darkcomet | 78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f

General

Target

78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Size

251KB
MD5

0ff29b69d35e90def532d1131eddaf78
SHA1

28024d4cdbec6c77b14788662e66933bedff8cd7
SHA256

78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f
SHA512

194da7f5fb7312f99733b18f6e72844e3650b7e0054a1975beae48d45d9867132be51aa5597f05f5cee9a2e6bc9360b4f8edcdc3bd01287e2e87064deab64f21

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\msdcsc.exe"	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

776 msdcsc.exe

pid	process
776	msdcsc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\msdcsc.exe	upx
C:\Users\Admin\AppData\Local\Temp\msdcsc.exe	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msdcsc.exe"	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeSecurityPrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeTakeOwnershipPrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeLoadDriverPrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeSystemProfilePrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeSystemtimePrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeProfSingleProcessPrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeIncBasePriorityPrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeCreatePagefilePrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeBackupPrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeRestorePrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeShutdownPrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeDebugPrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeSystemEnvironmentPrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeChangeNotifyPrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeRemoteShutdownPrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeUndockPrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeManageVolumePrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeImpersonatePrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeCreateGlobalPrivilege	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: 33	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: 34	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: 35	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: 36	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
Token: SeIncreaseQuotaPrivilege	776	msdcsc.exe
Token: SeSecurityPrivilege	776	msdcsc.exe
Token: SeTakeOwnershipPrivilege	776	msdcsc.exe
Token: SeLoadDriverPrivilege	776	msdcsc.exe
Token: SeSystemProfilePrivilege	776	msdcsc.exe
Token: SeSystemtimePrivilege	776	msdcsc.exe
Token: SeProfSingleProcessPrivilege	776	msdcsc.exe
Token: SeIncBasePriorityPrivilege	776	msdcsc.exe
Token: SeCreatePagefilePrivilege	776	msdcsc.exe
Token: SeBackupPrivilege	776	msdcsc.exe
Token: SeRestorePrivilege	776	msdcsc.exe
Token: SeShutdownPrivilege	776	msdcsc.exe
Token: SeDebugPrivilege	776	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	776	msdcsc.exe
Token: SeChangeNotifyPrivilege	776	msdcsc.exe
Token: SeRemoteShutdownPrivilege	776	msdcsc.exe
Token: SeUndockPrivilege	776	msdcsc.exe
Token: SeManageVolumePrivilege	776	msdcsc.exe
Token: SeImpersonatePrivilege	776	msdcsc.exe
Token: SeCreateGlobalPrivilege	776	msdcsc.exe
Token: 33	776	msdcsc.exe
Token: 34	776	msdcsc.exe
Token: 35	776	msdcsc.exe
Token: 36	776	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

776 msdcsc.exe

pid	process
776	msdcsc.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exemsdcsc.exe

description	pid	process	target process
PID 4796 wrote to memory of 776	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe	msdcsc.exe
PID 4796 wrote to memory of 776	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe	msdcsc.exe
PID 4796 wrote to memory of 776	4796	78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe	msdcsc.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe
PID 776 wrote to memory of 4312	776	msdcsc.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
"C:\Users\Admin\AppData\Local\Temp\78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796

C:\Users\Admin\AppData\Local\Temp\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\msdcsc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:4312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msdcsc.exe
MD5
0ff29b69d35e90def532d1131eddaf78

SHA1
28024d4cdbec6c77b14788662e66933bedff8cd7

SHA256
78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f

SHA512
194da7f5fb7312f99733b18f6e72844e3650b7e0054a1975beae48d45d9867132be51aa5597f05f5cee9a2e6bc9360b4f8edcdc3bd01287e2e87064deab64f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\msdcsc.exe
MD5
0ff29b69d35e90def532d1131eddaf78

SHA1
28024d4cdbec6c77b14788662e66933bedff8cd7

SHA256
78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f

SHA512
194da7f5fb7312f99733b18f6e72844e3650b7e0054a1975beae48d45d9867132be51aa5597f05f5cee9a2e6bc9360b4f8edcdc3bd01287e2e87064deab64f21

Download Submit
memory/776-0-0x0000000000000000-mapping.dmp

Download
memory/4312-3-0x0000000000000000-mapping.dmp

Download
memory/4312-4-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/4312-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads