darkcomet | 65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6

General

Target

65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Size

748KB
MD5

83ee51d85cd4ff8e04993585fa2ffdd4
SHA1

2b3001d66cc2a502975f7e0c4688f297ba729e2d
SHA256

65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6
SHA512

715ca23574b7c3ec0882b11f241133386bd86d5f2e2845d7cb488262dfce3c160ccff91bad5baa26fa952eddf024cc8ad9839085dcc22f2b51d0c1cb989fe140
SSDEEP

12288:dk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+rqMd0QZp:u0QRWoJEfg0oChGdJQbjPbNW5tYeP+Gq

Score

10^/10

darkcomet mobd evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

mobd

C2

72.78.91.89:1604

Mutex

DC_MUTEX-F54S21D

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
jhly2TMuqK8k
install
true
offline_keylogger
false
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe"	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msdcsc.exeiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	iexplore.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

msdcsc.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	iexplore.exe

Drops file in Drivers directory 1 IoCs

Processes:

65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

544 msdcsc.exe

pid	process
544	msdcsc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

msdcsc.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exemsdcsc.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe"	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe"	iexplore.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msdcsc.exe

description pid process target process

PID 544 set thread context of 4876 544 msdcsc.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3480 PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4876 iexplore.exe

description	pid	process	target process
PID 544 set thread context of 4876	544	msdcsc.exe	iexplore.exe

pid	process
3480	PING.EXE

pid	process
4876	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exemsdcsc.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeSecurityPrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeTakeOwnershipPrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeLoadDriverPrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeSystemProfilePrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeSystemtimePrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeProfSingleProcessPrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeIncBasePriorityPrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeCreatePagefilePrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeBackupPrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeRestorePrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeShutdownPrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeDebugPrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeSystemEnvironmentPrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeChangeNotifyPrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeRemoteShutdownPrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeUndockPrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeManageVolumePrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeImpersonatePrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeCreateGlobalPrivilege	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: 33	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: 34	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: 35	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: 36	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
Token: SeIncreaseQuotaPrivilege	544	msdcsc.exe
Token: SeSecurityPrivilege	544	msdcsc.exe
Token: SeTakeOwnershipPrivilege	544	msdcsc.exe
Token: SeLoadDriverPrivilege	544	msdcsc.exe
Token: SeSystemProfilePrivilege	544	msdcsc.exe
Token: SeSystemtimePrivilege	544	msdcsc.exe
Token: SeProfSingleProcessPrivilege	544	msdcsc.exe
Token: SeIncBasePriorityPrivilege	544	msdcsc.exe
Token: SeCreatePagefilePrivilege	544	msdcsc.exe
Token: SeBackupPrivilege	544	msdcsc.exe
Token: SeRestorePrivilege	544	msdcsc.exe
Token: SeShutdownPrivilege	544	msdcsc.exe
Token: SeDebugPrivilege	544	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	544	msdcsc.exe
Token: SeChangeNotifyPrivilege	544	msdcsc.exe
Token: SeRemoteShutdownPrivilege	544	msdcsc.exe
Token: SeUndockPrivilege	544	msdcsc.exe
Token: SeManageVolumePrivilege	544	msdcsc.exe
Token: SeImpersonatePrivilege	544	msdcsc.exe
Token: SeCreateGlobalPrivilege	544	msdcsc.exe
Token: 33	544	msdcsc.exe
Token: 34	544	msdcsc.exe
Token: 35	544	msdcsc.exe
Token: 36	544	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	4876	iexplore.exe
Token: SeSecurityPrivilege	4876	iexplore.exe
Token: SeTakeOwnershipPrivilege	4876	iexplore.exe
Token: SeLoadDriverPrivilege	4876	iexplore.exe
Token: SeSystemProfilePrivilege	4876	iexplore.exe
Token: SeSystemtimePrivilege	4876	iexplore.exe
Token: SeProfSingleProcessPrivilege	4876	iexplore.exe
Token: SeIncBasePriorityPrivilege	4876	iexplore.exe
Token: SeCreatePagefilePrivilege	4876	iexplore.exe
Token: SeBackupPrivilege	4876	iexplore.exe
Token: SeRestorePrivilege	4876	iexplore.exe
Token: SeShutdownPrivilege	4876	iexplore.exe
Token: SeDebugPrivilege	4876	iexplore.exe
Token: SeSystemEnvironmentPrivilege	4876	iexplore.exe
Token: SeChangeNotifyPrivilege	4876	iexplore.exe
Token: SeRemoteShutdownPrivilege	4876	iexplore.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.execmd.exemsdcsc.exe

description	pid	process	target process
PID 5016 wrote to memory of 5024	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe	cmd.exe
PID 5016 wrote to memory of 5024	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe	cmd.exe
PID 5016 wrote to memory of 5024	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe	cmd.exe
PID 5016 wrote to memory of 544	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe	msdcsc.exe
PID 5016 wrote to memory of 544	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe	msdcsc.exe
PID 5016 wrote to memory of 544	5016	65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe	msdcsc.exe
PID 5024 wrote to memory of 3480	5024	cmd.exe	PING.EXE
PID 5024 wrote to memory of 3480	5024	cmd.exe	PING.EXE
PID 5024 wrote to memory of 3480	5024	cmd.exe	PING.EXE
PID 544 wrote to memory of 4876	544	msdcsc.exe	iexplore.exe
PID 544 wrote to memory of 4876	544	msdcsc.exe	iexplore.exe
PID 544 wrote to memory of 4876	544	msdcsc.exe	iexplore.exe
PID 544 wrote to memory of 4876	544	msdcsc.exe	iexplore.exe
PID 544 wrote to memory of 4876	544	msdcsc.exe	iexplore.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

msdcsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe
"C:\Users\Admin\AppData\Local\Temp\65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
3⤵
- Runs ping.exe
PID:3480

C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe
"C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe"
2⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:544

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Modifies security service
- Windows security bypass
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

6

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe
Filesize
748KB

MD5
83ee51d85cd4ff8e04993585fa2ffdd4

SHA1
2b3001d66cc2a502975f7e0c4688f297ba729e2d

SHA256
65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6

SHA512
715ca23574b7c3ec0882b11f241133386bd86d5f2e2845d7cb488262dfce3c160ccff91bad5baa26fa952eddf024cc8ad9839085dcc22f2b51d0c1cb989fe140

Download Submit
C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe
Filesize
748KB

MD5
83ee51d85cd4ff8e04993585fa2ffdd4

SHA1
2b3001d66cc2a502975f7e0c4688f297ba729e2d

SHA256
65b1c2b02f95d0cdda9636d6e337bf6440ec000ce592cd30140ee2eeb9f34ea6

SHA512
715ca23574b7c3ec0882b11f241133386bd86d5f2e2845d7cb488262dfce3c160ccff91bad5baa26fa952eddf024cc8ad9839085dcc22f2b51d0c1cb989fe140

Download Submit
memory/544-133-0x0000000000000000-mapping.dmp

Download
memory/3480-136-0x0000000000000000-mapping.dmp

Download
memory/5024-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads