darkcomet | c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843

General

Target

c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Size

283KB
MD5

3e2ce7ab165ab57cf04cfe8ae1583813
SHA1

1b43d9fb051b69ea883590f554b7d11495459977
SHA256

c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843
SHA512

88c7c570a5969e3f6d938e9b66286b81774de42aea8ae593f5d39874536049cd6d7d1fa19439348ae53f3a4a733b6653c6846de3dc0d92996b199d538bd198c9

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

1016 msdcsc.exe

pid	process
1016	msdcsc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

3244 notepad.exe

pid	process
3244	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeSecurityPrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeTakeOwnershipPrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeLoadDriverPrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeSystemProfilePrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeSystemtimePrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeProfSingleProcessPrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeIncBasePriorityPrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeCreatePagefilePrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeBackupPrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeRestorePrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeShutdownPrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeDebugPrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeSystemEnvironmentPrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeChangeNotifyPrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeRemoteShutdownPrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeUndockPrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeManageVolumePrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeImpersonatePrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeCreateGlobalPrivilege	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: 33	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: 34	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: 35	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: 36	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
Token: SeIncreaseQuotaPrivilege	1016	msdcsc.exe
Token: SeSecurityPrivilege	1016	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1016	msdcsc.exe
Token: SeLoadDriverPrivilege	1016	msdcsc.exe
Token: SeSystemProfilePrivilege	1016	msdcsc.exe
Token: SeSystemtimePrivilege	1016	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1016	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1016	msdcsc.exe
Token: SeCreatePagefilePrivilege	1016	msdcsc.exe
Token: SeBackupPrivilege	1016	msdcsc.exe
Token: SeRestorePrivilege	1016	msdcsc.exe
Token: SeShutdownPrivilege	1016	msdcsc.exe
Token: SeDebugPrivilege	1016	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1016	msdcsc.exe
Token: SeChangeNotifyPrivilege	1016	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1016	msdcsc.exe
Token: SeUndockPrivilege	1016	msdcsc.exe
Token: SeManageVolumePrivilege	1016	msdcsc.exe
Token: SeImpersonatePrivilege	1016	msdcsc.exe
Token: SeCreateGlobalPrivilege	1016	msdcsc.exe
Token: 33	1016	msdcsc.exe
Token: 34	1016	msdcsc.exe
Token: 35	1016	msdcsc.exe
Token: 36	1016	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

1016 msdcsc.exe

pid	process
1016	msdcsc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe

description	pid	process	target process
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 3244	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	notepad.exe
PID 672 wrote to memory of 1016	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	msdcsc.exe
PID 672 wrote to memory of 1016	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	msdcsc.exe
PID 672 wrote to memory of 1016	672	c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe
"C:\Users\Admin\AppData\Local\Temp\c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Deletes itself
PID:3244

C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
MD5
3e2ce7ab165ab57cf04cfe8ae1583813

SHA1
1b43d9fb051b69ea883590f554b7d11495459977

SHA256
c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843

SHA512
88c7c570a5969e3f6d938e9b66286b81774de42aea8ae593f5d39874536049cd6d7d1fa19439348ae53f3a4a733b6653c6846de3dc0d92996b199d538bd198c9

Download Submit
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
MD5
3e2ce7ab165ab57cf04cfe8ae1583813

SHA1
1b43d9fb051b69ea883590f554b7d11495459977

SHA256
c71d85fa9976fc49b3bd3eceb8aeaade3167a9a61a12cd0efee58218189e4843

SHA512
88c7c570a5969e3f6d938e9b66286b81774de42aea8ae593f5d39874536049cd6d7d1fa19439348ae53f3a4a733b6653c6846de3dc0d92996b199d538bd198c9

Download Submit
memory/672-114-0x0000000000A90000-0x0000000000BCC000-memory.dmp

Filesize
1.2MB

Download
memory/1016-117-0x0000000000000000-mapping.dmp

Download
memory/1016-120-0x0000000000620000-0x000000000076A000-memory.dmp

Filesize
1.3MB

Download
memory/3244-115-0x0000000000000000-mapping.dmp

Download
memory/3244-116-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads