darkcomet | a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c

General

Target

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Size

742KB
MD5

7b4ad9815aa9ffb197aa5ba3a545136e
SHA1

811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6
SHA256

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c
SHA512

adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28

Score

10^/10

darkcomet sazan persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

192.168.1.105:1604

Mutex

DC_MUTEX-KWRE19J

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
dhFX5VGm1dAU
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

1964 msdcsc.exe

pid	process
1964	msdcsc.exe

Loads dropped DLL 2 IoCs

Processes:

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

pid	process
1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeSecurityPrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeTakeOwnershipPrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeLoadDriverPrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeSystemProfilePrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeSystemtimePrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeProfSingleProcessPrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeIncBasePriorityPrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeCreatePagefilePrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeBackupPrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeRestorePrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeShutdownPrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeDebugPrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeSystemEnvironmentPrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeChangeNotifyPrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeRemoteShutdownPrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeUndockPrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeManageVolumePrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeImpersonatePrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeCreateGlobalPrivilege	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: 33	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: 34	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: 35	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeIncreaseQuotaPrivilege	1964	msdcsc.exe
Token: SeSecurityPrivilege	1964	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1964	msdcsc.exe
Token: SeLoadDriverPrivilege	1964	msdcsc.exe
Token: SeSystemProfilePrivilege	1964	msdcsc.exe
Token: SeSystemtimePrivilege	1964	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1964	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1964	msdcsc.exe
Token: SeCreatePagefilePrivilege	1964	msdcsc.exe
Token: SeBackupPrivilege	1964	msdcsc.exe
Token: SeRestorePrivilege	1964	msdcsc.exe
Token: SeShutdownPrivilege	1964	msdcsc.exe
Token: SeDebugPrivilege	1964	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1964	msdcsc.exe
Token: SeChangeNotifyPrivilege	1964	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1964	msdcsc.exe
Token: SeUndockPrivilege	1964	msdcsc.exe
Token: SeManageVolumePrivilege	1964	msdcsc.exe
Token: SeImpersonatePrivilege	1964	msdcsc.exe
Token: SeCreateGlobalPrivilege	1964	msdcsc.exe
Token: 33	1964	msdcsc.exe
Token: 34	1964	msdcsc.exe
Token: 35	1964	msdcsc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

972 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

1964 msdcsc.exe

pid	process
972	DllHost.exe

pid	process
1964	msdcsc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

description	pid	process	target process
PID 1504 wrote to memory of 1964	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe	msdcsc.exe
PID 1504 wrote to memory of 1964	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe	msdcsc.exe
PID 1504 wrote to memory of 1964	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe	msdcsc.exe
PID 1504 wrote to memory of 1964	1504	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
"C:\Users\Admin\AppData\Local\Temp\a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MAXRESDEFAULT.JPG
Filesize
84KB

MD5
4fc9cda82e170c79dec1ace4c512801c

SHA1
077fc47cc9ff408747bb9823c18ad0e2833eac55

SHA256
9aed45e811acdb42763323e60dfa9b1e28fc6df520cc5a525c013335d82cebba

SHA512
3ca4ce50fd1a938225cd60fa15efd31007c7ccfb6ea2bc05cda499414ba35213a13e9631678690aaf2d8b1940993cfa34f42353ea4f0d7970f67acc48a572e17

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
742KB

MD5
7b4ad9815aa9ffb197aa5ba3a545136e

SHA1
811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6

SHA256
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c

SHA512
adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
742KB

MD5
7b4ad9815aa9ffb197aa5ba3a545136e

SHA1
811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6

SHA256
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c

SHA512
adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
742KB

MD5
7b4ad9815aa9ffb197aa5ba3a545136e

SHA1
811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6

SHA256
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c

SHA512
adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
742KB

MD5
7b4ad9815aa9ffb197aa5ba3a545136e

SHA1
811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6

SHA256
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c

SHA512
adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28

Download Submit
memory/1504-54-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/1964-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads