darkcomet | bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32

General

Target

bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Size

759KB
MD5

0033390156302419d1c2443fb91b3b7d
SHA1

d1f62d7c700090f9d19a534109e783d13fd4ff48
SHA256

bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32
SHA512

17b88128a27d2ac444b71c31019eeda32dadd7ff14806e5210f33220eede8921c3fb2a1115fde157e33e1f87794420b6f720d347418d99cbeeeb30df6bec4b0d

Score

10^/10

darkcomet killme evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

killme

C2

exte.duckdns.org:1604

Mutex

DC_MUTEX-1B8PLBC

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Vb8gzzR5D30d
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe

Executes dropped EXE 2 IoCs

Processes:

LEGIT.EXEmsdcsc.exe

pid process

996 LEGIT.EXE
2844 msdcsc.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

LEGIT.EXE

pid	process
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE
996	LEGIT.EXE

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exemsdcsc.exeLEGIT.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeSecurityPrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeTakeOwnershipPrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeLoadDriverPrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeSystemProfilePrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeSystemtimePrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeProfSingleProcessPrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeIncBasePriorityPrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeCreatePagefilePrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeBackupPrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeRestorePrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeShutdownPrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeDebugPrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeSystemEnvironmentPrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeChangeNotifyPrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeRemoteShutdownPrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeUndockPrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeManageVolumePrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeImpersonatePrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeCreateGlobalPrivilege	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: 33	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: 34	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: 35	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: 36	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
Token: SeIncreaseQuotaPrivilege	2844	msdcsc.exe
Token: SeSecurityPrivilege	2844	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2844	msdcsc.exe
Token: SeLoadDriverPrivilege	2844	msdcsc.exe
Token: SeSystemProfilePrivilege	2844	msdcsc.exe
Token: SeSystemtimePrivilege	2844	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2844	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2844	msdcsc.exe
Token: SeCreatePagefilePrivilege	2844	msdcsc.exe
Token: SeBackupPrivilege	2844	msdcsc.exe
Token: SeRestorePrivilege	2844	msdcsc.exe
Token: SeShutdownPrivilege	2844	msdcsc.exe
Token: SeDebugPrivilege	2844	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2844	msdcsc.exe
Token: SeChangeNotifyPrivilege	2844	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2844	msdcsc.exe
Token: SeUndockPrivilege	2844	msdcsc.exe
Token: SeManageVolumePrivilege	2844	msdcsc.exe
Token: SeImpersonatePrivilege	2844	msdcsc.exe
Token: SeCreateGlobalPrivilege	2844	msdcsc.exe
Token: 33	2844	msdcsc.exe
Token: 34	2844	msdcsc.exe
Token: 35	2844	msdcsc.exe
Token: 36	2844	msdcsc.exe
Token: SeDebugPrivilege	996	LEGIT.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

2844 msdcsc.exe

pid	process
2844	msdcsc.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.execmd.execmd.exemsdcsc.exe

description	pid	process	target process
PID 1048 wrote to memory of 2796	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe	cmd.exe
PID 1048 wrote to memory of 2796	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe	cmd.exe
PID 1048 wrote to memory of 2796	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe	cmd.exe
PID 1048 wrote to memory of 2880	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe	cmd.exe
PID 1048 wrote to memory of 2880	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe	cmd.exe
PID 1048 wrote to memory of 2880	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe	cmd.exe
PID 1048 wrote to memory of 996	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe	LEGIT.EXE
PID 1048 wrote to memory of 996	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe	LEGIT.EXE
PID 1048 wrote to memory of 996	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe	LEGIT.EXE
PID 2880 wrote to memory of 3016	2880	cmd.exe	attrib.exe
PID 2880 wrote to memory of 3016	2880	cmd.exe	attrib.exe
PID 2880 wrote to memory of 3016	2880	cmd.exe	attrib.exe
PID 2796 wrote to memory of 2192	2796	cmd.exe	attrib.exe
PID 2796 wrote to memory of 2192	2796	cmd.exe	attrib.exe
PID 2796 wrote to memory of 2192	2796	cmd.exe	attrib.exe
PID 1048 wrote to memory of 2844	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe	msdcsc.exe
PID 1048 wrote to memory of 2844	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe	msdcsc.exe
PID 1048 wrote to memory of 2844	1048	bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe	msdcsc.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe
PID 2844 wrote to memory of 420	2844	msdcsc.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3016 attrib.exe
2192 attrib.exe

pid	process
3016	attrib.exe
2192	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe
"C:\Users\Admin\AppData\Local\Temp\bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32.exe" +s +h
3⤵
- Views/modifies file attributes
PID:2192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Views/modifies file attributes
PID:3016

C:\Users\Admin\AppData\Local\Temp\LEGIT.EXE
"C:\Users\Admin\AppData\Local\Temp\LEGIT.EXE"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LEGIT.EXE
MD5
5f7ab5d237a07802284d31cd63badce1

SHA1
607efffa330ffadcd869f5a69bc912e4f49841a3

SHA256
55f44e8df73184a7efb2ef53531637171221f47963060df1a455662fa4cf63d6

SHA512
428e802c318cd92d3ad0b2a2ede3cd2ed4bf1c0dc517ded1911b32bbfeb6b93be83d6be32b9ace6acea3f5dd386e15db8d3ae5b0924ddebabe8dda58e88c87a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEGIT.EXE
MD5
5f7ab5d237a07802284d31cd63badce1

SHA1
607efffa330ffadcd869f5a69bc912e4f49841a3

SHA256
55f44e8df73184a7efb2ef53531637171221f47963060df1a455662fa4cf63d6

SHA512
428e802c318cd92d3ad0b2a2ede3cd2ed4bf1c0dc517ded1911b32bbfeb6b93be83d6be32b9ace6acea3f5dd386e15db8d3ae5b0924ddebabe8dda58e88c87a9

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
0033390156302419d1c2443fb91b3b7d

SHA1
d1f62d7c700090f9d19a534109e783d13fd4ff48

SHA256
bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32

SHA512
17b88128a27d2ac444b71c31019eeda32dadd7ff14806e5210f33220eede8921c3fb2a1115fde157e33e1f87794420b6f720d347418d99cbeeeb30df6bec4b0d

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
0033390156302419d1c2443fb91b3b7d

SHA1
d1f62d7c700090f9d19a534109e783d13fd4ff48

SHA256
bf5450720dc7a16cf3a0a1555db7f297d01c30468b3d780b2cd17fc17e54fe32

SHA512
17b88128a27d2ac444b71c31019eeda32dadd7ff14806e5210f33220eede8921c3fb2a1115fde157e33e1f87794420b6f720d347418d99cbeeeb30df6bec4b0d

Download Submit
memory/420-16-0x0000000000000000-mapping.dmp

Download
memory/420-17-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/996-5-0x0000000000000000-mapping.dmp

Download
memory/996-10-0x0000000072080000-0x000000007276E000-memory.dmp

Filesize
6.9MB

Download
memory/996-11-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1048-2-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2192-8-0x0000000000000000-mapping.dmp

Download
memory/2796-3-0x0000000000000000-mapping.dmp

Download
memory/2844-13-0x0000000000000000-mapping.dmp

Download
memory/2844-18-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2880-4-0x0000000000000000-mapping.dmp

Download
memory/3016-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads