darkcomet | 40cb38cb4b789d4f3781cd809ec36d9c0d0705742040abe460b7d4be275f7d2a

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RetroHack.exe
Size

650KB
MD5

f04f2b2f5d5a158dc13cc31454b49187
SHA1

9f974f15a18c3bffac7d23ff7b86c74efafbe1db
SHA256

19570160318b305d9700803dcafe231ad917fd78fce7c06a7a97e0b800ff295a
SHA512

1a579d6304f078ec849bbb6d3d0aaf347873e7ad7fa1c0e2422b2444d15fedc26b927bb0da727d59415c2662da3195ef63e9918b982ba5cf36856437a9b28ea2
SSDEEP

12288:7k0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+R:w0QRWoJEfg0oChGdJQbjPbNW5tYeP+Gc

Score

10^/10

darkcomet latentbot guest16 discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

zapperdezippzap.zapto.org:1604

Mutex

DC_MUTEX-1TF5DWF

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
oWJocAYWilPy
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Extracted

Family

latentbot

zapperdezippzap.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

RetroHack.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	RetroHack.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid	Process
1616	msdcsc.exe

Loads dropped DLL 2 IoCs

Processes:

RetroHack.exe

pid	Process
1472	RetroHack.exe
1472	RetroHack.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RetroHack.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	RetroHack.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msdcsc.exe

description	pid	Process	procid_target
PID 1616 set thread context of 2560	1616	msdcsc.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RetroHack.exemsdcsc.exeiexplore.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RetroHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RetroHack.exemsdcsc.exeiexplore.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1472	RetroHack.exe
Token: SeSecurityPrivilege	1472	RetroHack.exe
Token: SeTakeOwnershipPrivilege	1472	RetroHack.exe
Token: SeLoadDriverPrivilege	1472	RetroHack.exe
Token: SeSystemProfilePrivilege	1472	RetroHack.exe
Token: SeSystemtimePrivilege	1472	RetroHack.exe
Token: SeProfSingleProcessPrivilege	1472	RetroHack.exe
Token: SeIncBasePriorityPrivilege	1472	RetroHack.exe
Token: SeCreatePagefilePrivilege	1472	RetroHack.exe
Token: SeBackupPrivilege	1472	RetroHack.exe
Token: SeRestorePrivilege	1472	RetroHack.exe
Token: SeShutdownPrivilege	1472	RetroHack.exe
Token: SeDebugPrivilege	1472	RetroHack.exe
Token: SeSystemEnvironmentPrivilege	1472	RetroHack.exe
Token: SeChangeNotifyPrivilege	1472	RetroHack.exe
Token: SeRemoteShutdownPrivilege	1472	RetroHack.exe
Token: SeUndockPrivilege	1472	RetroHack.exe
Token: SeManageVolumePrivilege	1472	RetroHack.exe
Token: SeImpersonatePrivilege	1472	RetroHack.exe
Token: SeCreateGlobalPrivilege	1472	RetroHack.exe
Token: 33	1472	RetroHack.exe
Token: 34	1472	RetroHack.exe
Token: 35	1472	RetroHack.exe
Token: SeIncreaseQuotaPrivilege	1616	msdcsc.exe
Token: SeSecurityPrivilege	1616	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1616	msdcsc.exe
Token: SeLoadDriverPrivilege	1616	msdcsc.exe
Token: SeSystemProfilePrivilege	1616	msdcsc.exe
Token: SeSystemtimePrivilege	1616	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1616	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1616	msdcsc.exe
Token: SeCreatePagefilePrivilege	1616	msdcsc.exe
Token: SeBackupPrivilege	1616	msdcsc.exe
Token: SeRestorePrivilege	1616	msdcsc.exe
Token: SeShutdownPrivilege	1616	msdcsc.exe
Token: SeDebugPrivilege	1616	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1616	msdcsc.exe
Token: SeChangeNotifyPrivilege	1616	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1616	msdcsc.exe
Token: SeUndockPrivilege	1616	msdcsc.exe
Token: SeManageVolumePrivilege	1616	msdcsc.exe
Token: SeImpersonatePrivilege	1616	msdcsc.exe
Token: SeCreateGlobalPrivilege	1616	msdcsc.exe
Token: 33	1616	msdcsc.exe
Token: 34	1616	msdcsc.exe
Token: 35	1616	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2560	iexplore.exe
Token: SeSecurityPrivilege	2560	iexplore.exe
Token: SeTakeOwnershipPrivilege	2560	iexplore.exe
Token: SeLoadDriverPrivilege	2560	iexplore.exe
Token: SeSystemProfilePrivilege	2560	iexplore.exe
Token: SeSystemtimePrivilege	2560	iexplore.exe
Token: SeProfSingleProcessPrivilege	2560	iexplore.exe
Token: SeIncBasePriorityPrivilege	2560	iexplore.exe
Token: SeCreatePagefilePrivilege	2560	iexplore.exe
Token: SeBackupPrivilege	2560	iexplore.exe
Token: SeRestorePrivilege	2560	iexplore.exe
Token: SeShutdownPrivilege	2560	iexplore.exe
Token: SeDebugPrivilege	2560	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2560	iexplore.exe
Token: SeChangeNotifyPrivilege	2560	iexplore.exe
Token: SeRemoteShutdownPrivilege	2560	iexplore.exe
Token: SeUndockPrivilege	2560	iexplore.exe
Token: SeManageVolumePrivilege	2560	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid	Process
2560	iexplore.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

RetroHack.exemsdcsc.exe

description	pid	Process	procid_target
PID 1472 wrote to memory of 1616	1472	RetroHack.exe	30
PID 1472 wrote to memory of 1616	1472	RetroHack.exe	30
PID 1472 wrote to memory of 1616	1472	RetroHack.exe	30
PID 1472 wrote to memory of 1616	1472	RetroHack.exe	30
PID 1616 wrote to memory of 2560	1616	msdcsc.exe	31
PID 1616 wrote to memory of 2560	1616	msdcsc.exe	31
PID 1616 wrote to memory of 2560	1616	msdcsc.exe	31
PID 1616 wrote to memory of 2560	1616	msdcsc.exe	31
PID 1616 wrote to memory of 2560	1616	msdcsc.exe	31
PID 1616 wrote to memory of 2560	1616	msdcsc.exe	31

C:\Users\Admin\AppData\Local\Temp\RetroHack.exe
"C:\Users\Admin\AppData\Local\Temp\RetroHack.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
650KB

MD5
f04f2b2f5d5a158dc13cc31454b49187

SHA1
9f974f15a18c3bffac7d23ff7b86c74efafbe1db

SHA256
19570160318b305d9700803dcafe231ad917fd78fce7c06a7a97e0b800ff295a

SHA512
1a579d6304f078ec849bbb6d3d0aaf347873e7ad7fa1c0e2422b2444d15fedc26b927bb0da727d59415c2662da3195ef63e9918b982ba5cf36856437a9b28ea2

Download Submit
memory/1472-0-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1472-10-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1616-12-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1616-15-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2560-14-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download