darkcomet | e50cf3f7139ac7f4924b835334a98f7c426b66d0d19e986d885bd4080433d7bd

General

Target

Подключение к Cheater HAer VPsu202epdr.exe
Size

1.2MB
MD5

89819d45a907c55d273e9d4e2a64f2a9
SHA1

18db069eb82c31af3cb577ea392e4b42775d37f4
SHA256

e50cf3f7139ac7f4924b835334a98f7c426b66d0d19e986d885bd4080433d7bd
SHA512

bb2eee52e673c8e2ae44c60f0df8dc69890df2108f5278f1928f207055d5e8660fd8d8eaab9d67ee3ed950574184cbc94af77d831b601323afc31d715b9ec248

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

radgoodnow.mooo.com:7777

Mutex

DC_MUTEX-0E720ZB

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
ReysmuLVc5ah
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	RegAsm.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

1796 msdcsc.exe
Loads dropped DLL 1 IoCs

Processes:

RegAsm.exe

pid process

1624 RegAsm.exe

pid	process
1796	msdcsc.exe

pid	process
1624	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Подключение к Cheater HAer VPsu202epdr.exe

description pid process target process

PID 1848 set thread context of 1624 1848 Подключение к Cheater HAer VPsu202epdr.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1848 set thread context of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1624	RegAsm.exe
Token: SeSecurityPrivilege	1624	RegAsm.exe
Token: SeTakeOwnershipPrivilege	1624	RegAsm.exe
Token: SeLoadDriverPrivilege	1624	RegAsm.exe
Token: SeSystemProfilePrivilege	1624	RegAsm.exe
Token: SeSystemtimePrivilege	1624	RegAsm.exe
Token: SeProfSingleProcessPrivilege	1624	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1624	RegAsm.exe
Token: SeCreatePagefilePrivilege	1624	RegAsm.exe
Token: SeBackupPrivilege	1624	RegAsm.exe
Token: SeRestorePrivilege	1624	RegAsm.exe
Token: SeShutdownPrivilege	1624	RegAsm.exe
Token: SeDebugPrivilege	1624	RegAsm.exe
Token: SeSystemEnvironmentPrivilege	1624	RegAsm.exe
Token: SeChangeNotifyPrivilege	1624	RegAsm.exe
Token: SeRemoteShutdownPrivilege	1624	RegAsm.exe
Token: SeUndockPrivilege	1624	RegAsm.exe
Token: SeManageVolumePrivilege	1624	RegAsm.exe
Token: SeImpersonatePrivilege	1624	RegAsm.exe
Token: SeCreateGlobalPrivilege	1624	RegAsm.exe
Token: 33	1624	RegAsm.exe
Token: 34	1624	RegAsm.exe
Token: 35	1624	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Подключение к Cheater HAer VPsu202epdr.exeRegAsm.exe

description	pid	process	target process
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1848 wrote to memory of 1624	1848	Подключение к Cheater HAer VPsu202epdr.exe	RegAsm.exe
PID 1624 wrote to memory of 1796	1624	RegAsm.exe	msdcsc.exe
PID 1624 wrote to memory of 1796	1624	RegAsm.exe	msdcsc.exe
PID 1624 wrote to memory of 1796	1624	RegAsm.exe	msdcsc.exe
PID 1624 wrote to memory of 1796	1624	RegAsm.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\Подключение к Cheater HAer VPsu202epdr.exe
"C:\Users\Admin\AppData\Local\Temp\Подключение к Cheater HAer VPsu202epdr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1796

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1624-64-0x000000000048F888-mapping.dmp

Download
memory/1624-63-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1624-65-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1624-71-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1624-72-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1796-67-0x0000000000000000-mapping.dmp

Download
memory/1796-70-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/1848-59-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/1848-62-0x0000000004940000-0x0000000004A2A000-memory.dmp

Filesize
936KB

Download
memory/1848-61-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads