darkcomet | aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee

General

Target

aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Size

690KB
MD5

2194793f9dcc7cc77d208c1f2b1e7e2c
SHA1

bbfe71946bcc3e94eb7032485da79a1186981e6b
SHA256

aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee
SHA512

41c2c41b2ab78c8c9df63d4ebe5eb7cc927422324b744a8734caf633a7fbfba6c5063fd8807d47417228aa81e04664901444e9cbcb224f80e646b3b598176e7a

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.1.4:1604

Mutex

DC_MUTEX-PZNKCGY

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
AQtHj77eZQcF
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

3436 msdcsc.exe

pid	process
3436	msdcsc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeSecurityPrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeTakeOwnershipPrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeLoadDriverPrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeSystemProfilePrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeSystemtimePrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeProfSingleProcessPrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeIncBasePriorityPrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeCreatePagefilePrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeBackupPrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeRestorePrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeShutdownPrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeDebugPrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeSystemEnvironmentPrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeChangeNotifyPrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeRemoteShutdownPrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeUndockPrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeManageVolumePrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeImpersonatePrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeCreateGlobalPrivilege	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: 33	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: 34	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: 35	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: 36	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
Token: SeIncreaseQuotaPrivilege	3436	msdcsc.exe
Token: SeSecurityPrivilege	3436	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3436	msdcsc.exe
Token: SeLoadDriverPrivilege	3436	msdcsc.exe
Token: SeSystemProfilePrivilege	3436	msdcsc.exe
Token: SeSystemtimePrivilege	3436	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3436	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3436	msdcsc.exe
Token: SeCreatePagefilePrivilege	3436	msdcsc.exe
Token: SeBackupPrivilege	3436	msdcsc.exe
Token: SeRestorePrivilege	3436	msdcsc.exe
Token: SeShutdownPrivilege	3436	msdcsc.exe
Token: SeDebugPrivilege	3436	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3436	msdcsc.exe
Token: SeChangeNotifyPrivilege	3436	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3436	msdcsc.exe
Token: SeUndockPrivilege	3436	msdcsc.exe
Token: SeManageVolumePrivilege	3436	msdcsc.exe
Token: SeImpersonatePrivilege	3436	msdcsc.exe
Token: SeCreateGlobalPrivilege	3436	msdcsc.exe
Token: 33	3436	msdcsc.exe
Token: 34	3436	msdcsc.exe
Token: 35	3436	msdcsc.exe
Token: 36	3436	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

3436 msdcsc.exe

pid	process
3436	msdcsc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe

description	pid	process	target process
PID 4324 wrote to memory of 3436	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe	msdcsc.exe
PID 4324 wrote to memory of 3436	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe	msdcsc.exe
PID 4324 wrote to memory of 3436	4324	aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe
"C:\Users\Admin\AppData\Local\Temp\aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
690KB

MD5
2194793f9dcc7cc77d208c1f2b1e7e2c

SHA1
bbfe71946bcc3e94eb7032485da79a1186981e6b

SHA256
aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee

SHA512
41c2c41b2ab78c8c9df63d4ebe5eb7cc927422324b744a8734caf633a7fbfba6c5063fd8807d47417228aa81e04664901444e9cbcb224f80e646b3b598176e7a

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
690KB

MD5
2194793f9dcc7cc77d208c1f2b1e7e2c

SHA1
bbfe71946bcc3e94eb7032485da79a1186981e6b

SHA256
aad73bfd7a30fb114cec0596fdd818edb7ddda1d27856682cf3134dcc3de0eee

SHA512
41c2c41b2ab78c8c9df63d4ebe5eb7cc927422324b744a8734caf633a7fbfba6c5063fd8807d47417228aa81e04664901444e9cbcb224f80e646b3b598176e7a

Download Submit
memory/3436-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads