darkcomet | 2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96

General

Target

2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Size

658KB
MD5

cf19f9462959aff7ccb2ad1dc9c120f4
SHA1

8629f0bef6d30ac285a67b9abba6a3951668cb77
SHA256

2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96
SHA512

74906f232c1ff409ee839606f20292318d40a7819676558781be50f8c782d8295e3694f335310cdaf2b7bb4dd31979b345ff7d956342f627825304c1511804ce
SSDEEP

12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h1:KZ1xuVVjfFoynPaVBUR8f+kN10EBH

Score

10^/10

darkcomet roblox evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Roblox

C2

themarlborough.co.vu:13666

Mutex

DC_MUTEX-JNP1KZ5

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
6yMzjHHDLNnH
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

3388 msdcsc.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

224 attrib.exe

pid	process
3388	msdcsc.exe

pid	process
224	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeSecurityPrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeTakeOwnershipPrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeLoadDriverPrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeSystemProfilePrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeSystemtimePrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeProfSingleProcessPrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeIncBasePriorityPrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeCreatePagefilePrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeBackupPrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeRestorePrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeShutdownPrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeDebugPrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeSystemEnvironmentPrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeChangeNotifyPrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeRemoteShutdownPrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeUndockPrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeManageVolumePrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeImpersonatePrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeCreateGlobalPrivilege	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: 33	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: 34	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: 35	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: 36	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
Token: SeIncreaseQuotaPrivilege	3388	msdcsc.exe
Token: SeSecurityPrivilege	3388	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3388	msdcsc.exe
Token: SeLoadDriverPrivilege	3388	msdcsc.exe
Token: SeSystemProfilePrivilege	3388	msdcsc.exe
Token: SeSystemtimePrivilege	3388	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3388	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3388	msdcsc.exe
Token: SeCreatePagefilePrivilege	3388	msdcsc.exe
Token: SeBackupPrivilege	3388	msdcsc.exe
Token: SeRestorePrivilege	3388	msdcsc.exe
Token: SeShutdownPrivilege	3388	msdcsc.exe
Token: SeDebugPrivilege	3388	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3388	msdcsc.exe
Token: SeChangeNotifyPrivilege	3388	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3388	msdcsc.exe
Token: SeUndockPrivilege	3388	msdcsc.exe
Token: SeManageVolumePrivilege	3388	msdcsc.exe
Token: SeImpersonatePrivilege	3388	msdcsc.exe
Token: SeCreateGlobalPrivilege	3388	msdcsc.exe
Token: 33	3388	msdcsc.exe
Token: 34	3388	msdcsc.exe
Token: 35	3388	msdcsc.exe
Token: 36	3388	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

3388 msdcsc.exe

pid	process
3388	msdcsc.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.execmd.exemsdcsc.exe

description	pid	process	target process
PID 4152 wrote to memory of 8	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe	cmd.exe
PID 4152 wrote to memory of 8	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe	cmd.exe
PID 4152 wrote to memory of 8	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe	cmd.exe
PID 8 wrote to memory of 224	8	cmd.exe	attrib.exe
PID 8 wrote to memory of 224	8	cmd.exe	attrib.exe
PID 8 wrote to memory of 224	8	cmd.exe	attrib.exe
PID 4152 wrote to memory of 3388	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe	msdcsc.exe
PID 4152 wrote to memory of 3388	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe	msdcsc.exe
PID 4152 wrote to memory of 3388	4152	2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe	msdcsc.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe
PID 3388 wrote to memory of 2144	3388	msdcsc.exe	notepad.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

224 attrib.exe

pid	process
224	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe
"C:\Users\Admin\AppData\Local\Temp\2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:224

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
2⤵
- Modifies firewall policy service
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:2144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

Filesize
658KB

MD5
cf19f9462959aff7ccb2ad1dc9c120f4

SHA1
8629f0bef6d30ac285a67b9abba6a3951668cb77

SHA256
2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96

SHA512
74906f232c1ff409ee839606f20292318d40a7819676558781be50f8c782d8295e3694f335310cdaf2b7bb4dd31979b345ff7d956342f627825304c1511804ce

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

Filesize
658KB

MD5
cf19f9462959aff7ccb2ad1dc9c120f4

SHA1
8629f0bef6d30ac285a67b9abba6a3951668cb77

SHA256
2cdff52c6be0d1ef4cb89dea1f611e00465cc3a316e109d14aa4525f64e89f96

SHA512
74906f232c1ff409ee839606f20292318d40a7819676558781be50f8c782d8295e3694f335310cdaf2b7bb4dd31979b345ff7d956342f627825304c1511804ce

Download Submit
memory/8-132-0x0000000000000000-mapping.dmp

Download
memory/224-133-0x0000000000000000-mapping.dmp

Download
memory/2144-137-0x0000000000000000-mapping.dmp

Download
memory/3388-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads