darkcomet | 030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9

General

Target

030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Size

252KB
MD5

81d1f0ba69f70c3b8eb6c00dea432dfe
SHA1

f2e23705a6a465e8e6c7f02f3b175e2e06e84719
SHA256

030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9
SHA512

0fea7f04790a53638e2cc342f2d1713ba49363c31faa36bc5698f4f18be4b8d9f5006592b775d7c4bcf6f467f43fd005b80b5b6d5ad73aa3f0bfa344f0ad90ce

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

ximer2020.ddns.net:1604

Mutex

DC_MUTEX-4U0HFC0

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
aDFqoxfKfrcR
install
true
offline_keylogger
true
password
82121020202222
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

1172 msdcsc.exe

pid	process
1172	msdcsc.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
behavioral1/memory/1984-8-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1984-10-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1984-11-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1824 notepad.exe

pid	process
1824	notepad.exe

Loads dropped DLL 2 IoCs

Processes:

030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe

pid	process
1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exemsdcsc.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msdcsc.exe

description pid process target process

PID 1172 set thread context of 1984 1172 msdcsc.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1984 iexplore.exe

description	pid	process	target process
PID 1172 set thread context of 1984	1172	msdcsc.exe	iexplore.exe

pid	process
1984	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exemsdcsc.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeSecurityPrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeTakeOwnershipPrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeLoadDriverPrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeSystemProfilePrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeSystemtimePrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeProfSingleProcessPrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeIncBasePriorityPrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeCreatePagefilePrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeBackupPrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeRestorePrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeShutdownPrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeDebugPrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeSystemEnvironmentPrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeChangeNotifyPrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeRemoteShutdownPrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeUndockPrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeManageVolumePrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeImpersonatePrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeCreateGlobalPrivilege	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: 33	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: 34	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: 35	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
Token: SeIncreaseQuotaPrivilege	1172	msdcsc.exe
Token: SeSecurityPrivilege	1172	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1172	msdcsc.exe
Token: SeLoadDriverPrivilege	1172	msdcsc.exe
Token: SeSystemProfilePrivilege	1172	msdcsc.exe
Token: SeSystemtimePrivilege	1172	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1172	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1172	msdcsc.exe
Token: SeCreatePagefilePrivilege	1172	msdcsc.exe
Token: SeBackupPrivilege	1172	msdcsc.exe
Token: SeRestorePrivilege	1172	msdcsc.exe
Token: SeShutdownPrivilege	1172	msdcsc.exe
Token: SeDebugPrivilege	1172	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1172	msdcsc.exe
Token: SeChangeNotifyPrivilege	1172	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1172	msdcsc.exe
Token: SeUndockPrivilege	1172	msdcsc.exe
Token: SeManageVolumePrivilege	1172	msdcsc.exe
Token: SeImpersonatePrivilege	1172	msdcsc.exe
Token: SeCreateGlobalPrivilege	1172	msdcsc.exe
Token: 33	1172	msdcsc.exe
Token: 34	1172	msdcsc.exe
Token: 35	1172	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	1984	iexplore.exe
Token: SeSecurityPrivilege	1984	iexplore.exe
Token: SeTakeOwnershipPrivilege	1984	iexplore.exe
Token: SeLoadDriverPrivilege	1984	iexplore.exe
Token: SeSystemProfilePrivilege	1984	iexplore.exe
Token: SeSystemtimePrivilege	1984	iexplore.exe
Token: SeProfSingleProcessPrivilege	1984	iexplore.exe
Token: SeIncBasePriorityPrivilege	1984	iexplore.exe
Token: SeCreatePagefilePrivilege	1984	iexplore.exe
Token: SeBackupPrivilege	1984	iexplore.exe
Token: SeRestorePrivilege	1984	iexplore.exe
Token: SeShutdownPrivilege	1984	iexplore.exe
Token: SeDebugPrivilege	1984	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1984	iexplore.exe
Token: SeChangeNotifyPrivilege	1984	iexplore.exe
Token: SeRemoteShutdownPrivilege	1984	iexplore.exe
Token: SeUndockPrivilege	1984	iexplore.exe
Token: SeManageVolumePrivilege	1984	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

1984 iexplore.exe

pid	process
1984	iexplore.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exemsdcsc.exeiexplore.exe

description	pid	process	target process
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1824	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	notepad.exe
PID 1756 wrote to memory of 1172	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	msdcsc.exe
PID 1756 wrote to memory of 1172	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	msdcsc.exe
PID 1756 wrote to memory of 1172	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	msdcsc.exe
PID 1756 wrote to memory of 1172	1756	030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe	msdcsc.exe
PID 1172 wrote to memory of 1984	1172	msdcsc.exe	iexplore.exe
PID 1172 wrote to memory of 1984	1172	msdcsc.exe	iexplore.exe
PID 1172 wrote to memory of 1984	1172	msdcsc.exe	iexplore.exe
PID 1172 wrote to memory of 1984	1172	msdcsc.exe	iexplore.exe
PID 1172 wrote to memory of 1984	1172	msdcsc.exe	iexplore.exe
PID 1172 wrote to memory of 1984	1172	msdcsc.exe	iexplore.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe
PID 1984 wrote to memory of 1732	1984	iexplore.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe
"C:\Users\Admin\AppData\Local\Temp\030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Deletes itself
PID:1824

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
81d1f0ba69f70c3b8eb6c00dea432dfe

SHA1
f2e23705a6a465e8e6c7f02f3b175e2e06e84719

SHA256
030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9

SHA512
0fea7f04790a53638e2cc342f2d1713ba49363c31faa36bc5698f4f18be4b8d9f5006592b775d7c4bcf6f467f43fd005b80b5b6d5ad73aa3f0bfa344f0ad90ce

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
81d1f0ba69f70c3b8eb6c00dea432dfe

SHA1
f2e23705a6a465e8e6c7f02f3b175e2e06e84719

SHA256
030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9

SHA512
0fea7f04790a53638e2cc342f2d1713ba49363c31faa36bc5698f4f18be4b8d9f5006592b775d7c4bcf6f467f43fd005b80b5b6d5ad73aa3f0bfa344f0ad90ce

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
81d1f0ba69f70c3b8eb6c00dea432dfe

SHA1
f2e23705a6a465e8e6c7f02f3b175e2e06e84719

SHA256
030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9

SHA512
0fea7f04790a53638e2cc342f2d1713ba49363c31faa36bc5698f4f18be4b8d9f5006592b775d7c4bcf6f467f43fd005b80b5b6d5ad73aa3f0bfa344f0ad90ce

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
81d1f0ba69f70c3b8eb6c00dea432dfe

SHA1
f2e23705a6a465e8e6c7f02f3b175e2e06e84719

SHA256
030e0523148995ec2e91544642cacded035534ef6bf42c534336167fc96501f9

SHA512
0fea7f04790a53638e2cc342f2d1713ba49363c31faa36bc5698f4f18be4b8d9f5006592b775d7c4bcf6f467f43fd005b80b5b6d5ad73aa3f0bfa344f0ad90ce

Download Submit
memory/1172-5-0x0000000000000000-mapping.dmp

Download
memory/1732-12-0x0000000000000000-mapping.dmp

Download
memory/1732-14-0x0000000000000000-mapping.dmp

Download
memory/1732-13-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1824-0-0x0000000000000000-mapping.dmp

Download
memory/1824-2-0x0000000000000000-mapping.dmp

Download
memory/1824-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1984-8-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1984-9-0x00000000004B5820-mapping.dmp

Download
memory/1984-10-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1984-11-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads