darkcomet | a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c

General

Target

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Size

742KB
MD5

7b4ad9815aa9ffb197aa5ba3a545136e
SHA1

811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6
SHA256

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c
SHA512

adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28

Score

10^/10

darkcomet sazan persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Sazan

C2

192.168.1.105:1604

Mutex

DC_MUTEX-KWRE19J

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
dhFX5VGm1dAU
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

3616 msdcsc.exe

pid	process
3616	msdcsc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeSecurityPrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeTakeOwnershipPrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeLoadDriverPrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeSystemProfilePrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeSystemtimePrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeProfSingleProcessPrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeIncBasePriorityPrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeCreatePagefilePrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeBackupPrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeRestorePrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeShutdownPrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeDebugPrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeSystemEnvironmentPrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeChangeNotifyPrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeRemoteShutdownPrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeUndockPrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeManageVolumePrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeImpersonatePrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeCreateGlobalPrivilege	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: 33	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: 34	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: 35	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: 36	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
Token: SeIncreaseQuotaPrivilege	3616	msdcsc.exe
Token: SeSecurityPrivilege	3616	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3616	msdcsc.exe
Token: SeLoadDriverPrivilege	3616	msdcsc.exe
Token: SeSystemProfilePrivilege	3616	msdcsc.exe
Token: SeSystemtimePrivilege	3616	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3616	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3616	msdcsc.exe
Token: SeCreatePagefilePrivilege	3616	msdcsc.exe
Token: SeBackupPrivilege	3616	msdcsc.exe
Token: SeRestorePrivilege	3616	msdcsc.exe
Token: SeShutdownPrivilege	3616	msdcsc.exe
Token: SeDebugPrivilege	3616	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3616	msdcsc.exe
Token: SeChangeNotifyPrivilege	3616	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3616	msdcsc.exe
Token: SeUndockPrivilege	3616	msdcsc.exe
Token: SeManageVolumePrivilege	3616	msdcsc.exe
Token: SeImpersonatePrivilege	3616	msdcsc.exe
Token: SeCreateGlobalPrivilege	3616	msdcsc.exe
Token: 33	3616	msdcsc.exe
Token: 34	3616	msdcsc.exe
Token: 35	3616	msdcsc.exe
Token: 36	3616	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

3616 msdcsc.exe

pid	process
3616	msdcsc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe

description	pid	process	target process
PID 2204 wrote to memory of 3616	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe	msdcsc.exe
PID 2204 wrote to memory of 3616	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe	msdcsc.exe
PID 2204 wrote to memory of 3616	2204	a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe
"C:\Users\Admin\AppData\Local\Temp\a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
742KB

MD5
7b4ad9815aa9ffb197aa5ba3a545136e

SHA1
811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6

SHA256
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c

SHA512
adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
742KB

MD5
7b4ad9815aa9ffb197aa5ba3a545136e

SHA1
811fc574e57f7d4de796d8e3e1b090f7fb8a3ff6

SHA256
a404b48584bf31dce8ddd6eda479abad10abd78b90d7905d2d2064155729d70c

SHA512
adf05818c131811f40b6b24c376a4861d5e292144647b5d1383d110a6db9120e92a4847b0ab2363378ff1aead7b9281e546e600049b98d7297bdb8cdf1cfbe28

Download Submit
memory/3616-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads