSC.exe
Token: SeChangeNotifyPrivilege	2028	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	2028	IMDCSC.exe
Token: SeUndockPrivilege	2028	IMDCSC.exe
Token: SeManageVolumePrivilege	2028	IMDCSC.exe
Token: SeImpersonatePrivilege	2028	IMDCSC.exe
Token: SeCreateGlobalPrivilege	2028	IMDCSC.exe
Token: 33	2028	IMDCSC.exe
Token: 34	2028	IMDCSC.exe
Token: 35	2028	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMDCSC.exe

pid process

2028 IMDCSC.exe

pid	process
2028	IMDCSC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

HELLO.unp.exe

description	pid	process	target process
PID 2972 wrote to memory of 2028	2972	HELLO.unp.exe	IMDCSC.exe
PID 2972 wrote to memory of 2028	2972	HELLO.unp.exe	IMDCSC.exe
PID 2972 wrote to memory of 2028	2972	HELLO.unp.exe	IMDCSC.exe
PID 2972 wrote to memory of 2028	2972	HELLO.unp.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\HELLO.unp.exe
"C:\Users\Admin\AppData\Local\Temp\HELLO.unp.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972

C:\ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe
Filesize
658KB

MD5
267094ebf6a54d3d49f534edae1cd2dc

SHA1
c160f42f2c8797f091e5ca82d81381f532b22587

SHA256
6cf7e0d4a5c25a59425b81ffc18965e5b97776bb73968b704d7d40e19f23104f

SHA512
04ce86f361b48d820b1f45942c8d440597dafe1fe7cebca0f9a7a5689050ce7278ac0cd5c3f0f4a309d2e2f344d58c1976345308617bc89ac1ddbce63348e623

Download Submit
memory/2028-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2028-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2028-15-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2972-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2972-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads