darkcomet | 2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb

General

Target

2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Size

252KB
MD5

4d254669a3288a023310caae738470c8
SHA1

5ed0204f0ee83c1129119de8538c28131cb11d4c
SHA256

2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb
SHA512

c285948dd5148de045e695903f36fc4ca894ca4dfedb1d49ee322c8acc90729238b69fb5b4f08124bda7bf709dd4f1fc4d2390aff7ddab6193ec4ec87cfcfaf6

Score

10^/10

darkcomet evasion persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

msdcsc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

4724 msdcsc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe

pid	process
4724	msdcsc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeSecurityPrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeTakeOwnershipPrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeLoadDriverPrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeSystemProfilePrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeSystemtimePrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeProfSingleProcessPrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeIncBasePriorityPrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeCreatePagefilePrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeBackupPrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeRestorePrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeShutdownPrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeDebugPrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeSystemEnvironmentPrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeChangeNotifyPrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeRemoteShutdownPrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeUndockPrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeManageVolumePrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeImpersonatePrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeCreateGlobalPrivilege	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: 33	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: 34	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: 35	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: 36	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
Token: SeIncreaseQuotaPrivilege	4724	msdcsc.exe
Token: SeSecurityPrivilege	4724	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4724	msdcsc.exe
Token: SeLoadDriverPrivilege	4724	msdcsc.exe
Token: SeSystemProfilePrivilege	4724	msdcsc.exe
Token: SeSystemtimePrivilege	4724	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4724	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4724	msdcsc.exe
Token: SeCreatePagefilePrivilege	4724	msdcsc.exe
Token: SeBackupPrivilege	4724	msdcsc.exe
Token: SeRestorePrivilege	4724	msdcsc.exe
Token: SeShutdownPrivilege	4724	msdcsc.exe
Token: SeDebugPrivilege	4724	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4724	msdcsc.exe
Token: SeChangeNotifyPrivilege	4724	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4724	msdcsc.exe
Token: SeUndockPrivilege	4724	msdcsc.exe
Token: SeManageVolumePrivilege	4724	msdcsc.exe
Token: SeImpersonatePrivilege	4724	msdcsc.exe
Token: SeCreateGlobalPrivilege	4724	msdcsc.exe
Token: 33	4724	msdcsc.exe
Token: 34	4724	msdcsc.exe
Token: 35	4724	msdcsc.exe
Token: 36	4724	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

4724 msdcsc.exe

pid	process
4724	msdcsc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe

description	pid	process	target process
PID 3956 wrote to memory of 4724	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe	msdcsc.exe
PID 3956 wrote to memory of 4724	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe	msdcsc.exe
PID 3956 wrote to memory of 4724	3956	2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe	msdcsc.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe
"C:\Users\Admin\AppData\Local\Temp\2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
2⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

6

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
252KB

MD5
4d254669a3288a023310caae738470c8

SHA1
5ed0204f0ee83c1129119de8538c28131cb11d4c

SHA256
2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb

SHA512
c285948dd5148de045e695903f36fc4ca894ca4dfedb1d49ee322c8acc90729238b69fb5b4f08124bda7bf709dd4f1fc4d2390aff7ddab6193ec4ec87cfcfaf6

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
252KB

MD5
4d254669a3288a023310caae738470c8

SHA1
5ed0204f0ee83c1129119de8538c28131cb11d4c

SHA256
2e7e6e2f4dfb425726c2c3a9712e3b4a37ff986181abc29c22d638bbd7b2a6fb

SHA512
c285948dd5148de045e695903f36fc4ca894ca4dfedb1d49ee322c8acc90729238b69fb5b4f08124bda7bf709dd4f1fc4d2390aff7ddab6193ec4ec87cfcfaf6

Download Submit
memory/4724-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads