darkcomet | e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5

General

Target

e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe
Size

764KB
MD5

46a672f6e852bd37395495f7a8d7f790
SHA1

70fe5eb7f66daef78e117b3d032fdc0b5605fed4
SHA256

e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5
SHA512

8d87c50f2090f66d4fff9fa5b52c01fa4f6ca74b4ecc644b24c6a520debcbb8d1f3e044ca96f66cdd70c6224d7d4dbbd3c9002b3a4665098d4f196d3ed426c0e
SSDEEP

12288:NNxpH49zf8v8VhfmbhIYvbO0C1m4JSqsj4LQ6eBWMAI++1p:NNH49L8ShMuh1/2j4LQ1B+a

Score

10^/10

darkcomet hacked evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

HACKED

C2

njhostaddbots.no-ip.org:1604

Mutex

DC_MUTEX-5LR8UFZ

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
JQrCNZocD9Jw
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	cvtres.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

576 msdcsc.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1520 attrib.exe
484 attrib.exe
Loads dropped DLL 1 IoCs

Processes:

cvtres.exe

pid process

1580 cvtres.exe

pid	process
576	msdcsc.exe

pid	process
1520	attrib.exe
484	attrib.exe

pid	process
1580	cvtres.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	cvtres.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe

description	pid	process	target process
PID 1224 set thread context of 1580	1224	e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe	cvtres.exe

Drops file in Windows directory 2 IoCs

Processes:

attrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

cvtres.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1580	cvtres.exe
Token: SeSecurityPrivilege	1580	cvtres.exe
Token: SeTakeOwnershipPrivilege	1580	cvtres.exe
Token: SeLoadDriverPrivilege	1580	cvtres.exe
Token: SeSystemProfilePrivilege	1580	cvtres.exe
Token: SeSystemtimePrivilege	1580	cvtres.exe
Token: SeProfSingleProcessPrivilege	1580	cvtres.exe
Token: SeIncBasePriorityPrivilege	1580	cvtres.exe
Token: SeCreatePagefilePrivilege	1580	cvtres.exe
Token: SeBackupPrivilege	1580	cvtres.exe
Token: SeRestorePrivilege	1580	cvtres.exe
Token: SeShutdownPrivilege	1580	cvtres.exe
Token: SeDebugPrivilege	1580	cvtres.exe
Token: SeSystemEnvironmentPrivilege	1580	cvtres.exe
Token: SeChangeNotifyPrivilege	1580	cvtres.exe
Token: SeRemoteShutdownPrivilege	1580	cvtres.exe
Token: SeUndockPrivilege	1580	cvtres.exe
Token: SeManageVolumePrivilege	1580	cvtres.exe
Token: SeImpersonatePrivilege	1580	cvtres.exe
Token: SeCreateGlobalPrivilege	1580	cvtres.exe
Token: 33	1580	cvtres.exe
Token: 34	1580	cvtres.exe
Token: 35	1580	cvtres.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.execvtres.execmd.execmd.exe

description	pid	process	target process
PID 1224 wrote to memory of 1580	1224	e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe	cvtres.exe
PID 1224 wrote to memory of 1580	1224	e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe	cvtres.exe
PID 1224 wrote to memory of 1580	1224	e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe	cvtres.exe
PID 1224 wrote to memory of 1580	1224	e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe	cvtres.exe
PID 1224 wrote to memory of 1580	1224	e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe	cvtres.exe
PID 1224 wrote to memory of 1580	1224	e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe	cvtres.exe
PID 1224 wrote to memory of 1580	1224	e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe	cvtres.exe
PID 1224 wrote to memory of 1580	1224	e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe	cvtres.exe
PID 1224 wrote to memory of 1580	1224	e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe	cvtres.exe
PID 1224 wrote to memory of 1580	1224	e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe	cvtres.exe
PID 1224 wrote to memory of 1580	1224	e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe	cvtres.exe
PID 1224 wrote to memory of 1580	1224	e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe	cvtres.exe
PID 1224 wrote to memory of 1580	1224	e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe	cvtres.exe
PID 1580 wrote to memory of 1184	1580	cvtres.exe	cmd.exe
PID 1580 wrote to memory of 1184	1580	cvtres.exe	cmd.exe
PID 1580 wrote to memory of 1184	1580	cvtres.exe	cmd.exe
PID 1580 wrote to memory of 1184	1580	cvtres.exe	cmd.exe
PID 1580 wrote to memory of 1492	1580	cvtres.exe	cmd.exe
PID 1580 wrote to memory of 1492	1580	cvtres.exe	cmd.exe
PID 1580 wrote to memory of 1492	1580	cvtres.exe	cmd.exe
PID 1580 wrote to memory of 1492	1580	cvtres.exe	cmd.exe
PID 1580 wrote to memory of 576	1580	cvtres.exe	msdcsc.exe
PID 1580 wrote to memory of 576	1580	cvtres.exe	msdcsc.exe
PID 1580 wrote to memory of 576	1580	cvtres.exe	msdcsc.exe
PID 1580 wrote to memory of 576	1580	cvtres.exe	msdcsc.exe
PID 1184 wrote to memory of 1520	1184	cmd.exe	attrib.exe
PID 1184 wrote to memory of 1520	1184	cmd.exe	attrib.exe
PID 1184 wrote to memory of 1520	1184	cmd.exe	attrib.exe
PID 1184 wrote to memory of 1520	1184	cmd.exe	attrib.exe
PID 1492 wrote to memory of 484	1492	cmd.exe	attrib.exe
PID 1492 wrote to memory of 484	1492	cmd.exe	attrib.exe
PID 1492 wrote to memory of 484	1492	cmd.exe	attrib.exe
PID 1492 wrote to memory of 484	1492	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1520 attrib.exe
484 attrib.exe

pid	process
1520	attrib.exe
484	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe
"C:\Users\Admin\AppData\Local\Temp\e9977b64d7e74740113223020df3526a75574fde5e1004e4937dd2799a290fd5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:484
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/484-81-0x0000000000000000-mapping.dmp

Download
memory/576-78-0x0000000000000000-mapping.dmp

Download
memory/1184-75-0x0000000000000000-mapping.dmp

Download
memory/1224-72-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1224-83-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1224-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1492-76-0x0000000000000000-mapping.dmp

Download
memory/1520-80-0x0000000000000000-mapping.dmp

Download
memory/1580-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1580-70-0x000000000048F888-mapping.dmp

Download
memory/1580-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1580-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1580-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1580-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1580-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1580-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1580-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1580-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1580-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1580-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1580-55-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads