darkcomet | 820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7

General

Target

820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Size

690KB
MD5

3de246eb9d010063ce300153818e5be1
SHA1

0917adce4af364967ce71d4c9d3c206273045e83
SHA256

820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7
SHA512

f2bf5669287b2c4baad50ace30f971317dc254b713a2d516cf2049444590469c30c919bab8caf8043cf0a84d6f233cfd00ee71c14b1ba798b04a5c089ffef130
SSDEEP

12288:l9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hBB:vZ1xuVVjfFoynPaVBUR8f+kN10EBV

Score

10^/10

darkcomet hacker evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Hacker

C2

docteurkkk.sytes.net:80

docteurkkk.sytes.net:81

jpasta.servemp3.com:81

jpasta.servemp3.com:80

Mutex

DC_MUTEX-E0APM9B

Attributes

InstallPath
MSDCSC\msdsc.exe
gencode
uREkEp3UCJUZ
install
true
offline_keylogger
true
password
sqd654
persistence
true
reg_key
rundll32

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdsc.exe"	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

msdsc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdsc.exe

Executes dropped EXE 1 IoCs

Processes:

msdsc.exe

pid process

1628 msdsc.exe

pid	process
1628	msdsc.exe

Loads dropped DLL 2 IoCs

Processes:

820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe

pid	process
1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exemsdsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdsc.exe"	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdsc.exe"	msdsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msdsc.exe

pid process

1628 msdsc.exe

pid	process
1628	msdsc.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exemsdsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeSecurityPrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeTakeOwnershipPrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeLoadDriverPrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeSystemProfilePrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeSystemtimePrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeProfSingleProcessPrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeIncBasePriorityPrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeCreatePagefilePrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeBackupPrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeRestorePrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeShutdownPrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeDebugPrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeSystemEnvironmentPrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeChangeNotifyPrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeRemoteShutdownPrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeUndockPrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeManageVolumePrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeImpersonatePrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeCreateGlobalPrivilege	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: 33	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: 34	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: 35	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
Token: SeIncreaseQuotaPrivilege	1628	msdsc.exe
Token: SeSecurityPrivilege	1628	msdsc.exe
Token: SeTakeOwnershipPrivilege	1628	msdsc.exe
Token: SeLoadDriverPrivilege	1628	msdsc.exe
Token: SeSystemProfilePrivilege	1628	msdsc.exe
Token: SeSystemtimePrivilege	1628	msdsc.exe
Token: SeProfSingleProcessPrivilege	1628	msdsc.exe
Token: SeIncBasePriorityPrivilege	1628	msdsc.exe
Token: SeCreatePagefilePrivilege	1628	msdsc.exe
Token: SeBackupPrivilege	1628	msdsc.exe
Token: SeRestorePrivilege	1628	msdsc.exe
Token: SeShutdownPrivilege	1628	msdsc.exe
Token: SeDebugPrivilege	1628	msdsc.exe
Token: SeSystemEnvironmentPrivilege	1628	msdsc.exe
Token: SeChangeNotifyPrivilege	1628	msdsc.exe
Token: SeRemoteShutdownPrivilege	1628	msdsc.exe
Token: SeUndockPrivilege	1628	msdsc.exe
Token: SeManageVolumePrivilege	1628	msdsc.exe
Token: SeImpersonatePrivilege	1628	msdsc.exe
Token: SeCreateGlobalPrivilege	1628	msdsc.exe
Token: 33	1628	msdsc.exe
Token: 34	1628	msdsc.exe
Token: 35	1628	msdsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdsc.exe

pid process

1628 msdsc.exe

pid	process
1628	msdsc.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exemsdsc.exe

description	pid	process	target process
PID 1208 wrote to memory of 1628	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe	msdsc.exe
PID 1208 wrote to memory of 1628	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe	msdsc.exe
PID 1208 wrote to memory of 1628	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe	msdsc.exe
PID 1208 wrote to memory of 1628	1208	820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe	msdsc.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe
PID 1628 wrote to memory of 1404	1628	msdsc.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe
"C:\Users\Admin\AppData\Local\Temp\820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdsc.exe"
2⤵
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:1404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdsc.exe
Filesize
690KB

MD5
3de246eb9d010063ce300153818e5be1

SHA1
0917adce4af364967ce71d4c9d3c206273045e83

SHA256
820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7

SHA512
f2bf5669287b2c4baad50ace30f971317dc254b713a2d516cf2049444590469c30c919bab8caf8043cf0a84d6f233cfd00ee71c14b1ba798b04a5c089ffef130

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdsc.exe
Filesize
690KB

MD5
3de246eb9d010063ce300153818e5be1

SHA1
0917adce4af364967ce71d4c9d3c206273045e83

SHA256
820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7

SHA512
f2bf5669287b2c4baad50ace30f971317dc254b713a2d516cf2049444590469c30c919bab8caf8043cf0a84d6f233cfd00ee71c14b1ba798b04a5c089ffef130

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdsc.exe
Filesize
690KB

MD5
3de246eb9d010063ce300153818e5be1

SHA1
0917adce4af364967ce71d4c9d3c206273045e83

SHA256
820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7

SHA512
f2bf5669287b2c4baad50ace30f971317dc254b713a2d516cf2049444590469c30c919bab8caf8043cf0a84d6f233cfd00ee71c14b1ba798b04a5c089ffef130

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdsc.exe
Filesize
690KB

MD5
3de246eb9d010063ce300153818e5be1

SHA1
0917adce4af364967ce71d4c9d3c206273045e83

SHA256
820ec01001e41115ae20b367113decd3aa549652d6f0eb677ecf44519f0d70b7

SHA512
f2bf5669287b2c4baad50ace30f971317dc254b713a2d516cf2049444590469c30c919bab8caf8043cf0a84d6f233cfd00ee71c14b1ba798b04a5c089ffef130

Download Submit
memory/1208-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1404-61-0x0000000000000000-mapping.dmp

Download
memory/1628-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads