darkcomet | ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c

General

Target

ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe
Size

1.2MB
MD5

33fdbcf3a82778a8ea00249107bc8fe5
SHA1

202fa6601456532d10ffe3060d5a7ad92b53c072
SHA256

ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c
SHA512

0ec581b76f5a7ba20ccdabdda7ab4a4df79e4e99bbf7c6b60118965b271025a1d2c9ed57661cdc7fdbcd05f1a4e83d3e64444b18bbe312460b5f1168f8ab624a
SSDEEP

12288:lMEybYDzia5HqVG2Xc9cRYBfoozHwC1qgdB/Cfv2XyTkKORtRWAsENB0GSEMkN91:C9XHR0Q4/CGXyTn7AsENBprMMNvX5

Score

10^/10

darkcomet zombie evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Zombie

C2

anonymous-hr.zapto.org:5150

127.0.0.1:5150

Mutex

DC_MUTEX-A7UL2P5

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
5dY8i3S9M0Ys
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

cf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	cf.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msdcsc.exeiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	iexplore.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	iexplore.exe

Executes dropped EXE 2 IoCs

Processes:

cf.exemsdcsc.exe

pid process

276 cf.exe
1936 msdcsc.exe
Loads dropped DLL 2 IoCs

Processes:

cf.exe

pid process

276 cf.exe
276 cf.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

msdcsc.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe

pid	process
276	cf.exe
1936	msdcsc.exe

pid	process
276	cf.exe
276	cf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	cf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msdcsc.exe

description pid process target process

PID 1936 set thread context of 524 1936 msdcsc.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1936 set thread context of 524	1936	msdcsc.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.execf.exemsdcsc.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	1492	ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe
Token: SeIncreaseQuotaPrivilege	276	cf.exe
Token: SeSecurityPrivilege	276	cf.exe
Token: SeTakeOwnershipPrivilege	276	cf.exe
Token: SeLoadDriverPrivilege	276	cf.exe
Token: SeSystemProfilePrivilege	276	cf.exe
Token: SeSystemtimePrivilege	276	cf.exe
Token: SeProfSingleProcessPrivilege	276	cf.exe
Token: SeIncBasePriorityPrivilege	276	cf.exe
Token: SeCreatePagefilePrivilege	276	cf.exe
Token: SeBackupPrivilege	276	cf.exe
Token: SeRestorePrivilege	276	cf.exe
Token: SeShutdownPrivilege	276	cf.exe
Token: SeDebugPrivilege	276	cf.exe
Token: SeSystemEnvironmentPrivilege	276	cf.exe
Token: SeChangeNotifyPrivilege	276	cf.exe
Token: SeRemoteShutdownPrivilege	276	cf.exe
Token: SeUndockPrivilege	276	cf.exe
Token: SeManageVolumePrivilege	276	cf.exe
Token: SeImpersonatePrivilege	276	cf.exe
Token: SeCreateGlobalPrivilege	276	cf.exe
Token: 33	276	cf.exe
Token: 34	276	cf.exe
Token: 35	276	cf.exe
Token: SeIncreaseQuotaPrivilege	1936	msdcsc.exe
Token: SeSecurityPrivilege	1936	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1936	msdcsc.exe
Token: SeLoadDriverPrivilege	1936	msdcsc.exe
Token: SeSystemProfilePrivilege	1936	msdcsc.exe
Token: SeSystemtimePrivilege	1936	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1936	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1936	msdcsc.exe
Token: SeCreatePagefilePrivilege	1936	msdcsc.exe
Token: SeBackupPrivilege	1936	msdcsc.exe
Token: SeRestorePrivilege	1936	msdcsc.exe
Token: SeShutdownPrivilege	1936	msdcsc.exe
Token: SeDebugPrivilege	1936	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1936	msdcsc.exe
Token: SeChangeNotifyPrivilege	1936	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1936	msdcsc.exe
Token: SeUndockPrivilege	1936	msdcsc.exe
Token: SeManageVolumePrivilege	1936	msdcsc.exe
Token: SeImpersonatePrivilege	1936	msdcsc.exe
Token: SeCreateGlobalPrivilege	1936	msdcsc.exe
Token: 33	1936	msdcsc.exe
Token: 34	1936	msdcsc.exe
Token: 35	1936	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	524	iexplore.exe
Token: SeSecurityPrivilege	524	iexplore.exe
Token: SeTakeOwnershipPrivilege	524	iexplore.exe
Token: SeLoadDriverPrivilege	524	iexplore.exe
Token: SeSystemProfilePrivilege	524	iexplore.exe
Token: SeSystemtimePrivilege	524	iexplore.exe
Token: SeProfSingleProcessPrivilege	524	iexplore.exe
Token: SeIncBasePriorityPrivilege	524	iexplore.exe
Token: SeCreatePagefilePrivilege	524	iexplore.exe
Token: SeBackupPrivilege	524	iexplore.exe
Token: SeRestorePrivilege	524	iexplore.exe
Token: SeShutdownPrivilege	524	iexplore.exe
Token: SeDebugPrivilege	524	iexplore.exe
Token: SeSystemEnvironmentPrivilege	524	iexplore.exe
Token: SeChangeNotifyPrivilege	524	iexplore.exe
Token: SeRemoteShutdownPrivilege	524	iexplore.exe
Token: SeUndockPrivilege	524	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

524 iexplore.exe

pid	process
524	iexplore.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.execf.exemsdcsc.exe

description	pid	process	target process
PID 1492 wrote to memory of 276	1492	ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe	cf.exe
PID 1492 wrote to memory of 276	1492	ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe	cf.exe
PID 1492 wrote to memory of 276	1492	ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe	cf.exe
PID 1492 wrote to memory of 276	1492	ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe	cf.exe
PID 276 wrote to memory of 1936	276	cf.exe	msdcsc.exe
PID 276 wrote to memory of 1936	276	cf.exe	msdcsc.exe
PID 276 wrote to memory of 1936	276	cf.exe	msdcsc.exe
PID 276 wrote to memory of 1936	276	cf.exe	msdcsc.exe
PID 1936 wrote to memory of 524	1936	msdcsc.exe	iexplore.exe
PID 1936 wrote to memory of 524	1936	msdcsc.exe	iexplore.exe
PID 1936 wrote to memory of 524	1936	msdcsc.exe	iexplore.exe
PID 1936 wrote to memory of 524	1936	msdcsc.exe	iexplore.exe
PID 1936 wrote to memory of 524	1936	msdcsc.exe	iexplore.exe
PID 1936 wrote to memory of 524	1936	msdcsc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe
"C:\Users\Admin\AppData\Local\Temp\ba8047a4d2173823a99c4ca93ec07ecf94e7f50b0c0169ef9f654ba111e8b82c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\cf.exe
"C:\Users\Admin\AppData\Local\Temp\cf.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:276

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Modifies security service
- Windows security bypass
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cf.exe
Filesize
681KB

MD5
6b652684ca5fab95cbf89f217b501f6b

SHA1
eb1462c14cbc60e8ebb82c611e523d3fc85e6959

SHA256
570b93789988900fddb7587135dbf50d8252795116d1ecd5cd0180213bba32fa

SHA512
ea7fdcd57dffc3b279ce19222ffaef1d9ced64cf6f0c645f2efb8bca8f4d63aefe5a6cf5d99e6a60b66a699f5c96a1a10dda4de6784311b6e99fffc86d6d89bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf.exe
Filesize
681KB

MD5
6b652684ca5fab95cbf89f217b501f6b

SHA1
eb1462c14cbc60e8ebb82c611e523d3fc85e6959

SHA256
570b93789988900fddb7587135dbf50d8252795116d1ecd5cd0180213bba32fa

SHA512
ea7fdcd57dffc3b279ce19222ffaef1d9ced64cf6f0c645f2efb8bca8f4d63aefe5a6cf5d99e6a60b66a699f5c96a1a10dda4de6784311b6e99fffc86d6d89bb

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
681KB

MD5
6b652684ca5fab95cbf89f217b501f6b

SHA1
eb1462c14cbc60e8ebb82c611e523d3fc85e6959

SHA256
570b93789988900fddb7587135dbf50d8252795116d1ecd5cd0180213bba32fa

SHA512
ea7fdcd57dffc3b279ce19222ffaef1d9ced64cf6f0c645f2efb8bca8f4d63aefe5a6cf5d99e6a60b66a699f5c96a1a10dda4de6784311b6e99fffc86d6d89bb

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
681KB

MD5
6b652684ca5fab95cbf89f217b501f6b

SHA1
eb1462c14cbc60e8ebb82c611e523d3fc85e6959

SHA256
570b93789988900fddb7587135dbf50d8252795116d1ecd5cd0180213bba32fa

SHA512
ea7fdcd57dffc3b279ce19222ffaef1d9ced64cf6f0c645f2efb8bca8f4d63aefe5a6cf5d99e6a60b66a699f5c96a1a10dda4de6784311b6e99fffc86d6d89bb

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
681KB

MD5
6b652684ca5fab95cbf89f217b501f6b

SHA1
eb1462c14cbc60e8ebb82c611e523d3fc85e6959

SHA256
570b93789988900fddb7587135dbf50d8252795116d1ecd5cd0180213bba32fa

SHA512
ea7fdcd57dffc3b279ce19222ffaef1d9ced64cf6f0c645f2efb8bca8f4d63aefe5a6cf5d99e6a60b66a699f5c96a1a10dda4de6784311b6e99fffc86d6d89bb

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
681KB

MD5
6b652684ca5fab95cbf89f217b501f6b

SHA1
eb1462c14cbc60e8ebb82c611e523d3fc85e6959

SHA256
570b93789988900fddb7587135dbf50d8252795116d1ecd5cd0180213bba32fa

SHA512
ea7fdcd57dffc3b279ce19222ffaef1d9ced64cf6f0c645f2efb8bca8f4d63aefe5a6cf5d99e6a60b66a699f5c96a1a10dda4de6784311b6e99fffc86d6d89bb

Download Submit
memory/276-56-0x0000000000000000-mapping.dmp

Download
memory/276-58-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1492-54-0x000007FEF49D0000-0x000007FEF53F3000-memory.dmp

Filesize
10.1MB

Download
memory/1492-55-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp

Filesize
8KB

Download
memory/1936-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads