darkcomet | 8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5

General

Target

8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Size

658KB
MD5

f979bb14551c7b5166c2564f0cb81b17
SHA1

8ee1be6c76d7a2a1179564bd0e12bb94a603402c
SHA256

8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5
SHA512

232f74ea88561f67e5a3095b83681e4f35e49e5c877e81c23cf9b04994a299e8fd981e2efae97297e6f4226ad7d7f49bd2ee4eb4d0d9a4162f22dd2749e8af23

Score

10^/10

darkcomet all evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

All

C2

192.168.0.102:1604

192.168.0.102:81

Mutex

DC_MUTEX-GRA2N0X

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
jqHg0YaebT2u
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe

Disables RegEdit via registry modification
evasion
Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

1792 msdcsc.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
1792	msdcsc.exe

Loads dropped DLL 2 IoCs

Processes:

8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe

pid	process
2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msdcsc.exe

pid process

1792 msdcsc.exe

pid	process
1792	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeSecurityPrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeTakeOwnershipPrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeLoadDriverPrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeSystemProfilePrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeSystemtimePrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeProfSingleProcessPrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeIncBasePriorityPrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeCreatePagefilePrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeBackupPrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeRestorePrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeShutdownPrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeDebugPrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeSystemEnvironmentPrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeChangeNotifyPrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeRemoteShutdownPrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeUndockPrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeManageVolumePrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeImpersonatePrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeCreateGlobalPrivilege	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: 33	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: 34	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: 35	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
Token: SeIncreaseQuotaPrivilege	1792	msdcsc.exe
Token: SeSecurityPrivilege	1792	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1792	msdcsc.exe
Token: SeLoadDriverPrivilege	1792	msdcsc.exe
Token: SeSystemProfilePrivilege	1792	msdcsc.exe
Token: SeSystemtimePrivilege	1792	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1792	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1792	msdcsc.exe
Token: SeCreatePagefilePrivilege	1792	msdcsc.exe
Token: SeBackupPrivilege	1792	msdcsc.exe
Token: SeRestorePrivilege	1792	msdcsc.exe
Token: SeShutdownPrivilege	1792	msdcsc.exe
Token: SeDebugPrivilege	1792	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1792	msdcsc.exe
Token: SeChangeNotifyPrivilege	1792	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1792	msdcsc.exe
Token: SeUndockPrivilege	1792	msdcsc.exe
Token: SeManageVolumePrivilege	1792	msdcsc.exe
Token: SeImpersonatePrivilege	1792	msdcsc.exe
Token: SeCreateGlobalPrivilege	1792	msdcsc.exe
Token: 33	1792	msdcsc.exe
Token: 34	1792	msdcsc.exe
Token: 35	1792	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

1792 msdcsc.exe

pid	process
1792	msdcsc.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.execmd.execmd.exemsdcsc.exe

description	pid	process	target process
PID 2004 wrote to memory of 1168	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe	cmd.exe
PID 2004 wrote to memory of 1168	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe	cmd.exe
PID 2004 wrote to memory of 1168	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe	cmd.exe
PID 2004 wrote to memory of 1168	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe	cmd.exe
PID 2004 wrote to memory of 1636	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe	cmd.exe
PID 2004 wrote to memory of 1636	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe	cmd.exe
PID 2004 wrote to memory of 1636	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe	cmd.exe
PID 2004 wrote to memory of 1636	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe	cmd.exe
PID 1636 wrote to memory of 1596	1636	cmd.exe	attrib.exe
PID 1636 wrote to memory of 1596	1636	cmd.exe	attrib.exe
PID 1636 wrote to memory of 1596	1636	cmd.exe	attrib.exe
PID 1636 wrote to memory of 1596	1636	cmd.exe	attrib.exe
PID 1168 wrote to memory of 1740	1168	cmd.exe	attrib.exe
PID 1168 wrote to memory of 1740	1168	cmd.exe	attrib.exe
PID 1168 wrote to memory of 1740	1168	cmd.exe	attrib.exe
PID 1168 wrote to memory of 1740	1168	cmd.exe	attrib.exe
PID 2004 wrote to memory of 1792	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe	msdcsc.exe
PID 2004 wrote to memory of 1792	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe	msdcsc.exe
PID 2004 wrote to memory of 1792	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe	msdcsc.exe
PID 2004 wrote to memory of 1792	2004	8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe	msdcsc.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe
PID 1792 wrote to memory of 1692	1792	msdcsc.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1596 attrib.exe
1740 attrib.exe

pid	process
1596	attrib.exe
1740	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe
"C:\Users\Admin\AppData\Local\Temp\8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5.exe" +s +h
3⤵
- Views/modifies file attributes
PID:1740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Views/modifies file attributes
PID:1596

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
MD5
f979bb14551c7b5166c2564f0cb81b17

SHA1
8ee1be6c76d7a2a1179564bd0e12bb94a603402c

SHA256
8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5

SHA512
232f74ea88561f67e5a3095b83681e4f35e49e5c877e81c23cf9b04994a299e8fd981e2efae97297e6f4226ad7d7f49bd2ee4eb4d0d9a4162f22dd2749e8af23

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
MD5
f979bb14551c7b5166c2564f0cb81b17

SHA1
8ee1be6c76d7a2a1179564bd0e12bb94a603402c

SHA256
8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5

SHA512
232f74ea88561f67e5a3095b83681e4f35e49e5c877e81c23cf9b04994a299e8fd981e2efae97297e6f4226ad7d7f49bd2ee4eb4d0d9a4162f22dd2749e8af23

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
MD5
f979bb14551c7b5166c2564f0cb81b17

SHA1
8ee1be6c76d7a2a1179564bd0e12bb94a603402c

SHA256
8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5

SHA512
232f74ea88561f67e5a3095b83681e4f35e49e5c877e81c23cf9b04994a299e8fd981e2efae97297e6f4226ad7d7f49bd2ee4eb4d0d9a4162f22dd2749e8af23

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
MD5
f979bb14551c7b5166c2564f0cb81b17

SHA1
8ee1be6c76d7a2a1179564bd0e12bb94a603402c

SHA256
8644f9c0bdda59237eddd3272a41a41633abaeff3668ddcd71a54610456288b5

SHA512
232f74ea88561f67e5a3095b83681e4f35e49e5c877e81c23cf9b04994a299e8fd981e2efae97297e6f4226ad7d7f49bd2ee4eb4d0d9a4162f22dd2749e8af23

Download Submit
memory/1168-60-0x0000000000000000-mapping.dmp

Download
memory/1596-62-0x0000000000000000-mapping.dmp

Download
memory/1636-61-0x0000000000000000-mapping.dmp

Download
memory/1692-71-0x0000000000000000-mapping.dmp

Download
memory/1692-74-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1740-63-0x0000000000000000-mapping.dmp

Download
memory/1792-67-0x0000000000000000-mapping.dmp

Download
memory/1792-73-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2004-64-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2004-59-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads