darkcomet | a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79

General

Target

a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Size

377KB
MD5

6feaab979663244eca21c62008b09202
SHA1

89da90563896e8af51b1613b7848db8af17ae615
SHA256

a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79
SHA512

c3aebe6cb7a9f2c8a6069953d68a31e2e40ce007ef2a0f3bf94cd2ffb107d46d16ce281a8127d8661e778eeccfab47096839c9053f178815cd142ac3a60b6a4a
SSDEEP

6144:IcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37mO4EqXoetQGqvvoB:IcW7KEZlPzCy37mO4iGqvw

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.0.210:1604

Mutex

DC_MUTEX-JNPFFAB

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
asWjgGEaR2qG
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

1100 msdcsc.exe

pid	process
1100	msdcsc.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1676-132-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral2/memory/1676-133-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe	upx
behavioral2/memory/1100-138-0x0000000000400000-0x00000000004DF000-memory.dmp	upx
behavioral2/memory/1676-139-0x0000000000400000-0x00000000004DF000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeSecurityPrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeTakeOwnershipPrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeLoadDriverPrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeSystemProfilePrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeSystemtimePrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeProfSingleProcessPrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeIncBasePriorityPrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeCreatePagefilePrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeBackupPrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeRestorePrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeShutdownPrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeDebugPrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeSystemEnvironmentPrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeChangeNotifyPrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeRemoteShutdownPrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeUndockPrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeManageVolumePrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeImpersonatePrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: SeCreateGlobalPrivilege	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: 33	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: 34	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: 35	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
Token: 36	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe

description	pid	process	target process
PID 1676 wrote to memory of 1100	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe	msdcsc.exe
PID 1676 wrote to memory of 1100	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe	msdcsc.exe
PID 1676 wrote to memory of 1100	1676	a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe
"C:\Users\Admin\AppData\Local\Temp\a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jI82l\PCGWIN32.LI5
Filesize
2KB

MD5
c0623cf06a5fb615d72064c320c990ef

SHA1
11940e7f73bf9a2864d046bd719c66211a810196

SHA256
1fbfcb960a9606bc3cab19cf90045c3035d77d676e835eec659dce3df24512e1

SHA512
85972333bce830fa8c32bbd5bc4bc4ffdde0bd536ba97968d3494aac8e6e48af99dbf6a9932130c36304d081626d0eca1059f5521305331034ec062bdf6c6a72

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
377KB

MD5
6feaab979663244eca21c62008b09202

SHA1
89da90563896e8af51b1613b7848db8af17ae615

SHA256
a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79

SHA512
c3aebe6cb7a9f2c8a6069953d68a31e2e40ce007ef2a0f3bf94cd2ffb107d46d16ce281a8127d8661e778eeccfab47096839c9053f178815cd142ac3a60b6a4a

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
377KB

MD5
6feaab979663244eca21c62008b09202

SHA1
89da90563896e8af51b1613b7848db8af17ae615

SHA256
a1a8ab6332f0fe7aca4250d5454bb3db623debd45151373b9263db436ca42c79

SHA512
c3aebe6cb7a9f2c8a6069953d68a31e2e40ce007ef2a0f3bf94cd2ffb107d46d16ce281a8127d8661e778eeccfab47096839c9053f178815cd142ac3a60b6a4a

Download Submit
memory/1100-134-0x0000000000000000-mapping.dmp

Download
memory/1100-138-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1676-132-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1676-133-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1676-139-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads