darkcomet | 77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d

General

Target

77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Size

392KB
MD5

78015ac78c3ad87fdadd6ed4488c4ac0
SHA1

0c4219868261b460dc4f126bd796f96e8b23e770
SHA256

77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d
SHA512

0d1aa3696cc03b795a954fd04e5ab13762c17d02222f2a49d6ec94873ce3ea5a53ccddf78b5f18662eae0a535754e50d8998e54b4877136285a356832c53fecf
SSDEEP

6144:pcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37UMEFhG9KOUH0c7FT8EXN3BsV/0:pcW7KEZlPzCy37T0GEtD7FB3B

Score

10^/10

darkcomet guest16 evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

hack6969.zapto.org:1604

Btrev.ddns.net:1336

Mutex

DC_MUTEX-N1UFMN8

Attributes

InstallPath
MSDCSC\svchost.exe
gencode
3396looGFZlq
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\svchost.exe"	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe

Executes dropped EXE 2 IoCs

Processes:

AMIGO DO CS.EXEsvchost.exe

pid process

544 AMIGO DO CS.EXE
860 svchost.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

520 attrib.exe
1916 attrib.exe

pid	process
544	AMIGO DO CS.EXE
860	svchost.exe

pid	process
520	attrib.exe
1916	attrib.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/960-62-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe	upx
\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe	upx
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe	upx
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe	upx
behavioral1/memory/860-72-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral1/memory/960-73-0x0000000000400000-0x00000000004DB000-memory.dmp	upx
behavioral1/memory/860-74-0x0000000000400000-0x00000000004DB000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe

pid	process
960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\svchost.exe"	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AMIGO DO CS.EXE

pid process

544 AMIGO DO CS.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

860 svchost.exe

pid	process
544	AMIGO DO CS.EXE

pid	process
860	svchost.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exesvchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeSecurityPrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeTakeOwnershipPrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeLoadDriverPrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeSystemProfilePrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeSystemtimePrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeProfSingleProcessPrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeIncBasePriorityPrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeCreatePagefilePrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeBackupPrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeRestorePrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeShutdownPrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeDebugPrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeSystemEnvironmentPrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeChangeNotifyPrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeRemoteShutdownPrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeUndockPrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeManageVolumePrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeImpersonatePrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeCreateGlobalPrivilege	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: 33	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: 34	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: 35	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemProfilePrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeProfSingleProcessPrivilege	860	svchost.exe
Token: SeIncBasePriorityPrivilege	860	svchost.exe
Token: SeCreatePagefilePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeDebugPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeChangeNotifyPrivilege	860	svchost.exe
Token: SeRemoteShutdownPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeImpersonatePrivilege	860	svchost.exe
Token: SeCreateGlobalPrivilege	860	svchost.exe
Token: 33	860	svchost.exe
Token: 34	860	svchost.exe
Token: 35	860	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

860 svchost.exe

pid	process
860	svchost.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 960 wrote to memory of 1868	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	cmd.exe
PID 960 wrote to memory of 1868	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	cmd.exe
PID 960 wrote to memory of 1868	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	cmd.exe
PID 960 wrote to memory of 1868	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	cmd.exe
PID 960 wrote to memory of 1760	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	cmd.exe
PID 960 wrote to memory of 1760	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	cmd.exe
PID 960 wrote to memory of 1760	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	cmd.exe
PID 960 wrote to memory of 1760	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	cmd.exe
PID 960 wrote to memory of 544	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	AMIGO DO CS.EXE
PID 960 wrote to memory of 544	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	AMIGO DO CS.EXE
PID 960 wrote to memory of 544	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	AMIGO DO CS.EXE
PID 960 wrote to memory of 544	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	AMIGO DO CS.EXE
PID 1868 wrote to memory of 520	1868	cmd.exe	attrib.exe
PID 1868 wrote to memory of 520	1868	cmd.exe	attrib.exe
PID 1868 wrote to memory of 520	1868	cmd.exe	attrib.exe
PID 1868 wrote to memory of 520	1868	cmd.exe	attrib.exe
PID 1760 wrote to memory of 1916	1760	cmd.exe	attrib.exe
PID 1760 wrote to memory of 1916	1760	cmd.exe	attrib.exe
PID 1760 wrote to memory of 1916	1760	cmd.exe	attrib.exe
PID 1760 wrote to memory of 1916	1760	cmd.exe	attrib.exe
PID 960 wrote to memory of 860	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	svchost.exe
PID 960 wrote to memory of 860	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	svchost.exe
PID 960 wrote to memory of 860	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	svchost.exe
PID 960 wrote to memory of 860	960	77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe	svchost.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe
PID 860 wrote to memory of 1040	860	svchost.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

520 attrib.exe
1916 attrib.exe

pid	process
520	attrib.exe
1916	attrib.exe

C:\Users\Admin\AppData\Local\Temp\77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe
"C:\Users\Admin\AppData\Local\Temp\77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1916

C:\Users\Admin\AppData\Local\Temp\AMIGO DO CS.EXE
"C:\Users\Admin\AppData\Local\Temp\AMIGO DO CS.EXE"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:544

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

2

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe
Filesize
392KB

MD5
78015ac78c3ad87fdadd6ed4488c4ac0

SHA1
0c4219868261b460dc4f126bd796f96e8b23e770

SHA256
77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d

SHA512
0d1aa3696cc03b795a954fd04e5ab13762c17d02222f2a49d6ec94873ce3ea5a53ccddf78b5f18662eae0a535754e50d8998e54b4877136285a356832c53fecf

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe
Filesize
392KB

MD5
78015ac78c3ad87fdadd6ed4488c4ac0

SHA1
0c4219868261b460dc4f126bd796f96e8b23e770

SHA256
77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d

SHA512
0d1aa3696cc03b795a954fd04e5ab13762c17d02222f2a49d6ec94873ce3ea5a53ccddf78b5f18662eae0a535754e50d8998e54b4877136285a356832c53fecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMIGO DO CS.EXE
Filesize
144KB

MD5
a93149d40e9107d7fcbc61b561643fdb

SHA1
e344cb449844e3e218c264ae6a41d2d01cea8917

SHA256
616f7b59e63ec6cb84f3c1f037673681fd367046d37292749a4da119cdeb3a87

SHA512
3965226d540b9f9b0a00dab9397a7dca7ba35949d2e987a60d7eb25c7e6a21c09102c1e33c6d0c7eb242234b21e500165eb7b7de62e9e52f7bdebd35b41b1f6a

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe
Filesize
392KB

MD5
78015ac78c3ad87fdadd6ed4488c4ac0

SHA1
0c4219868261b460dc4f126bd796f96e8b23e770

SHA256
77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d

SHA512
0d1aa3696cc03b795a954fd04e5ab13762c17d02222f2a49d6ec94873ce3ea5a53ccddf78b5f18662eae0a535754e50d8998e54b4877136285a356832c53fecf

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\svchost.exe
Filesize
392KB

MD5
78015ac78c3ad87fdadd6ed4488c4ac0

SHA1
0c4219868261b460dc4f126bd796f96e8b23e770

SHA256
77c08522a979d835a04e0e6be7567d5ce58f27b6939f5d491c05680f60af670d

SHA512
0d1aa3696cc03b795a954fd04e5ab13762c17d02222f2a49d6ec94873ce3ea5a53ccddf78b5f18662eae0a535754e50d8998e54b4877136285a356832c53fecf

Download Submit
\Users\Admin\AppData\Local\Temp\AMIGO DO CS.EXE
Filesize
144KB

MD5
a93149d40e9107d7fcbc61b561643fdb

SHA1
e344cb449844e3e218c264ae6a41d2d01cea8917

SHA256
616f7b59e63ec6cb84f3c1f037673681fd367046d37292749a4da119cdeb3a87

SHA512
3965226d540b9f9b0a00dab9397a7dca7ba35949d2e987a60d7eb25c7e6a21c09102c1e33c6d0c7eb242234b21e500165eb7b7de62e9e52f7bdebd35b41b1f6a

Download Submit
memory/520-60-0x0000000000000000-mapping.dmp

Download
memory/544-58-0x0000000000000000-mapping.dmp

Download
memory/860-74-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/860-72-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/860-65-0x0000000000000000-mapping.dmp

Download
memory/960-71-0x0000000005030000-0x000000000510B000-memory.dmp

Filesize
876KB

Download
memory/960-62-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/960-73-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/960-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1040-69-0x0000000000000000-mapping.dmp

Download
memory/1760-56-0x0000000000000000-mapping.dmp

Download
memory/1868-55-0x0000000000000000-mapping.dmp

Download
memory/1916-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads