darkcomet | 9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661

General

Target

9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Size

579KB
MD5

68a54e3adbf81b3b808c11da8ce7c68a
SHA1

c7e1f952fd870d31508e69e41adc9f625781e34e
SHA256

9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661
SHA512

9ccfbf2dacf6994c0f87e1fb32571c8e50085cd10e14860684e2ea421dd4ebd59884c5a5d6fe98fdee22ddd8e89c40e4962f776032dc730d0f163a6bdf3c808d
SSDEEP

12288:nVDHFNzdkfqQNQECtK/lGRgOUqmq9kR6lhKXrJjpfmOnX/M:VDHFNBkyQNQ9tK/cRgOnmq9g6QXnE

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

alankaboot.no-ip.biz:1604

Mutex

DC_MUTEX-F54S21D

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
JbvaliXHAQvv
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

2036 msdcsc.exe

pid	process
2036	msdcsc.exe

Loads dropped DLL 2 IoCs

Processes:

9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe

pid	process
2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msdcsc.exe

description pid process target process

PID 2036 set thread context of 1552 2036 msdcsc.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2036 set thread context of 1552	2036	msdcsc.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exemsdcsc.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeSecurityPrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeTakeOwnershipPrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeLoadDriverPrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeSystemProfilePrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeSystemtimePrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeProfSingleProcessPrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeIncBasePriorityPrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeCreatePagefilePrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeBackupPrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeRestorePrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeShutdownPrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeDebugPrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeSystemEnvironmentPrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeChangeNotifyPrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeRemoteShutdownPrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeUndockPrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeManageVolumePrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeImpersonatePrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeCreateGlobalPrivilege	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: 33	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: 34	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: 35	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
Token: SeIncreaseQuotaPrivilege	2036	msdcsc.exe
Token: SeSecurityPrivilege	2036	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2036	msdcsc.exe
Token: SeLoadDriverPrivilege	2036	msdcsc.exe
Token: SeSystemProfilePrivilege	2036	msdcsc.exe
Token: SeSystemtimePrivilege	2036	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2036	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2036	msdcsc.exe
Token: SeCreatePagefilePrivilege	2036	msdcsc.exe
Token: SeBackupPrivilege	2036	msdcsc.exe
Token: SeRestorePrivilege	2036	msdcsc.exe
Token: SeShutdownPrivilege	2036	msdcsc.exe
Token: SeDebugPrivilege	2036	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2036	msdcsc.exe
Token: SeChangeNotifyPrivilege	2036	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2036	msdcsc.exe
Token: SeUndockPrivilege	2036	msdcsc.exe
Token: SeManageVolumePrivilege	2036	msdcsc.exe
Token: SeImpersonatePrivilege	2036	msdcsc.exe
Token: SeCreateGlobalPrivilege	2036	msdcsc.exe
Token: 33	2036	msdcsc.exe
Token: 34	2036	msdcsc.exe
Token: 35	2036	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	1552	iexplore.exe
Token: SeSecurityPrivilege	1552	iexplore.exe
Token: SeTakeOwnershipPrivilege	1552	iexplore.exe
Token: SeLoadDriverPrivilege	1552	iexplore.exe
Token: SeSystemProfilePrivilege	1552	iexplore.exe
Token: SeSystemtimePrivilege	1552	iexplore.exe
Token: SeProfSingleProcessPrivilege	1552	iexplore.exe
Token: SeIncBasePriorityPrivilege	1552	iexplore.exe
Token: SeCreatePagefilePrivilege	1552	iexplore.exe
Token: SeBackupPrivilege	1552	iexplore.exe
Token: SeRestorePrivilege	1552	iexplore.exe
Token: SeShutdownPrivilege	1552	iexplore.exe
Token: SeDebugPrivilege	1552	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1552	iexplore.exe
Token: SeChangeNotifyPrivilege	1552	iexplore.exe
Token: SeRemoteShutdownPrivilege	1552	iexplore.exe
Token: SeUndockPrivilege	1552	iexplore.exe
Token: SeManageVolumePrivilege	1552	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

1552 iexplore.exe

pid	process
1552	iexplore.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exemsdcsc.exe

description	pid	process	target process
PID 2000 wrote to memory of 2036	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe	msdcsc.exe
PID 2000 wrote to memory of 2036	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe	msdcsc.exe
PID 2000 wrote to memory of 2036	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe	msdcsc.exe
PID 2000 wrote to memory of 2036	2000	9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe	msdcsc.exe
PID 2036 wrote to memory of 1552	2036	msdcsc.exe	iexplore.exe
PID 2036 wrote to memory of 1552	2036	msdcsc.exe	iexplore.exe
PID 2036 wrote to memory of 1552	2036	msdcsc.exe	iexplore.exe
PID 2036 wrote to memory of 1552	2036	msdcsc.exe	iexplore.exe
PID 2036 wrote to memory of 1552	2036	msdcsc.exe	iexplore.exe
PID 2036 wrote to memory of 1552	2036	msdcsc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe
"C:\Users\Admin\AppData\Local\Temp\9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
Filesize
579KB

MD5
68a54e3adbf81b3b808c11da8ce7c68a

SHA1
c7e1f952fd870d31508e69e41adc9f625781e34e

SHA256
9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661

SHA512
9ccfbf2dacf6994c0f87e1fb32571c8e50085cd10e14860684e2ea421dd4ebd59884c5a5d6fe98fdee22ddd8e89c40e4962f776032dc730d0f163a6bdf3c808d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
Filesize
579KB

MD5
68a54e3adbf81b3b808c11da8ce7c68a

SHA1
c7e1f952fd870d31508e69e41adc9f625781e34e

SHA256
9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661

SHA512
9ccfbf2dacf6994c0f87e1fb32571c8e50085cd10e14860684e2ea421dd4ebd59884c5a5d6fe98fdee22ddd8e89c40e4962f776032dc730d0f163a6bdf3c808d

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
Filesize
579KB

MD5
68a54e3adbf81b3b808c11da8ce7c68a

SHA1
c7e1f952fd870d31508e69e41adc9f625781e34e

SHA256
9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661

SHA512
9ccfbf2dacf6994c0f87e1fb32571c8e50085cd10e14860684e2ea421dd4ebd59884c5a5d6fe98fdee22ddd8e89c40e4962f776032dc730d0f163a6bdf3c808d

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
Filesize
579KB

MD5
68a54e3adbf81b3b808c11da8ce7c68a

SHA1
c7e1f952fd870d31508e69e41adc9f625781e34e

SHA256
9802c5876d0742a696675d5f8643e54bc4867f912c7b0a1d30b7c2de11ec0661

SHA512
9ccfbf2dacf6994c0f87e1fb32571c8e50085cd10e14860684e2ea421dd4ebd59884c5a5d6fe98fdee22ddd8e89c40e4962f776032dc730d0f163a6bdf3c808d

Download Submit
memory/2000-60-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2000-61-0x0000000001E50000-0x0000000001EB0000-memory.dmp

Filesize
384KB

Download
memory/2000-63-0x00000000032A0000-0x00000000033A0000-memory.dmp

Filesize
1024KB

Download
memory/2000-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/2000-68-0x00000000032A0000-0x00000000033A0000-memory.dmp

Filesize
1024KB

Download
memory/2036-57-0x0000000000000000-mapping.dmp

Download
memory/2036-62-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2036-65-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/2036-66-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2036-67-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads