darkcomet | 81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14

General

Target

81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Size

1004KB
MD5

a60109684df6f7ee0d7f942956464212
SHA1

4262a7dfff7827f3cc3144c5334d28bfab5c8594
SHA256

81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14
SHA512

cdf617a1825d33e0a3c32557003214f0e662f3c40709c29e21cf02c6bc6f75ce1299aea1606c9ed3c12aa5b756472285ecb34e22c33c7bb10fd7a191176b00b7
SSDEEP

24576:8Z1xuVVjfFoynPaVBUR8f+kN10EBrC8rnzJ:sQDgok30wC8h

Score

10^/10

darkcomet guest persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest

C2

rathostyes.no-ip.biz:200

Mutex

DC_MUTEX-H2N8TTG

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
SdzuEnJoJxxU
install
true
offline_keylogger
true
persistence
true
reg_key
rundll.exe

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

1212 msdcsc.exe

pid	process
1212	msdcsc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeSecurityPrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeTakeOwnershipPrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeLoadDriverPrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeSystemProfilePrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeSystemtimePrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeProfSingleProcessPrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeIncBasePriorityPrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeCreatePagefilePrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeBackupPrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeRestorePrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeShutdownPrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeDebugPrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeSystemEnvironmentPrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeChangeNotifyPrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeRemoteShutdownPrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeUndockPrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeManageVolumePrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeImpersonatePrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeCreateGlobalPrivilege	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: 33	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: 34	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: 35	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: 36	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
Token: SeIncreaseQuotaPrivilege	1212	msdcsc.exe
Token: SeSecurityPrivilege	1212	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1212	msdcsc.exe
Token: SeLoadDriverPrivilege	1212	msdcsc.exe
Token: SeSystemProfilePrivilege	1212	msdcsc.exe
Token: SeSystemtimePrivilege	1212	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1212	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1212	msdcsc.exe
Token: SeCreatePagefilePrivilege	1212	msdcsc.exe
Token: SeBackupPrivilege	1212	msdcsc.exe
Token: SeRestorePrivilege	1212	msdcsc.exe
Token: SeShutdownPrivilege	1212	msdcsc.exe
Token: SeDebugPrivilege	1212	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1212	msdcsc.exe
Token: SeChangeNotifyPrivilege	1212	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1212	msdcsc.exe
Token: SeUndockPrivilege	1212	msdcsc.exe
Token: SeManageVolumePrivilege	1212	msdcsc.exe
Token: SeImpersonatePrivilege	1212	msdcsc.exe
Token: SeCreateGlobalPrivilege	1212	msdcsc.exe
Token: 33	1212	msdcsc.exe
Token: 34	1212	msdcsc.exe
Token: 35	1212	msdcsc.exe
Token: 36	1212	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

1212 msdcsc.exe

pid	process
1212	msdcsc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe

description	pid	process	target process
PID 4964 wrote to memory of 1212	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe	msdcsc.exe
PID 4964 wrote to memory of 1212	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe	msdcsc.exe
PID 4964 wrote to memory of 1212	4964	81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe
"C:\Users\Admin\AppData\Local\Temp\81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
1004KB

MD5
a60109684df6f7ee0d7f942956464212

SHA1
4262a7dfff7827f3cc3144c5334d28bfab5c8594

SHA256
81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14

SHA512
cdf617a1825d33e0a3c32557003214f0e662f3c40709c29e21cf02c6bc6f75ce1299aea1606c9ed3c12aa5b756472285ecb34e22c33c7bb10fd7a191176b00b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
1004KB

MD5
a60109684df6f7ee0d7f942956464212

SHA1
4262a7dfff7827f3cc3144c5334d28bfab5c8594

SHA256
81c0798a953e92757be93a26186fc240ed0a0c5e9c8787b549b0bc877e5e5f14

SHA512
cdf617a1825d33e0a3c32557003214f0e662f3c40709c29e21cf02c6bc6f75ce1299aea1606c9ed3c12aa5b756472285ecb34e22c33c7bb10fd7a191176b00b7

Download Submit
memory/1212-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads