darkcomet | c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f

Analysis

max time kernel
165s
max time network
166s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Size

1.3MB
MD5

826524e401929fbfd99e5673645409ba
SHA1

eccefa5723029b948cbdd2b3a73043d698225c58
SHA256

c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f
SHA512

3245f5901b8c0f26af74c81323ab9e7eb5796370292c4434b73a55a69acff8a93b6486703271bbfeb14e5efdda6173c4371fab81ef5890bd11c9bae4bef66e77
SSDEEP

24576:LSQR4/RS1aLniNRAGmhXpZLB082X2osKR8vzQfP1qCdRAR90D3c0HbWal5ho5tP/:+QR4JSgLn+iJ28Kr/6QfP1/AR90jHbbS

Score

10^/10

darkcomet evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe

Executes dropped EXE 1 IoCs

pid	Process
1720	msdcsc.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
640	attrib.exe
1360	attrib.exe

Deletes itself 1 IoCs

pid	Process
636	notepad.exe

Loads dropped DLL 2 IoCs

pid	Process
960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Î¢ÐÍ¸üÐÂ = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Î¢ÐÍ¸üÐÂ = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
1720	msdcsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1720	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeSecurityPrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeTakeOwnershipPrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeLoadDriverPrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeSystemProfilePrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeSystemtimePrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeProfSingleProcessPrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeIncBasePriorityPrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeCreatePagefilePrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeBackupPrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeRestorePrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeShutdownPrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeDebugPrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeSystemEnvironmentPrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeChangeNotifyPrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeRemoteShutdownPrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeUndockPrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeManageVolumePrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeImpersonatePrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeCreateGlobalPrivilege	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: 33	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: 34	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: 35	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
Token: SeIncreaseQuotaPrivilege	1720	msdcsc.exe
Token: SeSecurityPrivilege	1720	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1720	msdcsc.exe
Token: SeLoadDriverPrivilege	1720	msdcsc.exe
Token: SeSystemProfilePrivilege	1720	msdcsc.exe
Token: SeSystemtimePrivilege	1720	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1720	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1720	msdcsc.exe
Token: SeCreatePagefilePrivilege	1720	msdcsc.exe
Token: SeBackupPrivilege	1720	msdcsc.exe
Token: SeRestorePrivilege	1720	msdcsc.exe
Token: SeShutdownPrivilege	1720	msdcsc.exe
Token: SeDebugPrivilege	1720	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1720	msdcsc.exe
Token: SeChangeNotifyPrivilege	1720	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1720	msdcsc.exe
Token: SeUndockPrivilege	1720	msdcsc.exe
Token: SeManageVolumePrivilege	1720	msdcsc.exe
Token: SeImpersonatePrivilege	1720	msdcsc.exe
Token: SeCreateGlobalPrivilege	1720	msdcsc.exe
Token: 33	1720	msdcsc.exe
Token: 34	1720	msdcsc.exe
Token: 35	1720	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1720	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 892	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	28
PID 960 wrote to memory of 892	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	28
PID 960 wrote to memory of 892	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	28
PID 960 wrote to memory of 892	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	28
PID 960 wrote to memory of 592	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	30
PID 960 wrote to memory of 592	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	30
PID 960 wrote to memory of 592	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	30
PID 960 wrote to memory of 592	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	30
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 960 wrote to memory of 636	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	31
PID 892 wrote to memory of 640	892	cmd.exe	33
PID 892 wrote to memory of 640	892	cmd.exe	33
PID 892 wrote to memory of 640	892	cmd.exe	33
PID 892 wrote to memory of 640	892	cmd.exe	33
PID 592 wrote to memory of 1360	592	cmd.exe	34
PID 592 wrote to memory of 1360	592	cmd.exe	34
PID 592 wrote to memory of 1360	592	cmd.exe	34
PID 592 wrote to memory of 1360	592	cmd.exe	34
PID 960 wrote to memory of 1720	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	35
PID 960 wrote to memory of 1720	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	35
PID 960 wrote to memory of 1720	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	35
PID 960 wrote to memory of 1720	960	c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe	35
PID 1720 wrote to memory of 1448	1720	msdcsc.exe	36
PID 1720 wrote to memory of 1448	1720	msdcsc.exe	36
PID 1720 wrote to memory of 1448	1720	msdcsc.exe	36
PID 1720 wrote to memory of 1448	1720	msdcsc.exe	36
PID 1720 wrote to memory of 1972	1720	msdcsc.exe	37
PID 1720 wrote to memory of 1972	1720	msdcsc.exe	37
PID 1720 wrote to memory of 1972	1720	msdcsc.exe	37
PID 1720 wrote to memory of 1972	1720	msdcsc.exe	37
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38
PID 1720 wrote to memory of 1076	1720	msdcsc.exe	38

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
640	attrib.exe
1360	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe
"C:\Users\Admin\AppData\Local\Temp\c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1360
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  PID:636
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    PID:1448
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.3MB

MD5
826524e401929fbfd99e5673645409ba

SHA1
eccefa5723029b948cbdd2b3a73043d698225c58

SHA256
c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f

SHA512
3245f5901b8c0f26af74c81323ab9e7eb5796370292c4434b73a55a69acff8a93b6486703271bbfeb14e5efdda6173c4371fab81ef5890bd11c9bae4bef66e77

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.3MB

MD5
826524e401929fbfd99e5673645409ba

SHA1
eccefa5723029b948cbdd2b3a73043d698225c58

SHA256
c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f

SHA512
3245f5901b8c0f26af74c81323ab9e7eb5796370292c4434b73a55a69acff8a93b6486703271bbfeb14e5efdda6173c4371fab81ef5890bd11c9bae4bef66e77

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.3MB

MD5
826524e401929fbfd99e5673645409ba

SHA1
eccefa5723029b948cbdd2b3a73043d698225c58

SHA256
c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f

SHA512
3245f5901b8c0f26af74c81323ab9e7eb5796370292c4434b73a55a69acff8a93b6486703271bbfeb14e5efdda6173c4371fab81ef5890bd11c9bae4bef66e77

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.3MB

MD5
826524e401929fbfd99e5673645409ba

SHA1
eccefa5723029b948cbdd2b3a73043d698225c58

SHA256
c8be4bba9389e78ff09045395e9525199b10b7793f5403f818e2657c95dbf44f

SHA512
3245f5901b8c0f26af74c81323ab9e7eb5796370292c4434b73a55a69acff8a93b6486703271bbfeb14e5efdda6173c4371fab81ef5890bd11c9bae4bef66e77

Download Submit
memory/960-74-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/960-72-0x0000000005040000-0x000000000532F000-memory.dmp

Filesize
2.9MB

Download
memory/960-55-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/960-56-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/960-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1720-69-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/1720-73-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/1720-75-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download