darkcomet | dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1

General

Target

dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Size

285KB
MD5

4c4b6cd307cd62ff89d28a5aa750d4c4
SHA1

46d2345b3d46b7561e48bae5fb229681dcff0c59
SHA256

dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1
SHA512

f1c66bb92f0bd8891b0fd9f6189673580629316d5a289be93d1ecf4bc7751f9552bb5d7326aa27d75dbe3d38a883be2cbd2e143690611ecbd465f09ee16c7183
SSDEEP

6144:Tlb6SDOiIN4o2cOMayarS0IjX7n6wXmzbBFXPE:T0Siiu2cOMayaZerXXmhFXPE

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\mshhdcsc.exe"	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe

Executes dropped EXE 1 IoCs

Processes:

mshhdcsc.exe

pid process

592 mshhdcsc.exe

pid	process
592	mshhdcsc.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\Documents\MSDCSC\mshhdcsc.exe	upx
\Users\Admin\Documents\MSDCSC\mshhdcsc.exe	upx
C:\Users\Admin\Documents\MSDCSC\mshhdcsc.exe	upx
behavioral1/memory/1004-60-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
C:\Users\Admin\Documents\MSDCSC\mshhdcsc.exe	upx
behavioral1/memory/592-62-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe

pid	process
1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdateii = "C:\\Users\\Admin\\Documents\\MSDCSC\\mshhdcsc.exe"	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

mshhdcsc.exe

description pid process target process

PID 592 set thread context of 1908 592 mshhdcsc.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 592 set thread context of 1908	592	mshhdcsc.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exemshhdcsc.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeSecurityPrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeTakeOwnershipPrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeLoadDriverPrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeSystemProfilePrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeSystemtimePrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeProfSingleProcessPrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeIncBasePriorityPrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeCreatePagefilePrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeBackupPrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeRestorePrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeShutdownPrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeDebugPrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeSystemEnvironmentPrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeChangeNotifyPrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeRemoteShutdownPrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeUndockPrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeManageVolumePrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeImpersonatePrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeCreateGlobalPrivilege	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: 33	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: 34	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: 35	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Token: SeIncreaseQuotaPrivilege	592	mshhdcsc.exe
Token: SeSecurityPrivilege	592	mshhdcsc.exe
Token: SeTakeOwnershipPrivilege	592	mshhdcsc.exe
Token: SeLoadDriverPrivilege	592	mshhdcsc.exe
Token: SeSystemProfilePrivilege	592	mshhdcsc.exe
Token: SeSystemtimePrivilege	592	mshhdcsc.exe
Token: SeProfSingleProcessPrivilege	592	mshhdcsc.exe
Token: SeIncBasePriorityPrivilege	592	mshhdcsc.exe
Token: SeCreatePagefilePrivilege	592	mshhdcsc.exe
Token: SeBackupPrivilege	592	mshhdcsc.exe
Token: SeRestorePrivilege	592	mshhdcsc.exe
Token: SeShutdownPrivilege	592	mshhdcsc.exe
Token: SeDebugPrivilege	592	mshhdcsc.exe
Token: SeSystemEnvironmentPrivilege	592	mshhdcsc.exe
Token: SeChangeNotifyPrivilege	592	mshhdcsc.exe
Token: SeRemoteShutdownPrivilege	592	mshhdcsc.exe
Token: SeUndockPrivilege	592	mshhdcsc.exe
Token: SeManageVolumePrivilege	592	mshhdcsc.exe
Token: SeImpersonatePrivilege	592	mshhdcsc.exe
Token: SeCreateGlobalPrivilege	592	mshhdcsc.exe
Token: 33	592	mshhdcsc.exe
Token: 34	592	mshhdcsc.exe
Token: 35	592	mshhdcsc.exe
Token: SeIncreaseQuotaPrivilege	1908	iexplore.exe
Token: SeSecurityPrivilege	1908	iexplore.exe
Token: SeTakeOwnershipPrivilege	1908	iexplore.exe
Token: SeLoadDriverPrivilege	1908	iexplore.exe
Token: SeSystemProfilePrivilege	1908	iexplore.exe
Token: SeSystemtimePrivilege	1908	iexplore.exe
Token: SeProfSingleProcessPrivilege	1908	iexplore.exe
Token: SeIncBasePriorityPrivilege	1908	iexplore.exe
Token: SeCreatePagefilePrivilege	1908	iexplore.exe
Token: SeBackupPrivilege	1908	iexplore.exe
Token: SeRestorePrivilege	1908	iexplore.exe
Token: SeShutdownPrivilege	1908	iexplore.exe
Token: SeDebugPrivilege	1908	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1908	iexplore.exe
Token: SeChangeNotifyPrivilege	1908	iexplore.exe
Token: SeRemoteShutdownPrivilege	1908	iexplore.exe
Token: SeUndockPrivilege	1908	iexplore.exe
Token: SeManageVolumePrivilege	1908	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

1908 iexplore.exe

pid	process
1908	iexplore.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exemshhdcsc.exe

description	pid	process	target process
PID 1004 wrote to memory of 592	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe	mshhdcsc.exe
PID 1004 wrote to memory of 592	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe	mshhdcsc.exe
PID 1004 wrote to memory of 592	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe	mshhdcsc.exe
PID 1004 wrote to memory of 592	1004	dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe	mshhdcsc.exe
PID 592 wrote to memory of 1908	592	mshhdcsc.exe	iexplore.exe
PID 592 wrote to memory of 1908	592	mshhdcsc.exe	iexplore.exe
PID 592 wrote to memory of 1908	592	mshhdcsc.exe	iexplore.exe
PID 592 wrote to memory of 1908	592	mshhdcsc.exe	iexplore.exe
PID 592 wrote to memory of 1908	592	mshhdcsc.exe	iexplore.exe
PID 592 wrote to memory of 1908	592	mshhdcsc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
"C:\Users\Admin\AppData\Local\Temp\dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\Documents\MSDCSC\mshhdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\mshhdcsc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\mshhdcsc.exe
Filesize
285KB

MD5
4c4b6cd307cd62ff89d28a5aa750d4c4

SHA1
46d2345b3d46b7561e48bae5fb229681dcff0c59

SHA256
dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1

SHA512
f1c66bb92f0bd8891b0fd9f6189673580629316d5a289be93d1ecf4bc7751f9552bb5d7326aa27d75dbe3d38a883be2cbd2e143690611ecbd465f09ee16c7183

Download Submit
C:\Users\Admin\Documents\MSDCSC\mshhdcsc.exe
Filesize
285KB

MD5
4c4b6cd307cd62ff89d28a5aa750d4c4

SHA1
46d2345b3d46b7561e48bae5fb229681dcff0c59

SHA256
dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1

SHA512
f1c66bb92f0bd8891b0fd9f6189673580629316d5a289be93d1ecf4bc7751f9552bb5d7326aa27d75dbe3d38a883be2cbd2e143690611ecbd465f09ee16c7183

Download Submit
\Users\Admin\Documents\MSDCSC\mshhdcsc.exe
Filesize
285KB

MD5
4c4b6cd307cd62ff89d28a5aa750d4c4

SHA1
46d2345b3d46b7561e48bae5fb229681dcff0c59

SHA256
dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1

SHA512
f1c66bb92f0bd8891b0fd9f6189673580629316d5a289be93d1ecf4bc7751f9552bb5d7326aa27d75dbe3d38a883be2cbd2e143690611ecbd465f09ee16c7183

Download Submit
\Users\Admin\Documents\MSDCSC\mshhdcsc.exe
Filesize
285KB

MD5
4c4b6cd307cd62ff89d28a5aa750d4c4

SHA1
46d2345b3d46b7561e48bae5fb229681dcff0c59

SHA256
dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1

SHA512
f1c66bb92f0bd8891b0fd9f6189673580629316d5a289be93d1ecf4bc7751f9552bb5d7326aa27d75dbe3d38a883be2cbd2e143690611ecbd465f09ee16c7183

Download Submit
memory/592-57-0x0000000000000000-mapping.dmp

Download
memory/592-62-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1004-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1004-60-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads