darkcomet | 7eb160d254641cd57c9abbae458370718b989d6096f17c6888318a8ebb253853

General

Target

61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Size

349KB
MD5

0983cb6fb6ca713e547893ef1c90c09d
SHA1

766807324427b5a4ecc82c75d15be09d1695795d
SHA256

7eb160d254641cd57c9abbae458370718b989d6096f17c6888318a8ebb253853
SHA512

73e9bb86649eb4df330e4e12c0adbf1e03f03d55b37dba192e3081902f6f6143b38283610c7137124998aeeaadfa66c94fec992802a0ea37f5970e599043776b

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

61c6858c5ecd6f8c83bc8d318d9f9c5f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\windows\\msdcsc.exe"	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

1172 msdcsc.exe

pid	process
1172	msdcsc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\windows\msdcsc.exe	upx
\Users\Admin\AppData\Local\Temp\windows\msdcsc.exe	upx
C:\Users\Admin\AppData\Local\Temp\windows\msdcsc.exe	upx
C:\Users\Admin\AppData\Local\Temp\windows\msdcsc.exe	upx

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1484 notepad.exe
Loads dropped DLL 2 IoCs

Processes:

61c6858c5ecd6f8c83bc8d318d9f9c5f.exe

pid process

1588 61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
1588 61c6858c5ecd6f8c83bc8d318d9f9c5f.exe

pid	process
1484	notepad.exe

pid	process
1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

61c6858c5ecd6f8c83bc8d318d9f9c5f.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows\\msdcsc.exe"	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\windows\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

61c6858c5ecd6f8c83bc8d318d9f9c5f.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeSecurityPrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeTakeOwnershipPrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeLoadDriverPrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeSystemProfilePrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeSystemtimePrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeProfSingleProcessPrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeIncBasePriorityPrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeCreatePagefilePrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeBackupPrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeRestorePrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeShutdownPrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeDebugPrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeSystemEnvironmentPrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeChangeNotifyPrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeRemoteShutdownPrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeUndockPrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeManageVolumePrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeImpersonatePrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeCreateGlobalPrivilege	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: 33	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: 34	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: 35	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
Token: SeIncreaseQuotaPrivilege	1172	msdcsc.exe
Token: SeSecurityPrivilege	1172	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1172	msdcsc.exe
Token: SeLoadDriverPrivilege	1172	msdcsc.exe
Token: SeSystemProfilePrivilege	1172	msdcsc.exe
Token: SeSystemtimePrivilege	1172	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1172	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1172	msdcsc.exe
Token: SeCreatePagefilePrivilege	1172	msdcsc.exe
Token: SeBackupPrivilege	1172	msdcsc.exe
Token: SeRestorePrivilege	1172	msdcsc.exe
Token: SeShutdownPrivilege	1172	msdcsc.exe
Token: SeDebugPrivilege	1172	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1172	msdcsc.exe
Token: SeChangeNotifyPrivilege	1172	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1172	msdcsc.exe
Token: SeUndockPrivilege	1172	msdcsc.exe
Token: SeManageVolumePrivilege	1172	msdcsc.exe
Token: SeImpersonatePrivilege	1172	msdcsc.exe
Token: SeCreateGlobalPrivilege	1172	msdcsc.exe
Token: 33	1172	msdcsc.exe
Token: 34	1172	msdcsc.exe
Token: 35	1172	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

1172 msdcsc.exe

pid	process
1172	msdcsc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

61c6858c5ecd6f8c83bc8d318d9f9c5f.exe

description	pid	process	target process
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1484	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	notepad.exe
PID 1588 wrote to memory of 1172	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	msdcsc.exe
PID 1588 wrote to memory of 1172	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	msdcsc.exe
PID 1588 wrote to memory of 1172	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	msdcsc.exe
PID 1588 wrote to memory of 1172	1588	61c6858c5ecd6f8c83bc8d318d9f9c5f.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\61c6858c5ecd6f8c83bc8d318d9f9c5f.exe
"C:\Users\Admin\AppData\Local\Temp\61c6858c5ecd6f8c83bc8d318d9f9c5f.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Deletes itself
PID:1484

C:\Users\Admin\AppData\Local\Temp\windows\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\windows\msdcsc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\windows\msdcsc.exe
MD5
0983cb6fb6ca713e547893ef1c90c09d

SHA1
766807324427b5a4ecc82c75d15be09d1695795d

SHA256
7eb160d254641cd57c9abbae458370718b989d6096f17c6888318a8ebb253853

SHA512
73e9bb86649eb4df330e4e12c0adbf1e03f03d55b37dba192e3081902f6f6143b38283610c7137124998aeeaadfa66c94fec992802a0ea37f5970e599043776b

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows\msdcsc.exe
MD5
0983cb6fb6ca713e547893ef1c90c09d

SHA1
766807324427b5a4ecc82c75d15be09d1695795d

SHA256
7eb160d254641cd57c9abbae458370718b989d6096f17c6888318a8ebb253853

SHA512
73e9bb86649eb4df330e4e12c0adbf1e03f03d55b37dba192e3081902f6f6143b38283610c7137124998aeeaadfa66c94fec992802a0ea37f5970e599043776b

Download Submit
\Users\Admin\AppData\Local\Temp\windows\msdcsc.exe
MD5
0983cb6fb6ca713e547893ef1c90c09d

SHA1
766807324427b5a4ecc82c75d15be09d1695795d

SHA256
7eb160d254641cd57c9abbae458370718b989d6096f17c6888318a8ebb253853

SHA512
73e9bb86649eb4df330e4e12c0adbf1e03f03d55b37dba192e3081902f6f6143b38283610c7137124998aeeaadfa66c94fec992802a0ea37f5970e599043776b

Download Submit
\Users\Admin\AppData\Local\Temp\windows\msdcsc.exe
MD5
0983cb6fb6ca713e547893ef1c90c09d

SHA1
766807324427b5a4ecc82c75d15be09d1695795d

SHA256
7eb160d254641cd57c9abbae458370718b989d6096f17c6888318a8ebb253853

SHA512
73e9bb86649eb4df330e4e12c0adbf1e03f03d55b37dba192e3081902f6f6143b38283610c7137124998aeeaadfa66c94fec992802a0ea37f5970e599043776b

Download Submit
memory/1172-5-0x0000000000000000-mapping.dmp

Download
memory/1484-0-0x0000000000000000-mapping.dmp

Download
memory/1484-1-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1484-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads