darkcomet | b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Size

264KB
MD5

d815641ecaba50daefbe9112431c10ec
SHA1

3f2de42ccd82a30300a1c6345541101b57019560
SHA256

b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415
SHA512

99c1d86093ecb217ec42a84cebe47eb20e5f76acf9e979ea10cba27ad776bb7e90d79a23469703d02c39723c5ce0d96c134d3db6626f396dacc48854841bb167
SSDEEP

6144:WwT5O7pJmNB6dLY6dCnnsyZLHoaIyv6ocU/qxDS2xDWb3cuh9:WP+NULZdCn3TbncU2D7Ab3J7

Score

10^/10

darkcomet new discovery evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

new

legolas8.no-ip.biz:1604

Mutex

DC_MUTEX-2DS0WZ2

Attributes

InstallPath
MSDCSC\desktop.exe
gencode
3R00lMmzC7aS
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\desktop.exe"	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	desktop.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	iexplore.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	desktop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	desktop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	iexplore.exe

Executes dropped EXE 1 IoCs

pid	Process
2580	desktop.exe

Loads dropped DLL 2 IoCs

pid	Process
2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2660-0-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2580-19-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2660-18-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/files/0x0006000000019246-16.dat	upx
behavioral1/memory/2584-21-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/2580-23-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	desktop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	desktop.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\desktop.exe"	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\desktop.exe"	desktop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\desktop.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2580 set thread context of 2584	2580	desktop.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	desktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2584	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeSecurityPrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeTakeOwnershipPrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeLoadDriverPrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeSystemProfilePrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeSystemtimePrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeProfSingleProcessPrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeIncBasePriorityPrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeCreatePagefilePrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeBackupPrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeRestorePrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeShutdownPrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeDebugPrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeSystemEnvironmentPrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeChangeNotifyPrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeRemoteShutdownPrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeUndockPrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeManageVolumePrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeImpersonatePrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeCreateGlobalPrivilege	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: 33	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: 34	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: 35	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
Token: SeIncreaseQuotaPrivilege	2580	desktop.exe
Token: SeSecurityPrivilege	2580	desktop.exe
Token: SeTakeOwnershipPrivilege	2580	desktop.exe
Token: SeLoadDriverPrivilege	2580	desktop.exe
Token: SeSystemProfilePrivilege	2580	desktop.exe
Token: SeSystemtimePrivilege	2580	desktop.exe
Token: SeProfSingleProcessPrivilege	2580	desktop.exe
Token: SeIncBasePriorityPrivilege	2580	desktop.exe
Token: SeCreatePagefilePrivilege	2580	desktop.exe
Token: SeBackupPrivilege	2580	desktop.exe
Token: SeRestorePrivilege	2580	desktop.exe
Token: SeShutdownPrivilege	2580	desktop.exe
Token: SeDebugPrivilege	2580	desktop.exe
Token: SeSystemEnvironmentPrivilege	2580	desktop.exe
Token: SeChangeNotifyPrivilege	2580	desktop.exe
Token: SeRemoteShutdownPrivilege	2580	desktop.exe
Token: SeUndockPrivilege	2580	desktop.exe
Token: SeManageVolumePrivilege	2580	desktop.exe
Token: SeImpersonatePrivilege	2580	desktop.exe
Token: SeCreateGlobalPrivilege	2580	desktop.exe
Token: 33	2580	desktop.exe
Token: 34	2580	desktop.exe
Token: 35	2580	desktop.exe
Token: SeIncreaseQuotaPrivilege	2584	iexplore.exe
Token: SeSecurityPrivilege	2584	iexplore.exe
Token: SeTakeOwnershipPrivilege	2584	iexplore.exe
Token: SeLoadDriverPrivilege	2584	iexplore.exe
Token: SeSystemProfilePrivilege	2584	iexplore.exe
Token: SeSystemtimePrivilege	2584	iexplore.exe
Token: SeProfSingleProcessPrivilege	2584	iexplore.exe
Token: SeIncBasePriorityPrivilege	2584	iexplore.exe
Token: SeCreatePagefilePrivilege	2584	iexplore.exe
Token: SeBackupPrivilege	2584	iexplore.exe
Token: SeRestorePrivilege	2584	iexplore.exe
Token: SeShutdownPrivilege	2584	iexplore.exe
Token: SeDebugPrivilege	2584	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2584	iexplore.exe
Token: SeChangeNotifyPrivilege	2584	iexplore.exe
Token: SeRemoteShutdownPrivilege	2584	iexplore.exe
Token: SeUndockPrivilege	2584	iexplore.exe
Token: SeManageVolumePrivilege	2584	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2704	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2584	iexplore.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2580	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe	31
PID 2660 wrote to memory of 2580	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe	31
PID 2660 wrote to memory of 2580	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe	31
PID 2660 wrote to memory of 2580	2660	b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe	31
PID 2580 wrote to memory of 2584	2580	desktop.exe	32
PID 2580 wrote to memory of 2584	2580	desktop.exe	32
PID 2580 wrote to memory of 2584	2580	desktop.exe	32
PID 2580 wrote to memory of 2584	2580	desktop.exe	32
PID 2580 wrote to memory of 2584	2580	desktop.exe	32
PID 2580 wrote to memory of 2584	2580	desktop.exe	32

C:\Users\Admin\AppData\Local\Temp\b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe
"C:\Users\Admin\AppData\Local\Temp\b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\desktop.exe
  "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\desktop.exe"
  2⤵
  - Modifies security service
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies security service
    - Windows security bypass
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2584

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\desktop.exe

Filesize
264KB

MD5
d815641ecaba50daefbe9112431c10ec

SHA1
3f2de42ccd82a30300a1c6345541101b57019560

SHA256
b7d2176ff9ac42eac22d807f8d9e1e66d158f7b4d0f352ba988a447448f01415

SHA512
99c1d86093ecb217ec42a84cebe47eb20e5f76acf9e979ea10cba27ad776bb7e90d79a23469703d02c39723c5ce0d96c134d3db6626f396dacc48854841bb167

Download Submit
C:\Users\Admin\AppData\Local\Temp\SARA.JPG

Filesize
14KB

MD5
7fc7adb4e483f45b6aa6d2cb24b66b79

SHA1
9dcdfbecee25942c46a8fd8915cd982e40bc66c9

SHA256
76e75bb4c92e674127dd8de52a056e45e09266734c2a04387787e750cce38c93

SHA512
be82effd82dc6be37e2560423671e0668de4ceb22dfd524c679cfc2dc4b3db53b51ad0c846fcb93246d4729c521e9d8ba65c8fed280827f79a3c0b2857e1ce9f

Download Submit
memory/2580-19-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2580-23-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2584-21-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2660-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2660-1-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2660-5-0x0000000003BD0000-0x0000000003BD2000-memory.dmp

Filesize
8KB

Download
memory/2660-18-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2704-6-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2704-7-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2704-24-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads