darkcomet | 691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842

General

Target

691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Size

669KB
MD5

13a3abab1f3ca40b9bc4f4ff2b558a03
SHA1

726b227683170247215d4b166a9300b184bee157
SHA256

691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842
SHA512

4c99b45a6bc1ed6db443bac9454db3c3964084b0f74eb013b3eb097701ef0881f40972f32583bb00b962058db57ee29cdff624fe20acb878caa7250c17294715
SSDEEP

12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hdog:eZ1xuVVjfFoynPaVBUR8f+kN10EBHog

Score

10^/10

darkcomet omegle spread persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Omegle Spread

C2

imagineworms.servegame.com:25444

Mutex

DC_MUTEX-PPDVM7L

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
eVap6A2UW66f
install
true
offline_keylogger
true
persistence
true
reg_key
MicrosoftMalisusProgramsRemovalTool

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

1180 msdcsc.exe

pid	process
1180	msdcsc.exe

Loads dropped DLL 2 IoCs

Processes:

691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe

pid	process
940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exemsdcsc.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftMalisusProgramsRemovalTool = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftMalisusProgramsRemovalTool = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftMalisusProgramsRemovalTool = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msdcsc.exe

description pid process target process

PID 1180 set thread context of 928 1180 msdcsc.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1180 set thread context of 928	1180	msdcsc.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exemsdcsc.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeSecurityPrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeTakeOwnershipPrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeLoadDriverPrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeSystemProfilePrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeSystemtimePrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeProfSingleProcessPrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeIncBasePriorityPrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeCreatePagefilePrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeBackupPrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeRestorePrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeShutdownPrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeDebugPrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeSystemEnvironmentPrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeChangeNotifyPrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeRemoteShutdownPrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeUndockPrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeManageVolumePrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeImpersonatePrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeCreateGlobalPrivilege	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: 33	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: 34	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: 35	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
Token: SeIncreaseQuotaPrivilege	1180	msdcsc.exe
Token: SeSecurityPrivilege	1180	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1180	msdcsc.exe
Token: SeLoadDriverPrivilege	1180	msdcsc.exe
Token: SeSystemProfilePrivilege	1180	msdcsc.exe
Token: SeSystemtimePrivilege	1180	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1180	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1180	msdcsc.exe
Token: SeCreatePagefilePrivilege	1180	msdcsc.exe
Token: SeBackupPrivilege	1180	msdcsc.exe
Token: SeRestorePrivilege	1180	msdcsc.exe
Token: SeShutdownPrivilege	1180	msdcsc.exe
Token: SeDebugPrivilege	1180	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1180	msdcsc.exe
Token: SeChangeNotifyPrivilege	1180	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1180	msdcsc.exe
Token: SeUndockPrivilege	1180	msdcsc.exe
Token: SeManageVolumePrivilege	1180	msdcsc.exe
Token: SeImpersonatePrivilege	1180	msdcsc.exe
Token: SeCreateGlobalPrivilege	1180	msdcsc.exe
Token: 33	1180	msdcsc.exe
Token: 34	1180	msdcsc.exe
Token: 35	1180	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	928	iexplore.exe
Token: SeSecurityPrivilege	928	iexplore.exe
Token: SeTakeOwnershipPrivilege	928	iexplore.exe
Token: SeLoadDriverPrivilege	928	iexplore.exe
Token: SeSystemProfilePrivilege	928	iexplore.exe
Token: SeSystemtimePrivilege	928	iexplore.exe
Token: SeProfSingleProcessPrivilege	928	iexplore.exe
Token: SeIncBasePriorityPrivilege	928	iexplore.exe
Token: SeCreatePagefilePrivilege	928	iexplore.exe
Token: SeBackupPrivilege	928	iexplore.exe
Token: SeRestorePrivilege	928	iexplore.exe
Token: SeShutdownPrivilege	928	iexplore.exe
Token: SeDebugPrivilege	928	iexplore.exe
Token: SeSystemEnvironmentPrivilege	928	iexplore.exe
Token: SeChangeNotifyPrivilege	928	iexplore.exe
Token: SeRemoteShutdownPrivilege	928	iexplore.exe
Token: SeUndockPrivilege	928	iexplore.exe
Token: SeManageVolumePrivilege	928	iexplore.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

DllHost.exe

pid process

268 DllHost.exe
268 DllHost.exe
268 DllHost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplore.exe

pid process

928 iexplore.exe

pid	process
268	DllHost.exe
268	DllHost.exe
268	DllHost.exe

pid	process
928	iexplore.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exemsdcsc.exe

description	pid	process	target process
PID 940 wrote to memory of 1180	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe	msdcsc.exe
PID 940 wrote to memory of 1180	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe	msdcsc.exe
PID 940 wrote to memory of 1180	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe	msdcsc.exe
PID 940 wrote to memory of 1180	940	691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe	msdcsc.exe
PID 1180 wrote to memory of 928	1180	msdcsc.exe	iexplore.exe
PID 1180 wrote to memory of 928	1180	msdcsc.exe	iexplore.exe
PID 1180 wrote to memory of 928	1180	msdcsc.exe	iexplore.exe
PID 1180 wrote to memory of 928	1180	msdcsc.exe	iexplore.exe
PID 1180 wrote to memory of 928	1180	msdcsc.exe	iexplore.exe
PID 1180 wrote to memory of 928	1180	msdcsc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe
"C:\Users\Admin\AppData\Local\Temp\691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:928

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MY PORN PROFILE PICTURE.JPEG

Filesize
10KB

MD5
bb09d2e5e97bddb4c66a8f573f39f9e0

SHA1
d10696a2a8a8634192dc0b71fd04ea640ff28847

SHA256
e806d648e632aa979793c49833537e12e1ff6ac8a13705dd6802c9c51bf1f828

SHA512
0e3e6f4c0758f5be0c181b042712c5a895c7d61c4df16ac9525d4dd5f633a563fd470ac5f47ee5f615a3d9f660bf3d9cc10b5756894efe7e36df8d4b21fed4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MY PORN PROFILE PICTURE.JPEG

Filesize
10KB

MD5
bb09d2e5e97bddb4c66a8f573f39f9e0

SHA1
d10696a2a8a8634192dc0b71fd04ea640ff28847

SHA256
e806d648e632aa979793c49833537e12e1ff6ac8a13705dd6802c9c51bf1f828

SHA512
0e3e6f4c0758f5be0c181b042712c5a895c7d61c4df16ac9525d4dd5f633a563fd470ac5f47ee5f615a3d9f660bf3d9cc10b5756894efe7e36df8d4b21fed4f9

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
669KB

MD5
13a3abab1f3ca40b9bc4f4ff2b558a03

SHA1
726b227683170247215d4b166a9300b184bee157

SHA256
691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842

SHA512
4c99b45a6bc1ed6db443bac9454db3c3964084b0f74eb013b3eb097701ef0881f40972f32583bb00b962058db57ee29cdff624fe20acb878caa7250c17294715

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
669KB

MD5
13a3abab1f3ca40b9bc4f4ff2b558a03

SHA1
726b227683170247215d4b166a9300b184bee157

SHA256
691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842

SHA512
4c99b45a6bc1ed6db443bac9454db3c3964084b0f74eb013b3eb097701ef0881f40972f32583bb00b962058db57ee29cdff624fe20acb878caa7250c17294715

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
669KB

MD5
13a3abab1f3ca40b9bc4f4ff2b558a03

SHA1
726b227683170247215d4b166a9300b184bee157

SHA256
691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842

SHA512
4c99b45a6bc1ed6db443bac9454db3c3964084b0f74eb013b3eb097701ef0881f40972f32583bb00b962058db57ee29cdff624fe20acb878caa7250c17294715

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
669KB

MD5
13a3abab1f3ca40b9bc4f4ff2b558a03

SHA1
726b227683170247215d4b166a9300b184bee157

SHA256
691c93715ef612042db053b78ee413e91151869a53d8b4431ae0db9e1087b842

SHA512
4c99b45a6bc1ed6db443bac9454db3c3964084b0f74eb013b3eb097701ef0881f40972f32583bb00b962058db57ee29cdff624fe20acb878caa7250c17294715

Download Submit
memory/940-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1180-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads