darkcomet | 65d1b87c16eb44d2d057df7492af8ee0f0f070e59f6678d9cb04a40b33df0d0f

General

Target

14929a757a1299c47ab1395a63d4c8ee.exe
Size

775KB
MD5

14929a757a1299c47ab1395a63d4c8ee
SHA1

fcc28114965b83bee2919e450b7731feebbbdd09
SHA256

65d1b87c16eb44d2d057df7492af8ee0f0f070e59f6678d9cb04a40b33df0d0f
SHA512

856470354ab7956c5709589c3a77674ca8e265b5ae29748d5d4d2e52c8986b9f6d4f8166f4a9ecc47b9c9cfdc16d7d699d4cd03c7f6ef596f2e58a36348e01ec

Score

10^/10

darkcomet ��persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

��

C2

dcv123.no-ip.biz:1604

Mutex

DC_MUTEX-45YS4L8

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
jvfglC4ADoBp
install
true
offline_keylogger
true
persistence
true
reg_key
msdcsc

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Steam.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	Steam.exe

Executes dropped EXE 1 IoCs

Processes:

Steam.exe

pid process

1188 Steam.exe
Loads dropped DLL 2 IoCs

Processes:

14929a757a1299c47ab1395a63d4c8ee.exe

pid process

2024 14929a757a1299c47ab1395a63d4c8ee.exe
2024 14929a757a1299c47ab1395a63d4c8ee.exe

pid	process
1188	Steam.exe

pid	process
2024	14929a757a1299c47ab1395a63d4c8ee.exe
2024	14929a757a1299c47ab1395a63d4c8ee.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Steam.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\msdcsc = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	Steam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

Steam.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1188	Steam.exe
Token: SeSecurityPrivilege	1188	Steam.exe
Token: SeTakeOwnershipPrivilege	1188	Steam.exe
Token: SeLoadDriverPrivilege	1188	Steam.exe
Token: SeSystemProfilePrivilege	1188	Steam.exe
Token: SeSystemtimePrivilege	1188	Steam.exe
Token: SeProfSingleProcessPrivilege	1188	Steam.exe
Token: SeIncBasePriorityPrivilege	1188	Steam.exe
Token: SeCreatePagefilePrivilege	1188	Steam.exe
Token: SeBackupPrivilege	1188	Steam.exe
Token: SeRestorePrivilege	1188	Steam.exe
Token: SeShutdownPrivilege	1188	Steam.exe
Token: SeDebugPrivilege	1188	Steam.exe
Token: SeSystemEnvironmentPrivilege	1188	Steam.exe
Token: SeChangeNotifyPrivilege	1188	Steam.exe
Token: SeRemoteShutdownPrivilege	1188	Steam.exe
Token: SeUndockPrivilege	1188	Steam.exe
Token: SeManageVolumePrivilege	1188	Steam.exe
Token: SeImpersonatePrivilege	1188	Steam.exe
Token: SeCreateGlobalPrivilege	1188	Steam.exe
Token: 33	1188	Steam.exe
Token: 34	1188	Steam.exe
Token: 35	1188	Steam.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

14929a757a1299c47ab1395a63d4c8ee.exe

description	pid	process	target process
PID 2024 wrote to memory of 1188	2024	14929a757a1299c47ab1395a63d4c8ee.exe	Steam.exe
PID 2024 wrote to memory of 1188	2024	14929a757a1299c47ab1395a63d4c8ee.exe	Steam.exe
PID 2024 wrote to memory of 1188	2024	14929a757a1299c47ab1395a63d4c8ee.exe	Steam.exe
PID 2024 wrote to memory of 1188	2024	14929a757a1299c47ab1395a63d4c8ee.exe	Steam.exe

C:\Users\Admin\AppData\Local\Temp\14929a757a1299c47ab1395a63d4c8ee.exe
"C:\Users\Admin\AppData\Local\Temp\14929a757a1299c47ab1395a63d4c8ee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\Steam.exe
"C:\Users\Admin\AppData\Local\Temp\Steam.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1188

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Steam.exe
MD5
ccf6a95666b780aa1420ebc1eadc5463

SHA1
cb9f6d999959d4f7dbcc8b5d9b94913cb9db015b

SHA256
857a582cf3b9e8bfd6f65698a0879dc8b7c8361963505092b4af26d711f32b60

SHA512
bb6fc1a2996800185286c8e40c8e64ddfef732385f2cc678502efb3f64543275c985a3cc12ce94338ac48c995ffd9095b840c12b310ad34f395a66f70237665f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Steam.exe
MD5
ccf6a95666b780aa1420ebc1eadc5463

SHA1
cb9f6d999959d4f7dbcc8b5d9b94913cb9db015b

SHA256
857a582cf3b9e8bfd6f65698a0879dc8b7c8361963505092b4af26d711f32b60

SHA512
bb6fc1a2996800185286c8e40c8e64ddfef732385f2cc678502efb3f64543275c985a3cc12ce94338ac48c995ffd9095b840c12b310ad34f395a66f70237665f

Download Submit
\Users\Admin\AppData\Local\Temp\Steam.exe
MD5
ccf6a95666b780aa1420ebc1eadc5463

SHA1
cb9f6d999959d4f7dbcc8b5d9b94913cb9db015b

SHA256
857a582cf3b9e8bfd6f65698a0879dc8b7c8361963505092b4af26d711f32b60

SHA512
bb6fc1a2996800185286c8e40c8e64ddfef732385f2cc678502efb3f64543275c985a3cc12ce94338ac48c995ffd9095b840c12b310ad34f395a66f70237665f

Download Submit
\Users\Admin\AppData\Local\Temp\Steam.exe
MD5
ccf6a95666b780aa1420ebc1eadc5463

SHA1
cb9f6d999959d4f7dbcc8b5d9b94913cb9db015b

SHA256
857a582cf3b9e8bfd6f65698a0879dc8b7c8361963505092b4af26d711f32b60

SHA512
bb6fc1a2996800185286c8e40c8e64ddfef732385f2cc678502efb3f64543275c985a3cc12ce94338ac48c995ffd9095b840c12b310ad34f395a66f70237665f

Download Submit
memory/1188-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads