darkcomet | bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9

General

Target

bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Size

690KB
MD5

2461a56cc107723c2bbbf1ca4531cda0
SHA1

c995b848906006b28a87ad7e6eeda3e7009d7d6d
SHA256

bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9
SHA512

ec00f0bed2ac52f374c2e84bcfa6cdf990ed7d02d8ede549e69c2c85b8d57858863f65753cc24a3e719597d3d14f5361a92aa1eb80660e85fbbe0a5edb5c4417
SSDEEP

12288:p9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hi8:zZ1xuVVjfFoynPaVBUR8f+kN10EBR

Score

10^/10

darkcomet hack evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Hack

C2

masakalasosas.no-ip.biz:1604

Mutex

DC_MUTEX-WWW0WYT

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
lUw27RbiEGYV
install
true
offline_keylogger
true
persistence
true
reg_key
rundl32

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msdcsc.exeiexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	iexplore.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msdcsc.exeiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	iexplore.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

iexplore.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

iexplore.exemsdcsc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msdcsc.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

4204 msdcsc.exe

pid	process
4204	msdcsc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exemsdcsc.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundl32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundl32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundl32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msdcsc.exe

description pid process target process

PID 4204 set thread context of 4324 4204 msdcsc.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4204 set thread context of 4324	4204	msdcsc.exe	iexplore.exe

Modifies registry class 1 IoCs

Processes:

bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exemsdcsc.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeSecurityPrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeTakeOwnershipPrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeLoadDriverPrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeSystemProfilePrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeSystemtimePrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeProfSingleProcessPrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeIncBasePriorityPrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeCreatePagefilePrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeBackupPrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeRestorePrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeShutdownPrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeDebugPrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeSystemEnvironmentPrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeChangeNotifyPrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeRemoteShutdownPrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeUndockPrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeManageVolumePrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeImpersonatePrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeCreateGlobalPrivilege	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: 33	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: 34	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: 35	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: 36	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
Token: SeIncreaseQuotaPrivilege	4204	msdcsc.exe
Token: SeSecurityPrivilege	4204	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4204	msdcsc.exe
Token: SeLoadDriverPrivilege	4204	msdcsc.exe
Token: SeSystemProfilePrivilege	4204	msdcsc.exe
Token: SeSystemtimePrivilege	4204	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4204	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4204	msdcsc.exe
Token: SeCreatePagefilePrivilege	4204	msdcsc.exe
Token: SeBackupPrivilege	4204	msdcsc.exe
Token: SeRestorePrivilege	4204	msdcsc.exe
Token: SeShutdownPrivilege	4204	msdcsc.exe
Token: SeDebugPrivilege	4204	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4204	msdcsc.exe
Token: SeChangeNotifyPrivilege	4204	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4204	msdcsc.exe
Token: SeUndockPrivilege	4204	msdcsc.exe
Token: SeManageVolumePrivilege	4204	msdcsc.exe
Token: SeImpersonatePrivilege	4204	msdcsc.exe
Token: SeCreateGlobalPrivilege	4204	msdcsc.exe
Token: 33	4204	msdcsc.exe
Token: 34	4204	msdcsc.exe
Token: 35	4204	msdcsc.exe
Token: 36	4204	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	4324	iexplore.exe
Token: SeSecurityPrivilege	4324	iexplore.exe
Token: SeTakeOwnershipPrivilege	4324	iexplore.exe
Token: SeLoadDriverPrivilege	4324	iexplore.exe
Token: SeSystemProfilePrivilege	4324	iexplore.exe
Token: SeSystemtimePrivilege	4324	iexplore.exe
Token: SeProfSingleProcessPrivilege	4324	iexplore.exe
Token: SeIncBasePriorityPrivilege	4324	iexplore.exe
Token: SeCreatePagefilePrivilege	4324	iexplore.exe
Token: SeBackupPrivilege	4324	iexplore.exe
Token: SeRestorePrivilege	4324	iexplore.exe
Token: SeShutdownPrivilege	4324	iexplore.exe
Token: SeDebugPrivilege	4324	iexplore.exe
Token: SeSystemEnvironmentPrivilege	4324	iexplore.exe
Token: SeChangeNotifyPrivilege	4324	iexplore.exe
Token: SeRemoteShutdownPrivilege	4324	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

4324 iexplore.exe

pid	process
4324	iexplore.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exemsdcsc.exe

description	pid	process	target process
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 640	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	notepad.exe
PID 4928 wrote to memory of 4204	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	msdcsc.exe
PID 4928 wrote to memory of 4204	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	msdcsc.exe
PID 4928 wrote to memory of 4204	4928	bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe	msdcsc.exe
PID 4204 wrote to memory of 4324	4204	msdcsc.exe	iexplore.exe
PID 4204 wrote to memory of 4324	4204	msdcsc.exe	iexplore.exe
PID 4204 wrote to memory of 4324	4204	msdcsc.exe	iexplore.exe
PID 4204 wrote to memory of 4324	4204	msdcsc.exe	iexplore.exe
PID 4204 wrote to memory of 4324	4204	msdcsc.exe	iexplore.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe
"C:\Users\Admin\AppData\Local\Temp\bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4204

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

7

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
690KB

MD5
2461a56cc107723c2bbbf1ca4531cda0

SHA1
c995b848906006b28a87ad7e6eeda3e7009d7d6d

SHA256
bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9

SHA512
ec00f0bed2ac52f374c2e84bcfa6cdf990ed7d02d8ede549e69c2c85b8d57858863f65753cc24a3e719597d3d14f5361a92aa1eb80660e85fbbe0a5edb5c4417

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
690KB

MD5
2461a56cc107723c2bbbf1ca4531cda0

SHA1
c995b848906006b28a87ad7e6eeda3e7009d7d6d

SHA256
bef9fe00e494e887578ae0d9053e115bacb63c80b6cf6e6037b2441305c88ae9

SHA512
ec00f0bed2ac52f374c2e84bcfa6cdf990ed7d02d8ede549e69c2c85b8d57858863f65753cc24a3e719597d3d14f5361a92aa1eb80660e85fbbe0a5edb5c4417

Download Submit
memory/640-132-0x0000000000000000-mapping.dmp

Download
memory/4204-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads