darkcomet | 6cf7e0d4a5c25a59425b81ffc18965e5b97776bb73968b704d7d40e19f23104f

General

Target

HELLO.unp.exe
Size

658KB
MD5

267094ebf6a54d3d49f534edae1cd2dc
SHA1

c160f42f2c8797f091e5ca82d81381f532b22587
SHA256

6cf7e0d4a5c25a59425b81ffc18965e5b97776bb73968b704d7d40e19f23104f
SHA512

04ce86f361b48d820b1f45942c8d440597dafe1fe7cebca0f9a7a5689050ce7278ac0cd5c3f0f4a309d2e2f344d58c1976345308617bc89ac1ddbce63348e623
SSDEEP

12288:f9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9EkNC/:JZ1xuVVjfFoynPaVBUR8f+kN10Ed

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

lightttt.ddns.net:1604

Mutex

DCMIN_MUTEX-BJLBQY4

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
u03TbGe5ctBh
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

HELLO.unp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\DCSCMIN\\IMDCSC.exe"	HELLO.unp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HELLO.unp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	HELLO.unp.exe

Executes dropped EXE 1 IoCs

Processes:

IMDCSC.exe

pid process

992 IMDCSC.exe

pid	process
992	IMDCSC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HELLO.unp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\DCSCMIN\\IMDCSC.exe"	HELLO.unp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

HELLO.unp.exeIMDCSC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3572	HELLO.unp.exe
Token: SeSecurityPrivilege	3572	HELLO.unp.exe
Token: SeTakeOwnershipPrivilege	3572	HELLO.unp.exe
Token: SeLoadDriverPrivilege	3572	HELLO.unp.exe
Token: SeSystemProfilePrivilege	3572	HELLO.unp.exe
Token: SeSystemtimePrivilege	3572	HELLO.unp.exe
Token: SeProfSingleProcessPrivilege	3572	HELLO.unp.exe
Token: SeIncBasePriorityPrivilege	3572	HELLO.unp.exe
Token: SeCreatePagefilePrivilege	3572	HELLO.unp.exe
Token: SeBackupPrivilege	3572	HELLO.unp.exe
Token: SeRestorePrivilege	3572	HELLO.unp.exe
Token: SeShutdownPrivilege	3572	HELLO.unp.exe
Token: SeDebugPrivilege	3572	HELLO.unp.exe
Token: SeSystemEnvironmentPrivilege	3572	HELLO.unp.exe
Token: SeChangeNotifyPrivilege	3572	HELLO.unp.exe
Token: SeRemoteShutdownPrivilege	3572	HELLO.unp.exe
Token: SeUndockPrivilege	3572	HELLO.unp.exe
Token: SeManageVolumePrivilege	3572	HELLO.unp.exe
Token: SeImpersonatePrivilege	3572	HELLO.unp.exe
Token: SeCreateGlobalPrivilege	3572	HELLO.unp.exe
Token: 33	3572	HELLO.unp.exe
Token: 34	3572	HELLO.unp.exe
Token: 35	3572	HELLO.unp.exe
Token: 36	3572	HELLO.unp.exe
Token: SeIncreaseQuotaPrivilege	992	IMDCSC.exe
Token: SeSecurityPrivilege	992	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	992	IMDCSC.exe
Token: SeLoadDriverPrivilege	992	IMDCSC.exe
Token: SeSystemProfilePrivilege	992	IMDCSC.exe
Token: SeSystemtimePrivilege	992	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	992	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	992	IMDCSC.exe
Token: SeCreatePagefilePrivilege	992	IMDCSC.exe
Token: SeBackupPrivilege	992	IMDCSC.exe
Token: SeRestorePrivilege	992	IMDCSC.exe
Token: SeShutdownPrivilege	992	IMDCSC.exe
Token: SeDebugPrivilege	992	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	992	IMDCSC.exe
Token: SeChangeNotifyPrivilege	992	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	992	IMDCSC.exe
Token: SeUndockPrivilege	992	IMDCSC.exe
Token: SeManageVolumePrivilege	992	IMDCSC.exe
Token: SeImpersonatePrivilege	992	IMDCSC.exe
Token: SeCreateGlobalPrivilege	992	IMDCSC.exe
Token: 33	992	IMDCSC.exe
Token: 34	992	IMDCSC.exe
Token: 35	992	IMDCSC.exe
Token: 36	992	IMDCSC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMDCSC.exe

pid process

992 IMDCSC.exe

pid	process
992	IMDCSC.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

HELLO.unp.exe

description	pid	process	target process
PID 3572 wrote to memory of 992	3572	HELLO.unp.exe	IMDCSC.exe
PID 3572 wrote to memory of 992	3572	HELLO.unp.exe	IMDCSC.exe
PID 3572 wrote to memory of 992	3572	HELLO.unp.exe	IMDCSC.exe

C:\Users\Admin\AppData\Local\Temp\HELLO.unp.exe
"C:\Users\Admin\AppData\Local\Temp\HELLO.unp.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572

C:\ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2132,i,4018525042804461719,1997165676266557055,262144 --variations-seed-version /prefetch:8
1⤵
PID:4004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\DCSCMIN\IMDCSC.exe
Filesize
658KB

MD5
267094ebf6a54d3d49f534edae1cd2dc

SHA1
c160f42f2c8797f091e5ca82d81381f532b22587

SHA256
6cf7e0d4a5c25a59425b81ffc18965e5b97776bb73968b704d7d40e19f23104f

SHA512
04ce86f361b48d820b1f45942c8d440597dafe1fe7cebca0f9a7a5689050ce7278ac0cd5c3f0f4a309d2e2f344d58c1976345308617bc89ac1ddbce63348e623

Download Submit
memory/992-12-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/992-14-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/992-16-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3572-0-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/3572-13-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads