darkcomet | 12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687

General

Target

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Size

736KB
MD5

444b043b54a70aa68bce3cd8a48fbf02
SHA1

4ac6078a960f858bfa9ed7d5a94d7fb54b06f628
SHA256

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687
SHA512

9ae87b25e615ace26787abc3a0593f6e64766b661ebbde1bea098609fa257af9d3808974f9c2ab38232a0fba26852469473c1788596e6ade19133aaa8e5c26bd

Score

10^/10

darkcomet hf persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

HF

C2

179.43.150.105:1606

Mutex

DC_MUTEX-CNAFSEW

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Q9rRWez1PrbJ
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

Executes dropped EXE 2 IoCs

Processes:

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exemsdcsc.exe

pid process

1112 12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
1612 msdcsc.exe

pid	process
1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
1612	msdcsc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

description	pid	process	target process
PID 1496 set thread context of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

description	pid	process
Token: SeDebugPrivilege	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeIncreaseQuotaPrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeSecurityPrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeTakeOwnershipPrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeLoadDriverPrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeSystemProfilePrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeSystemtimePrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeProfSingleProcessPrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeIncBasePriorityPrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeCreatePagefilePrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeBackupPrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeRestorePrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeShutdownPrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeDebugPrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeSystemEnvironmentPrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeChangeNotifyPrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeRemoteShutdownPrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeUndockPrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeManageVolumePrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeImpersonatePrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: SeCreateGlobalPrivilege	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: 33	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: 34	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: 35	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Token: 36	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe

C:\Users\Admin\AppData\Local\Temp\12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
"C:\Users\Admin\AppData\Local\Temp\12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Roaming\Microsoft\12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Filesize
4KB

MD5
e1190859ab4f21e58d1873afc1b3cff2

SHA1
50d4f9f444dba70b9918c4b812b5d9a098e0f867

SHA256
9b6f8344738cd1b954066a8099333dfa46c360700d8113312e8f1f6f22afcb73

SHA512
f3924e6b6002e9122c9465d23ff5a574268800078e9fe6011e0d62dca6113ffaf786fa46338a02288d8059e09ef0e79ac96d004dacabcb708291cf4376294a38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
Filesize
4KB

MD5
e1190859ab4f21e58d1873afc1b3cff2

SHA1
50d4f9f444dba70b9918c4b812b5d9a098e0f867

SHA256
9b6f8344738cd1b954066a8099333dfa46c360700d8113312e8f1f6f22afcb73

SHA512
f3924e6b6002e9122c9465d23ff5a574268800078e9fe6011e0d62dca6113ffaf786fa46338a02288d8059e09ef0e79ac96d004dacabcb708291cf4376294a38

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
4KB

MD5
e1190859ab4f21e58d1873afc1b3cff2

SHA1
50d4f9f444dba70b9918c4b812b5d9a098e0f867

SHA256
9b6f8344738cd1b954066a8099333dfa46c360700d8113312e8f1f6f22afcb73

SHA512
f3924e6b6002e9122c9465d23ff5a574268800078e9fe6011e0d62dca6113ffaf786fa46338a02288d8059e09ef0e79ac96d004dacabcb708291cf4376294a38

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
4KB

MD5
e1190859ab4f21e58d1873afc1b3cff2

SHA1
50d4f9f444dba70b9918c4b812b5d9a098e0f867

SHA256
9b6f8344738cd1b954066a8099333dfa46c360700d8113312e8f1f6f22afcb73

SHA512
f3924e6b6002e9122c9465d23ff5a574268800078e9fe6011e0d62dca6113ffaf786fa46338a02288d8059e09ef0e79ac96d004dacabcb708291cf4376294a38

Download Submit
memory/1112-140-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-150-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-138-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-158-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-141-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-135-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-144-0x000000000048F888-mapping.dmp

Download
memory/1112-134-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-147-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-148-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-136-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1112-154-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1496-152-0x00007FFC2D760000-0x00007FFC2E644000-memory.dmp

Filesize
14.9MB

Download
memory/1496-153-0x00007FFC2CD20000-0x00007FFC2D756000-memory.dmp

Filesize
10.2MB

Download
memory/1496-151-0x00007FFC2CD20000-0x00007FFC2D756000-memory.dmp

Filesize
10.2MB

Download
memory/1496-133-0x00007FFC2D760000-0x00007FFC2E644000-memory.dmp

Filesize
14.9MB

Download
memory/1496-132-0x00007FFC2CD20000-0x00007FFC2D756000-memory.dmp

Filesize
10.2MB

Download
memory/1496-130-0x00007FFC2D760000-0x00007FFC2E644000-memory.dmp

Filesize
14.9MB

Download
memory/1612-155-0x0000000000000000-mapping.dmp

Download
memory/1612-159-0x0000000073440000-0x00000000739F1000-memory.dmp

Filesize
5.7MB

Download
memory/1612-160-0x0000000073440000-0x00000000739F1000-memory.dmp

Filesize
5.7MB

Download
memory/1612-161-0x0000000073E50000-0x0000000074950000-memory.dmp

Filesize
11.0MB

Download
memory/1612-162-0x0000000073E50000-0x0000000074950000-memory.dmp

Filesize
11.0MB

Download

description	pid	process	target process
PID 1496 wrote to memory of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1496 wrote to memory of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1496 wrote to memory of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1496 wrote to memory of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1496 wrote to memory of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1496 wrote to memory of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1496 wrote to memory of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1496 wrote to memory of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1496 wrote to memory of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1496 wrote to memory of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1496 wrote to memory of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1496 wrote to memory of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1496 wrote to memory of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1496 wrote to memory of 1112	1496	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe
PID 1112 wrote to memory of 1612	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	msdcsc.exe
PID 1112 wrote to memory of 1612	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	msdcsc.exe
PID 1112 wrote to memory of 1612	1112	12b85bcb0245b64c46003af12413079fb940fb307aeacad8533e442b988a8687.exe	msdcsc.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads