darkcomet | be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c

General

Target

be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Size

252KB
MD5

c59e571eb35a179093de7813abea3701
SHA1

68932d08d79e587684b9bab2c2bbd67e70b6b40d
SHA256

be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c
SHA512

5d29fd11f7dff221ceaca9949301407655a18a1a1d5ea74461d922107430d66754da0574cbc5b47f2ceaab0941bf6146be33726d8e7d64625ee9b6ed6d2e9281

Score

10^/10

darkcomet evasion persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe

Disables RegEdit via registry modification
evasion
Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

3328 msdcsc.exe

pid	process
3328	msdcsc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1620 notepad.exe

pid	process
1620	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeSecurityPrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeTakeOwnershipPrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeLoadDriverPrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeSystemProfilePrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeSystemtimePrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeProfSingleProcessPrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeIncBasePriorityPrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeCreatePagefilePrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeBackupPrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeRestorePrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeShutdownPrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeDebugPrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeSystemEnvironmentPrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeChangeNotifyPrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeRemoteShutdownPrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeUndockPrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeManageVolumePrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeImpersonatePrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeCreateGlobalPrivilege	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: 33	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: 34	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: 35	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: 36	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
Token: SeIncreaseQuotaPrivilege	3328	msdcsc.exe
Token: SeSecurityPrivilege	3328	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3328	msdcsc.exe
Token: SeLoadDriverPrivilege	3328	msdcsc.exe
Token: SeSystemProfilePrivilege	3328	msdcsc.exe
Token: SeSystemtimePrivilege	3328	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3328	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3328	msdcsc.exe
Token: SeCreatePagefilePrivilege	3328	msdcsc.exe
Token: SeBackupPrivilege	3328	msdcsc.exe
Token: SeRestorePrivilege	3328	msdcsc.exe
Token: SeShutdownPrivilege	3328	msdcsc.exe
Token: SeDebugPrivilege	3328	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3328	msdcsc.exe
Token: SeChangeNotifyPrivilege	3328	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3328	msdcsc.exe
Token: SeUndockPrivilege	3328	msdcsc.exe
Token: SeManageVolumePrivilege	3328	msdcsc.exe
Token: SeImpersonatePrivilege	3328	msdcsc.exe
Token: SeCreateGlobalPrivilege	3328	msdcsc.exe
Token: 33	3328	msdcsc.exe
Token: 34	3328	msdcsc.exe
Token: 35	3328	msdcsc.exe
Token: 36	3328	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

3328 msdcsc.exe

pid	process
3328	msdcsc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe

description	pid	process	target process
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 1620	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	notepad.exe
PID 984 wrote to memory of 3328	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	msdcsc.exe
PID 984 wrote to memory of 3328	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	msdcsc.exe
PID 984 wrote to memory of 3328	984	be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe
"C:\Users\Admin\AppData\Local\Temp\be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Deletes itself
PID:1620

C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
MD5
c59e571eb35a179093de7813abea3701

SHA1
68932d08d79e587684b9bab2c2bbd67e70b6b40d

SHA256
be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c

SHA512
5d29fd11f7dff221ceaca9949301407655a18a1a1d5ea74461d922107430d66754da0574cbc5b47f2ceaab0941bf6146be33726d8e7d64625ee9b6ed6d2e9281

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
MD5
c59e571eb35a179093de7813abea3701

SHA1
68932d08d79e587684b9bab2c2bbd67e70b6b40d

SHA256
be7348ac661712d9c6ff32f570af43a435fa88015c48b6a421f3f68d944e943c

SHA512
5d29fd11f7dff221ceaca9949301407655a18a1a1d5ea74461d922107430d66754da0574cbc5b47f2ceaab0941bf6146be33726d8e7d64625ee9b6ed6d2e9281

Download Submit
memory/1620-0-0x0000000000000000-mapping.dmp

Download
memory/1620-1-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1620-2-0x0000000000000000-mapping.dmp

Download
memory/3328-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads