darkcomet | d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9

Analysis

max time kernel
137s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe
Size

1.1MB
MD5

137319b57917990ab6f6194ce1e1bddb
SHA1

81bf8fa08378780f518daebc73d0d75131551d59
SHA256

d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9
SHA512

92ddf23265a9c631ee421590d44fc19483cda59c7c93d055c434aad41a14d394797d5dd0765fb5baf67cf512ae336d7115215dfec9754e8d4ace7b514c8b335e
SSDEEP

24576:tY3l3nbWmJVJFwSddIXvfhqbiaxvRxq9DmS+s+:tYxamdZdcBYJs+

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	LocalLzafYSOLLn.exe

Executes dropped EXE 2 IoCs

pid	Process
1292	LocalLzafYSOLLn.exe
568	msdcsc.exe

Loads dropped DLL 2 IoCs

pid	Process
1292	LocalLzafYSOLLn.exe
1292	LocalLzafYSOLLn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	LocalLzafYSOLLn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 568 set thread context of 1524	568	msdcsc.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1292	LocalLzafYSOLLn.exe
Token: SeSecurityPrivilege	1292	LocalLzafYSOLLn.exe
Token: SeTakeOwnershipPrivilege	1292	LocalLzafYSOLLn.exe
Token: SeLoadDriverPrivilege	1292	LocalLzafYSOLLn.exe
Token: SeSystemProfilePrivilege	1292	LocalLzafYSOLLn.exe
Token: SeSystemtimePrivilege	1292	LocalLzafYSOLLn.exe
Token: SeProfSingleProcessPrivilege	1292	LocalLzafYSOLLn.exe
Token: SeIncBasePriorityPrivilege	1292	LocalLzafYSOLLn.exe
Token: SeCreatePagefilePrivilege	1292	LocalLzafYSOLLn.exe
Token: SeBackupPrivilege	1292	LocalLzafYSOLLn.exe
Token: SeRestorePrivilege	1292	LocalLzafYSOLLn.exe
Token: SeShutdownPrivilege	1292	LocalLzafYSOLLn.exe
Token: SeDebugPrivilege	1292	LocalLzafYSOLLn.exe
Token: SeSystemEnvironmentPrivilege	1292	LocalLzafYSOLLn.exe
Token: SeChangeNotifyPrivilege	1292	LocalLzafYSOLLn.exe
Token: SeRemoteShutdownPrivilege	1292	LocalLzafYSOLLn.exe
Token: SeUndockPrivilege	1292	LocalLzafYSOLLn.exe
Token: SeManageVolumePrivilege	1292	LocalLzafYSOLLn.exe
Token: SeImpersonatePrivilege	1292	LocalLzafYSOLLn.exe
Token: SeCreateGlobalPrivilege	1292	LocalLzafYSOLLn.exe
Token: 33	1292	LocalLzafYSOLLn.exe
Token: 34	1292	LocalLzafYSOLLn.exe
Token: 35	1292	LocalLzafYSOLLn.exe
Token: SeIncreaseQuotaPrivilege	568	msdcsc.exe
Token: SeSecurityPrivilege	568	msdcsc.exe
Token: SeTakeOwnershipPrivilege	568	msdcsc.exe
Token: SeLoadDriverPrivilege	568	msdcsc.exe
Token: SeSystemProfilePrivilege	568	msdcsc.exe
Token: SeSystemtimePrivilege	568	msdcsc.exe
Token: SeProfSingleProcessPrivilege	568	msdcsc.exe
Token: SeIncBasePriorityPrivilege	568	msdcsc.exe
Token: SeCreatePagefilePrivilege	568	msdcsc.exe
Token: SeBackupPrivilege	568	msdcsc.exe
Token: SeRestorePrivilege	568	msdcsc.exe
Token: SeShutdownPrivilege	568	msdcsc.exe
Token: SeDebugPrivilege	568	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	568	msdcsc.exe
Token: SeChangeNotifyPrivilege	568	msdcsc.exe
Token: SeRemoteShutdownPrivilege	568	msdcsc.exe
Token: SeUndockPrivilege	568	msdcsc.exe
Token: SeManageVolumePrivilege	568	msdcsc.exe
Token: SeImpersonatePrivilege	568	msdcsc.exe
Token: SeCreateGlobalPrivilege	568	msdcsc.exe
Token: 33	568	msdcsc.exe
Token: 34	568	msdcsc.exe
Token: 35	568	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	1524	iexplore.exe
Token: SeSecurityPrivilege	1524	iexplore.exe
Token: SeTakeOwnershipPrivilege	1524	iexplore.exe
Token: SeLoadDriverPrivilege	1524	iexplore.exe
Token: SeSystemProfilePrivilege	1524	iexplore.exe
Token: SeSystemtimePrivilege	1524	iexplore.exe
Token: SeProfSingleProcessPrivilege	1524	iexplore.exe
Token: SeIncBasePriorityPrivilege	1524	iexplore.exe
Token: SeCreatePagefilePrivilege	1524	iexplore.exe
Token: SeBackupPrivilege	1524	iexplore.exe
Token: SeRestorePrivilege	1524	iexplore.exe
Token: SeShutdownPrivilege	1524	iexplore.exe
Token: SeDebugPrivilege	1524	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1524	iexplore.exe
Token: SeChangeNotifyPrivilege	1524	iexplore.exe
Token: SeRemoteShutdownPrivilege	1524	iexplore.exe
Token: SeUndockPrivilege	1524	iexplore.exe
Token: SeManageVolumePrivilege	1524	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1524	iexplore.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1292	1416	d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe	27
PID 1416 wrote to memory of 1292	1416	d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe	27
PID 1416 wrote to memory of 1292	1416	d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe	27
PID 1416 wrote to memory of 1292	1416	d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe	27
PID 1292 wrote to memory of 568	1292	LocalLzafYSOLLn.exe	29
PID 1292 wrote to memory of 568	1292	LocalLzafYSOLLn.exe	29
PID 1292 wrote to memory of 568	1292	LocalLzafYSOLLn.exe	29
PID 1292 wrote to memory of 568	1292	LocalLzafYSOLLn.exe	29
PID 568 wrote to memory of 1524	568	msdcsc.exe	30
PID 568 wrote to memory of 1524	568	msdcsc.exe	30
PID 568 wrote to memory of 1524	568	msdcsc.exe	30
PID 568 wrote to memory of 1524	568	msdcsc.exe	30
PID 568 wrote to memory of 1524	568	msdcsc.exe	30
PID 568 wrote to memory of 1524	568	msdcsc.exe	30

C:\Users\Admin\AppData\Local\Temp\d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe
"C:\Users\Admin\AppData\Local\Temp\d6127652881b3b5458a520c3a310af7fca6a062f82c8b7949955a0d556d898b9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\LocalLzafYSOLLn.exe
  "C:\Users\Admin\AppData\LocalLzafYSOLLn.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
    "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

Filesize
723KB

MD5
f302d36bd8d7f3f84fe74ed6fdafaf0a

SHA1
634bf8474a6c38772190ade14a8e6a56451d3fe6

SHA256
a463d36d76190c6b4b2a21aeb1a30e1d647f70cfaa33718dd4c55d3076754468

SHA512
d329d3c1f8524c411917e838e45c22b04097eab8feb46c40136233703726a5e81a8fcd7113776db0cc9fff70dd81c5b89ab70b7714f3a03cf9c9a8fde87be483

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

Filesize
723KB

MD5
f302d36bd8d7f3f84fe74ed6fdafaf0a

SHA1
634bf8474a6c38772190ade14a8e6a56451d3fe6

SHA256
a463d36d76190c6b4b2a21aeb1a30e1d647f70cfaa33718dd4c55d3076754468

SHA512
d329d3c1f8524c411917e838e45c22b04097eab8feb46c40136233703726a5e81a8fcd7113776db0cc9fff70dd81c5b89ab70b7714f3a03cf9c9a8fde87be483

Download Submit
C:\Users\Admin\AppData\LocalLzafYSOLLn.exe

Filesize
723KB

MD5
f302d36bd8d7f3f84fe74ed6fdafaf0a

SHA1
634bf8474a6c38772190ade14a8e6a56451d3fe6

SHA256
a463d36d76190c6b4b2a21aeb1a30e1d647f70cfaa33718dd4c55d3076754468

SHA512
d329d3c1f8524c411917e838e45c22b04097eab8feb46c40136233703726a5e81a8fcd7113776db0cc9fff70dd81c5b89ab70b7714f3a03cf9c9a8fde87be483

Download Submit
C:\Users\Admin\AppData\LocalLzafYSOLLn.exe

Filesize
723KB

MD5
f302d36bd8d7f3f84fe74ed6fdafaf0a

SHA1
634bf8474a6c38772190ade14a8e6a56451d3fe6

SHA256
a463d36d76190c6b4b2a21aeb1a30e1d647f70cfaa33718dd4c55d3076754468

SHA512
d329d3c1f8524c411917e838e45c22b04097eab8feb46c40136233703726a5e81a8fcd7113776db0cc9fff70dd81c5b89ab70b7714f3a03cf9c9a8fde87be483

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

Filesize
723KB

MD5
f302d36bd8d7f3f84fe74ed6fdafaf0a

SHA1
634bf8474a6c38772190ade14a8e6a56451d3fe6

SHA256
a463d36d76190c6b4b2a21aeb1a30e1d647f70cfaa33718dd4c55d3076754468

SHA512
d329d3c1f8524c411917e838e45c22b04097eab8feb46c40136233703726a5e81a8fcd7113776db0cc9fff70dd81c5b89ab70b7714f3a03cf9c9a8fde87be483

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

Filesize
723KB

MD5
f302d36bd8d7f3f84fe74ed6fdafaf0a

SHA1
634bf8474a6c38772190ade14a8e6a56451d3fe6

SHA256
a463d36d76190c6b4b2a21aeb1a30e1d647f70cfaa33718dd4c55d3076754468

SHA512
d329d3c1f8524c411917e838e45c22b04097eab8feb46c40136233703726a5e81a8fcd7113776db0cc9fff70dd81c5b89ab70b7714f3a03cf9c9a8fde87be483

Download Submit
memory/1292-58-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1416-54-0x000007FEF4000000-0x000007FEF4A23000-memory.dmp

Filesize
10.1MB

Download
memory/1416-55-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

Filesize
8KB

Download
memory/1416-59-0x000000001AF80000-0x000000001AF90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads