darkcomet | 172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe
Size

338KB
MD5

27aed8242c89f5a513c097dcc36c5bef
SHA1

9a53be98d594fabed2fc567e65b7b16d73b69300
SHA256

172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86
SHA512

8f81c85b4653096ccaca23a706527130eecd2a226c111db44138577efcd5446415fe5ebadf12e71361bd5e267f5436bd2f1dc4255e20e1fc55974f630e80b478
SSDEEP

6144:wC4W+NSe7/mE5WAGb/msFw13ocRGQqrDsZOZ3ZpWoM7+aaTaaaHbiXJEdpC8bQ:w/W+cHEIAGb/msFwxocgQq3sZOZIbuq

Score

10^/10

darkcomet slave evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

gotcha1337.no-ip.biz:1604

Mutex

DC_MUTEX-YL1K3PD

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
KFeuKKdTKtY3
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	cvtres.exe

UPX dump on OEP (original entry point) 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3000-20-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral1/memory/3000-18-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral1/memory/3000-14-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral1/memory/3000-23-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral1/memory/3000-26-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral1/memory/3000-24-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX
behavioral1/memory/3000-39-0x0000000000400000-0x00000000004B7000-memory.dmp	UPX

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
2516	attrib.exe
2400	attrib.exe

Executes dropped EXE 2 IoCs

Processes:

cvtres.exemsdcsc.exe

pid	Process
3000	cvtres.exe
2448	msdcsc.exe

Loads dropped DLL 4 IoCs

Processes:

172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.execvtres.exe

pid	Process
2992	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe
2992	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe
3000	cvtres.exe
3000	cvtres.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3000-20-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3000-18-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3000-14-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3000-12-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3000-23-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3000-26-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3000-24-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3000-39-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	cvtres.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe

description	pid	Process	procid_target
PID 2992 set thread context of 3000	2992	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

cvtres.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3000	cvtres.exe
Token: SeSecurityPrivilege	3000	cvtres.exe
Token: SeTakeOwnershipPrivilege	3000	cvtres.exe
Token: SeLoadDriverPrivilege	3000	cvtres.exe
Token: SeSystemProfilePrivilege	3000	cvtres.exe
Token: SeSystemtimePrivilege	3000	cvtres.exe
Token: SeProfSingleProcessPrivilege	3000	cvtres.exe
Token: SeIncBasePriorityPrivilege	3000	cvtres.exe
Token: SeCreatePagefilePrivilege	3000	cvtres.exe
Token: SeBackupPrivilege	3000	cvtres.exe
Token: SeRestorePrivilege	3000	cvtres.exe
Token: SeShutdownPrivilege	3000	cvtres.exe
Token: SeDebugPrivilege	3000	cvtres.exe
Token: SeSystemEnvironmentPrivilege	3000	cvtres.exe
Token: SeChangeNotifyPrivilege	3000	cvtres.exe
Token: SeRemoteShutdownPrivilege	3000	cvtres.exe
Token: SeUndockPrivilege	3000	cvtres.exe
Token: SeManageVolumePrivilege	3000	cvtres.exe
Token: SeImpersonatePrivilege	3000	cvtres.exe
Token: SeCreateGlobalPrivilege	3000	cvtres.exe
Token: 33	3000	cvtres.exe
Token: 34	3000	cvtres.exe
Token: 35	3000	cvtres.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.execvtres.execmd.execmd.exe

description	pid	Process	procid_target
PID 2992 wrote to memory of 3000	2992	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	28
PID 2992 wrote to memory of 3000	2992	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	28
PID 2992 wrote to memory of 3000	2992	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	28
PID 2992 wrote to memory of 3000	2992	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	28
PID 2992 wrote to memory of 3000	2992	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	28
PID 2992 wrote to memory of 3000	2992	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	28
PID 2992 wrote to memory of 3000	2992	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	28
PID 2992 wrote to memory of 3000	2992	172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe	28
PID 3000 wrote to memory of 2756	3000	cvtres.exe	29
PID 3000 wrote to memory of 2756	3000	cvtres.exe	29
PID 3000 wrote to memory of 2756	3000	cvtres.exe	29
PID 3000 wrote to memory of 2756	3000	cvtres.exe	29
PID 3000 wrote to memory of 2072	3000	cvtres.exe	30
PID 3000 wrote to memory of 2072	3000	cvtres.exe	30
PID 3000 wrote to memory of 2072	3000	cvtres.exe	30
PID 3000 wrote to memory of 2072	3000	cvtres.exe	30
PID 2756 wrote to memory of 2516	2756	cmd.exe	33
PID 2756 wrote to memory of 2516	2756	cmd.exe	33
PID 2756 wrote to memory of 2516	2756	cmd.exe	33
PID 2756 wrote to memory of 2516	2756	cmd.exe	33
PID 2072 wrote to memory of 2400	2072	cmd.exe	34
PID 2072 wrote to memory of 2400	2072	cmd.exe	34
PID 2072 wrote to memory of 2400	2072	cmd.exe	34
PID 2072 wrote to memory of 2400	2072	cmd.exe	34
PID 3000 wrote to memory of 2448	3000	cvtres.exe	35
PID 3000 wrote to memory of 2448	3000	cvtres.exe	35
PID 3000 wrote to memory of 2448	3000	cvtres.exe	35
PID 3000 wrote to memory of 2448	3000	cvtres.exe	35

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
2516	attrib.exe
2400	attrib.exe

C:\Users\Admin\AppData\Local\Temp\172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe
"C:\Users\Admin\AppData\Local\Temp\172af0ea71ebe1942681d48eba3418a5d5cd243dd9b4248407c3201146894c86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\cvtres.exe
  "C:\Users\Admin\AppData\Local\Temp\cvtres.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\cvtres.exe" +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2400
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cvtres.exe

Filesize
1024B

MD5
54b1c45da8980b32759042e2c3c78dfb

SHA1
11e8bc2db98786c69e5dadf53d00ff3ee03d64f8

SHA256
9d5efce48ed68dcb4caaa7fbecaf47ce2cab0a023afc6ceed682d1d532823773

SHA512
73169989b97a032fe923272fbe4bc27be77e491d125b360120fc1e02419d99f807b1f62a3edaff85ebfd16e9c240ec295be9431cfe4d6c353f0cf0dbeec4d2ac

Download Submit
memory/2992-2-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2992-22-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-0-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-1-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/3000-14-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3000-10-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3000-12-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3000-20-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3000-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3000-18-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3000-23-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3000-26-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3000-24-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3000-27-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3000-39-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download