darkcomet | 22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b

Resubmissions

05/02/2025, 07:33

250205-jdh62axrhj 10

05/02/2025, 07:10

250205-hzr6dsxlfj 10

01/10/2022, 21:44

221001-1ljwzaabcj 10

Analysis

max time kernel
153s
max time network
63s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b.exe
Size

753KB
MD5

6164b89fb1038bc271cad23b75b8bcda
SHA1

9e8a1becd54a69adc7367e0c98cd33041f5e1ed5
SHA256

22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b
SHA512

7766a0c3ea22e7d4a440e9a687c6ee2f0e200035ce54cbd3ebe51dca1714dac74b1409ad7991965072b30f35d8c8ebc9a7f00d2acd8cd1c4f5cef7fa6ef680c1
SSDEEP

12288:K4bUx79HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h:KJZ1xuVVjfFoynPaVBUR8f+kN10EB

Score

10^/10

darkcomet new persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

new

serverexe.no-ip.org:5112

Mutex

DC_MUTEX-79PF79N

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
oYlexrzdlPwE
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	TEST.EXE

Executes dropped EXE 2 IoCs

pid	Process
1988	TEST.EXE
1984	msdcsc.exe

Loads dropped DLL 4 IoCs

pid	Process
916	22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b.exe
916	22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b.exe
1988	TEST.EXE
1988	TEST.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 688	1984	msdcsc.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1988	TEST.EXE
Token: SeSecurityPrivilege	1988	TEST.EXE
Token: SeTakeOwnershipPrivilege	1988	TEST.EXE
Token: SeLoadDriverPrivilege	1988	TEST.EXE
Token: SeSystemProfilePrivilege	1988	TEST.EXE
Token: SeSystemtimePrivilege	1988	TEST.EXE
Token: SeProfSingleProcessPrivilege	1988	TEST.EXE
Token: SeIncBasePriorityPrivilege	1988	TEST.EXE
Token: SeCreatePagefilePrivilege	1988	TEST.EXE
Token: SeBackupPrivilege	1988	TEST.EXE
Token: SeRestorePrivilege	1988	TEST.EXE
Token: SeShutdownPrivilege	1988	TEST.EXE
Token: SeDebugPrivilege	1988	TEST.EXE
Token: SeSystemEnvironmentPrivilege	1988	TEST.EXE
Token: SeChangeNotifyPrivilege	1988	TEST.EXE
Token: SeRemoteShutdownPrivilege	1988	TEST.EXE
Token: SeUndockPrivilege	1988	TEST.EXE
Token: SeManageVolumePrivilege	1988	TEST.EXE
Token: SeImpersonatePrivilege	1988	TEST.EXE
Token: SeCreateGlobalPrivilege	1988	TEST.EXE
Token: 33	1988	TEST.EXE
Token: 34	1988	TEST.EXE
Token: 35	1988	TEST.EXE
Token: SeIncreaseQuotaPrivilege	1984	msdcsc.exe
Token: SeSecurityPrivilege	1984	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1984	msdcsc.exe
Token: SeLoadDriverPrivilege	1984	msdcsc.exe
Token: SeSystemProfilePrivilege	1984	msdcsc.exe
Token: SeSystemtimePrivilege	1984	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1984	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1984	msdcsc.exe
Token: SeCreatePagefilePrivilege	1984	msdcsc.exe
Token: SeBackupPrivilege	1984	msdcsc.exe
Token: SeRestorePrivilege	1984	msdcsc.exe
Token: SeShutdownPrivilege	1984	msdcsc.exe
Token: SeDebugPrivilege	1984	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1984	msdcsc.exe
Token: SeChangeNotifyPrivilege	1984	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1984	msdcsc.exe
Token: SeUndockPrivilege	1984	msdcsc.exe
Token: SeManageVolumePrivilege	1984	msdcsc.exe
Token: SeImpersonatePrivilege	1984	msdcsc.exe
Token: SeCreateGlobalPrivilege	1984	msdcsc.exe
Token: 33	1984	msdcsc.exe
Token: 34	1984	msdcsc.exe
Token: 35	1984	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	688	iexplore.exe
Token: SeSecurityPrivilege	688	iexplore.exe
Token: SeTakeOwnershipPrivilege	688	iexplore.exe
Token: SeLoadDriverPrivilege	688	iexplore.exe
Token: SeSystemProfilePrivilege	688	iexplore.exe
Token: SeSystemtimePrivilege	688	iexplore.exe
Token: SeProfSingleProcessPrivilege	688	iexplore.exe
Token: SeIncBasePriorityPrivilege	688	iexplore.exe
Token: SeCreatePagefilePrivilege	688	iexplore.exe
Token: SeBackupPrivilege	688	iexplore.exe
Token: SeRestorePrivilege	688	iexplore.exe
Token: SeShutdownPrivilege	688	iexplore.exe
Token: SeDebugPrivilege	688	iexplore.exe
Token: SeSystemEnvironmentPrivilege	688	iexplore.exe
Token: SeChangeNotifyPrivilege	688	iexplore.exe
Token: SeRemoteShutdownPrivilege	688	iexplore.exe
Token: SeUndockPrivilege	688	iexplore.exe
Token: SeManageVolumePrivilege	688	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2040	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
688	iexplore.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 1988	916	22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b.exe	28
PID 916 wrote to memory of 1988	916	22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b.exe	28
PID 916 wrote to memory of 1988	916	22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b.exe	28
PID 916 wrote to memory of 1988	916	22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b.exe	28
PID 1988 wrote to memory of 1984	1988	TEST.EXE	29
PID 1988 wrote to memory of 1984	1988	TEST.EXE	29
PID 1988 wrote to memory of 1984	1988	TEST.EXE	29
PID 1988 wrote to memory of 1984	1988	TEST.EXE	29
PID 1984 wrote to memory of 688	1984	msdcsc.exe	30
PID 1984 wrote to memory of 688	1984	msdcsc.exe	30
PID 1984 wrote to memory of 688	1984	msdcsc.exe	30
PID 1984 wrote to memory of 688	1984	msdcsc.exe	30
PID 1984 wrote to memory of 688	1984	msdcsc.exe	30
PID 1984 wrote to memory of 688	1984	msdcsc.exe	30

C:\Users\Admin\AppData\Local\Temp\22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b.exe
"C:\Users\Admin\AppData\Local\Temp\22681287fe40149600120243ba97cadc242600d8fb9190adf98efccbf89c064b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\TEST.EXE
  "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
    "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:688

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IMAGE00013.JPG

Filesize
42KB

MD5
d946eb56bce70b75b4fa83f847abbc87

SHA1
d2ffff122f3fe858505717cdbc1b2ff919452011

SHA256
e2ab1b493d4f912786f1af76966da0eb0844471674a365cc3548a93da9e20b6e

SHA512
46bc596a5f33c2756abe86b063abe3cd1497741caeb4e6c0a9fd3dbaff5c46687592cc2ac0707b7198d6da525df7aa67324ec6468d299e0c4efeaff9ee3605d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
658KB

MD5
3432fe314b8cb640b283998d08f9c71a

SHA1
d4b6a3c0757dddcb1c4b3798ef1ca60860861d13

SHA256
cdf9667cc91e01e213236ece900c9ff8074b4b0d784b8cd0fb188ecf2b7d7551

SHA512
2aee193cb4b1675248867cc15b03d9d6c429ffa18097493849ec3d06c0ebd0043a7b6869223192226accd11b7717320e024593111af49ebf94d2a16133fde398

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
658KB

MD5
3432fe314b8cb640b283998d08f9c71a

SHA1
d4b6a3c0757dddcb1c4b3798ef1ca60860861d13

SHA256
cdf9667cc91e01e213236ece900c9ff8074b4b0d784b8cd0fb188ecf2b7d7551

SHA512
2aee193cb4b1675248867cc15b03d9d6c429ffa18097493849ec3d06c0ebd0043a7b6869223192226accd11b7717320e024593111af49ebf94d2a16133fde398

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEST.EXE

Filesize
658KB

MD5
3432fe314b8cb640b283998d08f9c71a

SHA1
d4b6a3c0757dddcb1c4b3798ef1ca60860861d13

SHA256
cdf9667cc91e01e213236ece900c9ff8074b4b0d784b8cd0fb188ecf2b7d7551

SHA512
2aee193cb4b1675248867cc15b03d9d6c429ffa18097493849ec3d06c0ebd0043a7b6869223192226accd11b7717320e024593111af49ebf94d2a16133fde398

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEST.EXE

Filesize
658KB

MD5
3432fe314b8cb640b283998d08f9c71a

SHA1
d4b6a3c0757dddcb1c4b3798ef1ca60860861d13

SHA256
cdf9667cc91e01e213236ece900c9ff8074b4b0d784b8cd0fb188ecf2b7d7551

SHA512
2aee193cb4b1675248867cc15b03d9d6c429ffa18097493849ec3d06c0ebd0043a7b6869223192226accd11b7717320e024593111af49ebf94d2a16133fde398

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
658KB

MD5
3432fe314b8cb640b283998d08f9c71a

SHA1
d4b6a3c0757dddcb1c4b3798ef1ca60860861d13

SHA256
cdf9667cc91e01e213236ece900c9ff8074b4b0d784b8cd0fb188ecf2b7d7551

SHA512
2aee193cb4b1675248867cc15b03d9d6c429ffa18097493849ec3d06c0ebd0043a7b6869223192226accd11b7717320e024593111af49ebf94d2a16133fde398

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
658KB

MD5
3432fe314b8cb640b283998d08f9c71a

SHA1
d4b6a3c0757dddcb1c4b3798ef1ca60860861d13

SHA256
cdf9667cc91e01e213236ece900c9ff8074b4b0d784b8cd0fb188ecf2b7d7551

SHA512
2aee193cb4b1675248867cc15b03d9d6c429ffa18097493849ec3d06c0ebd0043a7b6869223192226accd11b7717320e024593111af49ebf94d2a16133fde398

Download Submit
\Users\Admin\AppData\Local\Temp\TEST.EXE

Filesize
658KB

MD5
3432fe314b8cb640b283998d08f9c71a

SHA1
d4b6a3c0757dddcb1c4b3798ef1ca60860861d13

SHA256
cdf9667cc91e01e213236ece900c9ff8074b4b0d784b8cd0fb188ecf2b7d7551

SHA512
2aee193cb4b1675248867cc15b03d9d6c429ffa18097493849ec3d06c0ebd0043a7b6869223192226accd11b7717320e024593111af49ebf94d2a16133fde398

Download Submit
\Users\Admin\AppData\Local\Temp\TEST.EXE

Filesize
658KB

MD5
3432fe314b8cb640b283998d08f9c71a

SHA1
d4b6a3c0757dddcb1c4b3798ef1ca60860861d13

SHA256
cdf9667cc91e01e213236ece900c9ff8074b4b0d784b8cd0fb188ecf2b7d7551

SHA512
2aee193cb4b1675248867cc15b03d9d6c429ffa18097493849ec3d06c0ebd0043a7b6869223192226accd11b7717320e024593111af49ebf94d2a16133fde398

Download Submit
memory/916-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads