darkcomet | e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2

General

Target

e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
Size

1.5MB
MD5

f548e99a9e0b219930e28696a0979619
SHA1

fc09b9c82ac761f28a04c2d4d3bdf07b000d6b47
SHA256

e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2
SHA512

bf875c949a83a1babd1f6c91fc707aac7e759cfa043f7289c96ff1ebdee30ea423277896cd2ebabfaf206d4a8e81a708aa93cdbe2d6255487582ff85d50aded7

Score

10^/10

darkcomet sazan evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

127.0.0.1:1604

Mutex

DC_MUTEX-SWYB0HA

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
jA5Q6JBljsdN
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

1232 msdcsc.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Loads dropped DLL 1 IoCs

Processes:

vbc.exe

pid process

2024 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1232	msdcsc.exe

pid	process
2024	vbc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exevbc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft@Service = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe"	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe

description	pid	process	target process
PID 1112 set thread context of 2024	1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe	vbc.exe

Drops file in Windows directory 2 IoCs

Processes:

attrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319	attrib.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2024	vbc.exe
Token: SeSecurityPrivilege	2024	vbc.exe
Token: SeTakeOwnershipPrivilege	2024	vbc.exe
Token: SeLoadDriverPrivilege	2024	vbc.exe
Token: SeSystemProfilePrivilege	2024	vbc.exe
Token: SeSystemtimePrivilege	2024	vbc.exe
Token: SeProfSingleProcessPrivilege	2024	vbc.exe
Token: SeIncBasePriorityPrivilege	2024	vbc.exe
Token: SeCreatePagefilePrivilege	2024	vbc.exe
Token: SeBackupPrivilege	2024	vbc.exe
Token: SeRestorePrivilege	2024	vbc.exe
Token: SeShutdownPrivilege	2024	vbc.exe
Token: SeDebugPrivilege	2024	vbc.exe
Token: SeSystemEnvironmentPrivilege	2024	vbc.exe
Token: SeChangeNotifyPrivilege	2024	vbc.exe
Token: SeRemoteShutdownPrivilege	2024	vbc.exe
Token: SeUndockPrivilege	2024	vbc.exe
Token: SeManageVolumePrivilege	2024	vbc.exe
Token: SeImpersonatePrivilege	2024	vbc.exe
Token: SeCreateGlobalPrivilege	2024	vbc.exe
Token: 33	2024	vbc.exe
Token: 34	2024	vbc.exe
Token: 35	2024	vbc.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe

pid	process
1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe

pid	process
1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exevbc.execmd.execmd.exe

description	pid	process	target process
PID 1112 wrote to memory of 2024	1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe	vbc.exe
PID 1112 wrote to memory of 2024	1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe	vbc.exe
PID 1112 wrote to memory of 2024	1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe	vbc.exe
PID 1112 wrote to memory of 2024	1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe	vbc.exe
PID 1112 wrote to memory of 2024	1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe	vbc.exe
PID 1112 wrote to memory of 2024	1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe	vbc.exe
PID 1112 wrote to memory of 2024	1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe	vbc.exe
PID 1112 wrote to memory of 2024	1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe	vbc.exe
PID 1112 wrote to memory of 2024	1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe	vbc.exe
PID 1112 wrote to memory of 2024	1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe	vbc.exe
PID 1112 wrote to memory of 2024	1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe	vbc.exe
PID 1112 wrote to memory of 2024	1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe	vbc.exe
PID 1112 wrote to memory of 2024	1112	e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe	vbc.exe
PID 2024 wrote to memory of 1580	2024	vbc.exe	cmd.exe
PID 2024 wrote to memory of 1580	2024	vbc.exe	cmd.exe
PID 2024 wrote to memory of 1580	2024	vbc.exe	cmd.exe
PID 2024 wrote to memory of 1580	2024	vbc.exe	cmd.exe
PID 2024 wrote to memory of 1556	2024	vbc.exe	cmd.exe
PID 2024 wrote to memory of 1556	2024	vbc.exe	cmd.exe
PID 2024 wrote to memory of 1556	2024	vbc.exe	cmd.exe
PID 2024 wrote to memory of 1556	2024	vbc.exe	cmd.exe
PID 1580 wrote to memory of 1480	1580	cmd.exe	attrib.exe
PID 1580 wrote to memory of 1480	1580	cmd.exe	attrib.exe
PID 1580 wrote to memory of 1480	1580	cmd.exe	attrib.exe
PID 1580 wrote to memory of 1480	1580	cmd.exe	attrib.exe
PID 1556 wrote to memory of 1904	1556	cmd.exe	attrib.exe
PID 1556 wrote to memory of 1904	1556	cmd.exe	attrib.exe
PID 1556 wrote to memory of 1904	1556	cmd.exe	attrib.exe
PID 1556 wrote to memory of 1904	1556	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1232	2024	vbc.exe	msdcsc.exe
PID 2024 wrote to memory of 1232	2024	vbc.exe	msdcsc.exe
PID 2024 wrote to memory of 1232	2024	vbc.exe	msdcsc.exe
PID 2024 wrote to memory of 1232	2024	vbc.exe	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1904 attrib.exe
1480 attrib.exe

pid	process
1904	attrib.exe
1480	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe
"C:\Users\Admin\AppData\Local\Temp\e0380fd96474eebdde85471abc553c688cef21db70120fb7352151ad58c954a2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" +s +h
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v4.0.30319" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v4.0.30319" +s +h
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1904

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1232

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

2

T1158

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
memory/1112-54-0x0000000075871000-0x0000000075873000-memory.dmp

Filesize
8KB

Download
memory/1232-65-0x0000000000000000-mapping.dmp

Download
memory/1480-60-0x0000000000000000-mapping.dmp

Download
memory/1556-59-0x0000000000000000-mapping.dmp

Download
memory/1580-58-0x0000000000000000-mapping.dmp

Download
memory/1904-61-0x0000000000000000-mapping.dmp

Download
memory/2024-63-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2024-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2024-56-0x000000000048F888-mapping.dmp

Download
memory/2024-55-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads