darkcomet | 12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687

General

Target

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Size

736KB
MD5

444b043b54a70aa68bce3cd8a48fbf02
SHA1

4ac6078a960f858bfa9ed7d5a94d7fb54b06f628
SHA256

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687
SHA512

9ae87b25e615ace26787abc3a0593f6e64766b661ebbde1bea098609fa257af9d3808974f9c2ab38232a0fba26852469473c1788596e6ade19133aaa8e5c26bd

Score

10^/10

darkcomet hf persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

179.43.150.105:1606

Mutex

DC_MUTEX-CNAFSEW

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Q9rRWez1PrbJ
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

Executes dropped EXE 2 IoCs

Processes:

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exemsdcsc.exe

pid process

1124 12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
1724 msdcsc.exe

Loads dropped DLL 2 IoCs

Processes:

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

pid	process
1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

description	pid	process	target process
PID 860 set thread context of 1124	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeSecurityPrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeTakeOwnershipPrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeLoadDriverPrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeSystemProfilePrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeSystemtimePrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeProfSingleProcessPrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeIncBasePriorityPrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeCreatePagefilePrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeBackupPrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeRestorePrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeShutdownPrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeDebugPrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeSystemEnvironmentPrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeChangeNotifyPrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeRemoteShutdownPrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeUndockPrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeManageVolumePrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeImpersonatePrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeCreateGlobalPrivilege	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: 33	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: 34	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: 35	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeDebugPrivilege	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

C:\Users\Admin\AppData\Local\Temp\12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
"C:\Users\Admin\AppData\Local\Temp\12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Roaming\Microsoft\12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1724

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Filesize
4KB

MD5
e1190859ab4f21e58d1873afc1b3cff2

SHA1
50d4f9f444dba70b9918c4b812b5d9a098e0f867

SHA256
9b6f8344738cd1b954066a8099333dfa46c360700d8113312e8f1f6f22afcb73

SHA512
f3924e6b6002e9122c9465d23ff5a574268800078e9fe6011e0d62dca6113ffaf786fa46338a02288d8059e09ef0e79ac96d004dacabcb708291cf4376294a38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Filesize
4KB

MD5
e1190859ab4f21e58d1873afc1b3cff2

SHA1
50d4f9f444dba70b9918c4b812b5d9a098e0f867

SHA256
9b6f8344738cd1b954066a8099333dfa46c360700d8113312e8f1f6f22afcb73

SHA512
f3924e6b6002e9122c9465d23ff5a574268800078e9fe6011e0d62dca6113ffaf786fa46338a02288d8059e09ef0e79ac96d004dacabcb708291cf4376294a38

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
4KB

MD5
e1190859ab4f21e58d1873afc1b3cff2

SHA1
50d4f9f444dba70b9918c4b812b5d9a098e0f867

SHA256
9b6f8344738cd1b954066a8099333dfa46c360700d8113312e8f1f6f22afcb73

SHA512
f3924e6b6002e9122c9465d23ff5a574268800078e9fe6011e0d62dca6113ffaf786fa46338a02288d8059e09ef0e79ac96d004dacabcb708291cf4376294a38

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
4KB

MD5
e1190859ab4f21e58d1873afc1b3cff2

SHA1
50d4f9f444dba70b9918c4b812b5d9a098e0f867

SHA256
9b6f8344738cd1b954066a8099333dfa46c360700d8113312e8f1f6f22afcb73

SHA512
f3924e6b6002e9122c9465d23ff5a574268800078e9fe6011e0d62dca6113ffaf786fa46338a02288d8059e09ef0e79ac96d004dacabcb708291cf4376294a38

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
4KB

MD5
e1190859ab4f21e58d1873afc1b3cff2

SHA1
50d4f9f444dba70b9918c4b812b5d9a098e0f867

SHA256
9b6f8344738cd1b954066a8099333dfa46c360700d8113312e8f1f6f22afcb73

SHA512
f3924e6b6002e9122c9465d23ff5a574268800078e9fe6011e0d62dca6113ffaf786fa46338a02288d8059e09ef0e79ac96d004dacabcb708291cf4376294a38

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
4KB

MD5
e1190859ab4f21e58d1873afc1b3cff2

SHA1
50d4f9f444dba70b9918c4b812b5d9a098e0f867

SHA256
9b6f8344738cd1b954066a8099333dfa46c360700d8113312e8f1f6f22afcb73

SHA512
f3924e6b6002e9122c9465d23ff5a574268800078e9fe6011e0d62dca6113ffaf786fa46338a02288d8059e09ef0e79ac96d004dacabcb708291cf4376294a38

Download Submit
memory/860-65-0x000007FEED6C0000-0x000007FEEE756000-memory.dmp

Filesize
16.6MB

Download
memory/860-60-0x000007FEF6010000-0x000007FEF6247000-memory.dmp

Filesize
2.2MB

Download
memory/860-54-0x000007FEF2940000-0x000007FEF3363000-memory.dmp

Filesize
10.1MB

Download
memory/860-102-0x000007FEED6C0000-0x000007FEEE756000-memory.dmp

Filesize
16.6MB

Download
memory/860-101-0x000007FEF6010000-0x000007FEF6247000-memory.dmp

Filesize
2.2MB

Download
memory/860-100-0x000007FEF2940000-0x000007FEF3363000-memory.dmp

Filesize
10.1MB

Download
memory/860-99-0x000007FEF3370000-0x000007FEF424C000-memory.dmp

Filesize
14.9MB

Download
memory/860-55-0x000007FEED6C0000-0x000007FEEE756000-memory.dmp

Filesize
16.6MB

Download
memory/860-56-0x000007FEF3370000-0x000007FEF424C000-memory.dmp

Filesize
14.9MB

Download
memory/860-57-0x000007FEF2940000-0x000007FEF3363000-memory.dmp

Filesize
10.1MB

Download
memory/1124-88-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1124-94-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1124-87-0x0000000074C81000-0x0000000074C83000-memory.dmp

Filesize
8KB

Download
memory/1124-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1124-86-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1124-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1124-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1124-84-0x000000000048F888-mapping.dmp

Download
memory/1124-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1124-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1124-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1124-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1124-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1124-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1724-98-0x0000000072890000-0x0000000073388000-memory.dmp

Filesize
11.0MB

Download
memory/1724-97-0x0000000073960000-0x0000000073F0B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-92-0x0000000000000000-mapping.dmp

Download

pid	process
1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
1724	msdcsc.exe

description	pid	process	target process
PID 860 wrote to memory of 1124	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 860 wrote to memory of 1124	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 860 wrote to memory of 1124	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 860 wrote to memory of 1124	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 860 wrote to memory of 1124	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 860 wrote to memory of 1124	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 860 wrote to memory of 1124	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 860 wrote to memory of 1124	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 860 wrote to memory of 1124	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 860 wrote to memory of 1124	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 860 wrote to memory of 1124	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 860 wrote to memory of 1124	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 860 wrote to memory of 1124	860	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1124 wrote to memory of 1724	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	msdcsc.exe
PID 1124 wrote to memory of 1724	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	msdcsc.exe
PID 1124 wrote to memory of 1724	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	msdcsc.exe
PID 1124 wrote to memory of 1724	1124	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	msdcsc.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads