darkcomet | a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d

General

Target

a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe
Size

1.2MB
MD5

a241280d074124e3fa5d05bb2cba8e6e
SHA1

44a4ee61a0f9e647ada2b858942a95b947f05c47
SHA256

a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d
SHA512

be91faeca248ce4e97cf38461b2960f834c513cfae1f8e77fa2df5d702417c256cf9fb368d26428cec1246373f5f9bbf429eeed2a4e92ebfa0df8ad35fc27a83
SSDEEP

12288:wgBvvNVR2ZI0FjCSxOpe3HJaXDngYw89UwmTYjPkgmJFxT6MPUYIAMBQaO9cOCaB:zvzRRwOpXDngYoY8j/UEFcyp0VxPN+r

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.254.104:1604

ford1981.no-ip.org:1604

Mutex

DC_MUTEX-2V3YSWB

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
aWbR1AewgYg4
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	vbc.exe

Executes dropped EXE 3 IoCs

pid	Process
4968	vbc.exe
1960	GVAUGAGXKPMXSW.EXE
2016	msdcsc.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	vbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	GVAUGAGXKPMXSW.EXE

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	vbc.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	GVAUGAGXKPMXSW.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	GVAUGAGXKPMXSW.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Universal = "0"	GVAUGAGXKPMXSW.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3796 set thread context of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5000	sc.exe
2176	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4000	1960	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1960	GVAUGAGXKPMXSW.EXE
1960	GVAUGAGXKPMXSW.EXE
1960	GVAUGAGXKPMXSW.EXE
1960	GVAUGAGXKPMXSW.EXE

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4968	vbc.exe
Token: SeSecurityPrivilege	4968	vbc.exe
Token: SeTakeOwnershipPrivilege	4968	vbc.exe
Token: SeLoadDriverPrivilege	4968	vbc.exe
Token: SeSystemProfilePrivilege	4968	vbc.exe
Token: SeSystemtimePrivilege	4968	vbc.exe
Token: SeProfSingleProcessPrivilege	4968	vbc.exe
Token: SeIncBasePriorityPrivilege	4968	vbc.exe
Token: SeCreatePagefilePrivilege	4968	vbc.exe
Token: SeBackupPrivilege	4968	vbc.exe
Token: SeRestorePrivilege	4968	vbc.exe
Token: SeShutdownPrivilege	4968	vbc.exe
Token: SeDebugPrivilege	4968	vbc.exe
Token: SeSystemEnvironmentPrivilege	4968	vbc.exe
Token: SeChangeNotifyPrivilege	4968	vbc.exe
Token: SeRemoteShutdownPrivilege	4968	vbc.exe
Token: SeUndockPrivilege	4968	vbc.exe
Token: SeManageVolumePrivilege	4968	vbc.exe
Token: SeImpersonatePrivilege	4968	vbc.exe
Token: SeCreateGlobalPrivilege	4968	vbc.exe
Token: 33	4968	vbc.exe
Token: 34	4968	vbc.exe
Token: 35	4968	vbc.exe
Token: 36	4968	vbc.exe
Token: SeDebugPrivilege	1960	GVAUGAGXKPMXSW.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81
PID 3796 wrote to memory of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81
PID 3796 wrote to memory of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81
PID 3796 wrote to memory of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81
PID 3796 wrote to memory of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81
PID 3796 wrote to memory of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81
PID 3796 wrote to memory of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81
PID 3796 wrote to memory of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81
PID 3796 wrote to memory of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81
PID 3796 wrote to memory of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81
PID 3796 wrote to memory of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81
PID 3796 wrote to memory of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81
PID 3796 wrote to memory of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81
PID 3796 wrote to memory of 4968	3796	a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe	81
PID 4968 wrote to memory of 1960	4968	vbc.exe	82
PID 4968 wrote to memory of 1960	4968	vbc.exe	82
PID 4968 wrote to memory of 2016	4968	vbc.exe	85
PID 4968 wrote to memory of 2016	4968	vbc.exe	85
PID 4968 wrote to memory of 2016	4968	vbc.exe	85
PID 1960 wrote to memory of 5000	1960	GVAUGAGXKPMXSW.EXE	89
PID 1960 wrote to memory of 5000	1960	GVAUGAGXKPMXSW.EXE	89
PID 1960 wrote to memory of 2176	1960	GVAUGAGXKPMXSW.EXE	91
PID 1960 wrote to memory of 2176	1960	GVAUGAGXKPMXSW.EXE	91

C:\Users\Admin\AppData\Local\Temp\a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe
"C:\Users\Admin\AppData\Local\Temp\a63014dcd0ad0a29822b3d9d796c704d7458d4b088398711b5168c20095b211d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\GVAUGAGXKPMXSW.EXE
    "C:\Users\Admin\AppData\Local\Temp\GVAUGAGXKPMXSW.EXE"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies WinLogon
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SYSTEM32\sc.exe
      sc stop wscsvc
      4⤵
      Launches sc.exe
      PID:5000
  - - C:\Windows\SYSTEM32\sc.exe
      sc stop SharedAccess
      4⤵
      Launches sc.exe
      PID:2176
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1960 -s 2484
      4⤵
      Program crash
      PID:4000
- - C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
    "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    PID:2016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 1960 -ip 1960
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Impair Defenses

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\GVAUGAGXKPMXSW.EXE

Filesize
27KB

MD5
52ef577ace72145d21637aeb3e601a77

SHA1
596f3ed18596bf50ad196352f9b7ab93ec5b2e68

SHA256
5fb2c38d2378b1ac042eb9412169e8ab4d1b2ac08f65ce4bb4234ecc40839e0a

SHA512
355d683ab8016dc851d51d09c81755026f626259b9804ed2ff076d81d38eb3ea7eeafffcefe9db651a05bb56723e4f7a948f35247f8dfe978cde791a150f2ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GVAUGAGXKPMXSW.EXE

Filesize
27KB

MD5
52ef577ace72145d21637aeb3e601a77

SHA1
596f3ed18596bf50ad196352f9b7ab93ec5b2e68

SHA256
5fb2c38d2378b1ac042eb9412169e8ab4d1b2ac08f65ce4bb4234ecc40839e0a

SHA512
355d683ab8016dc851d51d09c81755026f626259b9804ed2ff076d81d38eb3ea7eeafffcefe9db651a05bb56723e4f7a948f35247f8dfe978cde791a150f2ec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1960-151-0x00007FFFEE150000-0x00007FFFEEC11000-memory.dmp

Filesize
10.8MB

Download
memory/1960-156-0x00007FFFEE150000-0x00007FFFEEC11000-memory.dmp

Filesize
10.8MB

Download
memory/1960-155-0x00007FFFEE150000-0x00007FFFEEC11000-memory.dmp

Filesize
10.8MB

Download
memory/1960-147-0x0000000000E10000-0x0000000000E1E000-memory.dmp

Filesize
56KB

Download
memory/3796-133-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3796-132-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/3796-142-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4968-138-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4968-135-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4968-139-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4968-143-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4968-152-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4968-141-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads