darkcomet | 183d900a7a155c3a65c15ea0e7afc396a621e970907ea5a6a9280623d64290cf

Analysis

max time kernel
35s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

183d900a7a155c3a65c15ea0e7afc396a621e970907ea5a6a9280623d64290cf.exe
Size

1.5MB
MD5

82e3cf33fc4de1705596d7eb0fdc0f46
SHA1

7a5128fc9608abab93b88eacee30942e8db26b52
SHA256

183d900a7a155c3a65c15ea0e7afc396a621e970907ea5a6a9280623d64290cf
SHA512

fdea881a4900bdfabdd859535e40b93e6b95c6108389e9584cf47b41c42030cf9ebd7554383551d78e4b3e573a8482d08a3904ffcdd42823b404e0b81e4ec0a8
SSDEEP

24576:j2O/GlCNpZbBlZu6Ih60nGgAkaabxRrDwusN7TBIwMxXVbIK+QrFWILCTLiL2:VBXu960nGu7brDBwjkZIP8FWIL7L2

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

r1x3r.no-ip.info:1604

Mutex

DC_MUTEX-L1K5118

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
9wAm8SRjtSJo
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	RegSvcs.exe

Executes dropped EXE 3 IoCs

pid	Process
1360	FPCTL.exe
620	FPCTL.exe
1656	msdcsc.exe

Loads dropped DLL 3 IoCs

pid	Process
1620	WScript.exe
1360	FPCTL.exe
1168	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 620 set thread context of 1168	620	FPCTL.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1168	RegSvcs.exe
Token: SeSecurityPrivilege	1168	RegSvcs.exe
Token: SeTakeOwnershipPrivilege	1168	RegSvcs.exe
Token: SeLoadDriverPrivilege	1168	RegSvcs.exe
Token: SeSystemProfilePrivilege	1168	RegSvcs.exe
Token: SeSystemtimePrivilege	1168	RegSvcs.exe
Token: SeProfSingleProcessPrivilege	1168	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1168	RegSvcs.exe
Token: SeCreatePagefilePrivilege	1168	RegSvcs.exe
Token: SeBackupPrivilege	1168	RegSvcs.exe
Token: SeRestorePrivilege	1168	RegSvcs.exe
Token: SeShutdownPrivilege	1168	RegSvcs.exe
Token: SeDebugPrivilege	1168	RegSvcs.exe
Token: SeSystemEnvironmentPrivilege	1168	RegSvcs.exe
Token: SeChangeNotifyPrivilege	1168	RegSvcs.exe
Token: SeRemoteShutdownPrivilege	1168	RegSvcs.exe
Token: SeUndockPrivilege	1168	RegSvcs.exe
Token: SeManageVolumePrivilege	1168	RegSvcs.exe
Token: SeImpersonatePrivilege	1168	RegSvcs.exe
Token: SeCreateGlobalPrivilege	1168	RegSvcs.exe
Token: 33	1168	RegSvcs.exe
Token: 34	1168	RegSvcs.exe
Token: 35	1168	RegSvcs.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1620	1044	183d900a7a155c3a65c15ea0e7afc396a621e970907ea5a6a9280623d64290cf.exe	28
PID 1044 wrote to memory of 1620	1044	183d900a7a155c3a65c15ea0e7afc396a621e970907ea5a6a9280623d64290cf.exe	28
PID 1044 wrote to memory of 1620	1044	183d900a7a155c3a65c15ea0e7afc396a621e970907ea5a6a9280623d64290cf.exe	28
PID 1044 wrote to memory of 1620	1044	183d900a7a155c3a65c15ea0e7afc396a621e970907ea5a6a9280623d64290cf.exe	28
PID 1044 wrote to memory of 1620	1044	183d900a7a155c3a65c15ea0e7afc396a621e970907ea5a6a9280623d64290cf.exe	28
PID 1044 wrote to memory of 1620	1044	183d900a7a155c3a65c15ea0e7afc396a621e970907ea5a6a9280623d64290cf.exe	28
PID 1044 wrote to memory of 1620	1044	183d900a7a155c3a65c15ea0e7afc396a621e970907ea5a6a9280623d64290cf.exe	28
PID 1620 wrote to memory of 1360	1620	WScript.exe	29
PID 1620 wrote to memory of 1360	1620	WScript.exe	29
PID 1620 wrote to memory of 1360	1620	WScript.exe	29
PID 1620 wrote to memory of 1360	1620	WScript.exe	29
PID 1620 wrote to memory of 1360	1620	WScript.exe	29
PID 1620 wrote to memory of 1360	1620	WScript.exe	29
PID 1620 wrote to memory of 1360	1620	WScript.exe	29
PID 1360 wrote to memory of 620	1360	FPCTL.exe	31
PID 1360 wrote to memory of 620	1360	FPCTL.exe	31
PID 1360 wrote to memory of 620	1360	FPCTL.exe	31
PID 1360 wrote to memory of 620	1360	FPCTL.exe	31
PID 1360 wrote to memory of 620	1360	FPCTL.exe	31
PID 1360 wrote to memory of 620	1360	FPCTL.exe	31
PID 1360 wrote to memory of 620	1360	FPCTL.exe	31
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 620 wrote to memory of 1168	620	FPCTL.exe	32
PID 1168 wrote to memory of 1656	1168	RegSvcs.exe	33
PID 1168 wrote to memory of 1656	1168	RegSvcs.exe	33
PID 1168 wrote to memory of 1656	1168	RegSvcs.exe	33
PID 1168 wrote to memory of 1656	1168	RegSvcs.exe	33
PID 1168 wrote to memory of 1656	1168	RegSvcs.exe	33
PID 1168 wrote to memory of 1656	1168	RegSvcs.exe	33
PID 1168 wrote to memory of 1656	1168	RegSvcs.exe	33

C:\Users\Admin\AppData\Local\Temp\183d900a7a155c3a65c15ea0e7afc396a621e970907ea5a6a9280623d64290cf.exe
"C:\Users\Admin\AppData\Local\Temp\183d900a7a155c3a65c15ea0e7afc396a621e970907ea5a6a9280623d64290cf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\BKZEX\JVGDNRLKJT-MKUSC-MYREMDCYGO.vbe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\BKZEX\FPCTL.exe
    "C:\Users\Admin\BKZEX\FPCTL.exe" C:\Users\Admin\BKZEX\FIIVR
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Users\Admin\BKZEX\FPCTL.exe
      C:\Users\Admin\BKZEX\FPCTL.exe C:\Users\Admin\BKZEX\KPADT
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:620
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Modifies WinLogon for persistence
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Executes dropped EXE
        
        PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\BKZEX\FIIVR

Filesize
2KB

MD5
a749a4ebad5c07536782d2fcbdf5ecab

SHA1
e9092e86fcaff96c88dd479170b8a39eb308affc

SHA256
671459b1aff08e2b7ed6be4861d54131f9947deac2e8515bac3755897cbc9d48

SHA512
ded6e50a513c3f843f791d24cc7215abc62edc14bc4271d45bca08752adb30c1c01e5c64b2826fe584a833c5d719c0331a1d49ca66a253595a91e2ba0e6a26c1

Download Submit
C:\Users\Admin\BKZEX\FPCTL.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\BKZEX\FPCTL.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\BKZEX\FPCTL.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\BKZEX\JVGDNRLKJT-MKUSC-MYREMDCYGO.vbe

Filesize
1.5MB

MD5
774f30eacaf59fa577af47a3f17a4590

SHA1
0b8dd7f83f3c7b1c7138867bffbaf26e4e3cab2e

SHA256
1ef4bec581fa034a39bfa077bb67f15c760a58c3ba57ea29b9d5925d1dc4be1f

SHA512
5ec963c1c4ba0cde67bf22035060f0fb6400c981755291b76a12acf8686e69a0f9568dc576be9646f2f7f84e452faa6b794f434b40b46f709c12b51db7cd2f16

Download Submit
C:\Users\Admin\BKZEX\KPADT

Filesize
23KB

MD5
c7ad1dca24f05b6082e1f1a02b06ebaa

SHA1
573498d0231f34fe0c9f4b63fd52cb77f4dec3ca

SHA256
60f700d53cb0a8e4739864c667ee89407463c58ce8e978014ce5e533cc72d222

SHA512
d4f5ceb238ec258c558a034a093cc8be82ac9cd3632582566f5573d809d3e9447bd5f6091301cc694c3b00465db4192cf1ce5eabdf50815aac99f758e51bd808

Download Submit
C:\Users\Admin\BKZEX\PFNOH

Filesize
658KB

MD5
3c80e4ba45f298b275b2b830fc052459

SHA1
a29f84c87047967b43b04db9b66e682fe9c0479d

SHA256
36d59a6149564c2987dfdfe6e444cfeac37ddd7855bef747e0eb10e993686e36

SHA512
a644a2a3a148fed289cd426a414949bfb51f0944039f3558c874e3c38707571936144a3a4e43331c22741eabcdf2d79a2b4aa2214fe4b4c6f7af5040a6576ba1

Download Submit
C:\Users\Admin\BKZEX\YMQGIX

Filesize
31KB

MD5
51896e596c27403c9eb42f2a3d52af93

SHA1
5bfe582f77583eed39848c3eabfb9d82b36e3201

SHA256
7c9f9945544a657953fefb6dc2dddea17093605d63a5a9e8034c6820e6106b70

SHA512
c318955d08cd9c1d5638ba72d116106ea8ea6957397850559ac220e180a5822fda6cae40bb4a34bfb10fdc47c56ba9aabcc6a32d5a745131678b98c43d3be1ef

Download Submit
C:\Users\Admin\BKZEX\YYSLH

Filesize
32KB

MD5
4972adeb635709bf63017f4ceaaafa5b

SHA1
7ea31906abf11031cb3936237d8dbbc611a94427

SHA256
1f2f853a6faa2c8693aeddd7c9ca7fb7d431aec2b946898a6a5e2911fd39098a

SHA512
11d22f2af39cfd4e58f5836ba0e027b89c8c49388da5cab63e600d775c34f6ba87051d21a15e928abe3bdc48c0c4f38fa53e9427cdc82967f82fb8454eb98073

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
\Users\Admin\BKZEX\FPCTL.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\BKZEX\FPCTL.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
32KB

MD5
d79f070423fdd3f01ce8c2ba3fbbc8ed

SHA1
2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8

SHA256
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a

SHA512
47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

Download Submit
memory/620-67-0x0000000000000000-mapping.dmp

Download
memory/1044-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1168-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-88-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-84-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-86-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-87-0x000000000048F888-mapping.dmp

Download
memory/1168-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-90-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-92-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1168-98-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1360-59-0x0000000000000000-mapping.dmp

Download
memory/1620-55-0x0000000000000000-mapping.dmp

Download
memory/1656-94-0x0000000000000000-mapping.dmp

Download
memory/1656-99-0x0000000073340000-0x00000000738EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads