darkcomet | 55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Size

1.5MB
MD5

370481138474cfcf39b8224c51f6be27
SHA1

bc5e1ba878f76bf7e5e61d8c49c00b980236c70d
SHA256

55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211
SHA512

b8c9a986eeb33aa3b8d51d1e9292dc6b400b42889d5b4e5ab413bc250769c99fb9a53174d0ff3b9bafae6da337a875683c95415ed99f1957177da556407f462b
SSDEEP

24576:jiBIGkbxqEcjsWiDxguehC2SF84fSGTEmSSautCzbqbtiEBCx6jq5Yzd5uQWQoq:mCUumo2EffYSab/qbpBCQf5Bloq

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

2.tcp.ngrok.io:17588

Mutex

DC_MUTEX-WW1H6BV

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
WSfeNvq2d8Yr
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe

Executes dropped EXE 1 IoCs

pid	Process
776	msdcsc.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
976	attrib.exe
1920	attrib.exe

Loads dropped DLL 2 IoCs

pid	Process
1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
776	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeSecurityPrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeTakeOwnershipPrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeLoadDriverPrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeSystemProfilePrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeSystemtimePrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeProfSingleProcessPrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeIncBasePriorityPrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeCreatePagefilePrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeBackupPrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeRestorePrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeShutdownPrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeDebugPrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeSystemEnvironmentPrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeChangeNotifyPrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeRemoteShutdownPrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeUndockPrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeManageVolumePrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeImpersonatePrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeCreateGlobalPrivilege	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: 33	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: 34	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: 35	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
Token: SeIncreaseQuotaPrivilege	776	msdcsc.exe
Token: SeSecurityPrivilege	776	msdcsc.exe
Token: SeTakeOwnershipPrivilege	776	msdcsc.exe
Token: SeLoadDriverPrivilege	776	msdcsc.exe
Token: SeSystemProfilePrivilege	776	msdcsc.exe
Token: SeSystemtimePrivilege	776	msdcsc.exe
Token: SeProfSingleProcessPrivilege	776	msdcsc.exe
Token: SeIncBasePriorityPrivilege	776	msdcsc.exe
Token: SeCreatePagefilePrivilege	776	msdcsc.exe
Token: SeBackupPrivilege	776	msdcsc.exe
Token: SeRestorePrivilege	776	msdcsc.exe
Token: SeShutdownPrivilege	776	msdcsc.exe
Token: SeDebugPrivilege	776	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	776	msdcsc.exe
Token: SeChangeNotifyPrivilege	776	msdcsc.exe
Token: SeRemoteShutdownPrivilege	776	msdcsc.exe
Token: SeUndockPrivilege	776	msdcsc.exe
Token: SeManageVolumePrivilege	776	msdcsc.exe
Token: SeImpersonatePrivilege	776	msdcsc.exe
Token: SeCreateGlobalPrivilege	776	msdcsc.exe
Token: 33	776	msdcsc.exe
Token: 34	776	msdcsc.exe
Token: 35	776	msdcsc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
388	DllHost.exe
388	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
776	msdcsc.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2000	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe	27
PID 1884 wrote to memory of 2000	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe	27
PID 1884 wrote to memory of 2000	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe	27
PID 1884 wrote to memory of 2000	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe	27
PID 1884 wrote to memory of 1956	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe	29
PID 1884 wrote to memory of 1956	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe	29
PID 1884 wrote to memory of 1956	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe	29
PID 1884 wrote to memory of 1956	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe	29
PID 2000 wrote to memory of 1920	2000	cmd.exe	31
PID 2000 wrote to memory of 1920	2000	cmd.exe	31
PID 2000 wrote to memory of 1920	2000	cmd.exe	31
PID 2000 wrote to memory of 1920	2000	cmd.exe	31
PID 1956 wrote to memory of 976	1956	cmd.exe	32
PID 1956 wrote to memory of 976	1956	cmd.exe	32
PID 1956 wrote to memory of 976	1956	cmd.exe	32
PID 1956 wrote to memory of 976	1956	cmd.exe	32
PID 1884 wrote to memory of 776	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe	34
PID 1884 wrote to memory of 776	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe	34
PID 1884 wrote to memory of 776	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe	34
PID 1884 wrote to memory of 776	1884	55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe	34
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35
PID 776 wrote to memory of 968	776	msdcsc.exe	35

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
976	attrib.exe
1920	attrib.exe

C:\Users\Admin\AppData\Local\Temp\55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe
"C:\Users\Admin\AppData\Local\Temp\55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:976
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:968

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MUZHIK-TELEVIZOR-PROTIVOGAZ.JPG

Filesize
865KB

MD5
506559174787b83187ec34afa1f8ef71

SHA1
19bb6efcd97598be64baa9a2e708c94bbd83b4e7

SHA256
a78bca77b067ccf10ef56b4a5f0b5e88925a602a126c774d3578f5d1830f458b

SHA512
17c5926c6f8432c3661d37ac70b94d8bca268fd0c3a5caf7159dd5ea36031f71f1530c0ae856eae938fc6037c664691c8e6ad1823bc27b5b7eb87dad8ca846d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUZHIK-TELEVIZOR-PROTIVOGAZ.JPG

Filesize
865KB

MD5
506559174787b83187ec34afa1f8ef71

SHA1
19bb6efcd97598be64baa9a2e708c94bbd83b4e7

SHA256
a78bca77b067ccf10ef56b4a5f0b5e88925a602a126c774d3578f5d1830f458b

SHA512
17c5926c6f8432c3661d37ac70b94d8bca268fd0c3a5caf7159dd5ea36031f71f1530c0ae856eae938fc6037c664691c8e6ad1823bc27b5b7eb87dad8ca846d1

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.5MB

MD5
370481138474cfcf39b8224c51f6be27

SHA1
bc5e1ba878f76bf7e5e61d8c49c00b980236c70d

SHA256
55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211

SHA512
b8c9a986eeb33aa3b8d51d1e9292dc6b400b42889d5b4e5ab413bc250769c99fb9a53174d0ff3b9bafae6da337a875683c95415ed99f1957177da556407f462b

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.5MB

MD5
370481138474cfcf39b8224c51f6be27

SHA1
bc5e1ba878f76bf7e5e61d8c49c00b980236c70d

SHA256
55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211

SHA512
b8c9a986eeb33aa3b8d51d1e9292dc6b400b42889d5b4e5ab413bc250769c99fb9a53174d0ff3b9bafae6da337a875683c95415ed99f1957177da556407f462b

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.5MB

MD5
370481138474cfcf39b8224c51f6be27

SHA1
bc5e1ba878f76bf7e5e61d8c49c00b980236c70d

SHA256
55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211

SHA512
b8c9a986eeb33aa3b8d51d1e9292dc6b400b42889d5b4e5ab413bc250769c99fb9a53174d0ff3b9bafae6da337a875683c95415ed99f1957177da556407f462b

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.5MB

MD5
370481138474cfcf39b8224c51f6be27

SHA1
bc5e1ba878f76bf7e5e61d8c49c00b980236c70d

SHA256
55aa5efd9cb6da6768ea30624283f7155b19274d9e042afedc722c005e7ee211

SHA512
b8c9a986eeb33aa3b8d51d1e9292dc6b400b42889d5b4e5ab413bc250769c99fb9a53174d0ff3b9bafae6da337a875683c95415ed99f1957177da556407f462b

Download Submit
memory/776-62-0x0000000000000000-mapping.dmp

Download
memory/968-67-0x0000000000000000-mapping.dmp

Download
memory/976-58-0x0000000000000000-mapping.dmp

Download
memory/1884-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1920-57-0x0000000000000000-mapping.dmp

Download
memory/1956-56-0x0000000000000000-mapping.dmp

Download
memory/2000-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads