darkcomet | c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e

General

Target

c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe
Size

1.7MB
MD5

49d1338dd124baf0102b62040d11fbad
SHA1

e06d262b039ddbc61e89787b28224aa2bf64770b
SHA256

c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e
SHA512

4bd2740e630f013d53c63f13eb34083d4892c73aa78e72d36bd0273ba8134a6eebc8b9949aaa03685f199177053254b4271a2a0be662db1b5dd43259b5e19440
SSDEEP

24576:Ooad3G11e7FXE61jqAdc9DH/73df8XoxZlYscJsLn1D4L4oSnJRB:OoaRlXE6GtU4hYse+n1kcr

Score

10^/10

darkcomet main evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Main

C2

leinuo2rat.no-ip.biz:1604

Mutex

DC_MUTEX-ZPESHXD

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
KlPD5oRnmTw4
install
true
offline_keylogger
true
persistence
false
reg_key
Updata

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	vbc.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

856 msdcsc.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4196 attrib.exe
4840 attrib.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
856	msdcsc.exe

pid	process
4196	attrib.exe
4840	attrib.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindosU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindosU.exe"	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updata = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe

description pid process target process

PID 704 set thread context of 4928 704 c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe vbc.exe

description	pid	process	target process
PID 704 set thread context of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe

Drops file in Windows directory 2 IoCs

Processes:

attrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4928	vbc.exe
Token: SeSecurityPrivilege	4928	vbc.exe
Token: SeTakeOwnershipPrivilege	4928	vbc.exe
Token: SeLoadDriverPrivilege	4928	vbc.exe
Token: SeSystemProfilePrivilege	4928	vbc.exe
Token: SeSystemtimePrivilege	4928	vbc.exe
Token: SeProfSingleProcessPrivilege	4928	vbc.exe
Token: SeIncBasePriorityPrivilege	4928	vbc.exe
Token: SeCreatePagefilePrivilege	4928	vbc.exe
Token: SeBackupPrivilege	4928	vbc.exe
Token: SeRestorePrivilege	4928	vbc.exe
Token: SeShutdownPrivilege	4928	vbc.exe
Token: SeDebugPrivilege	4928	vbc.exe
Token: SeSystemEnvironmentPrivilege	4928	vbc.exe
Token: SeChangeNotifyPrivilege	4928	vbc.exe
Token: SeRemoteShutdownPrivilege	4928	vbc.exe
Token: SeUndockPrivilege	4928	vbc.exe
Token: SeManageVolumePrivilege	4928	vbc.exe
Token: SeImpersonatePrivilege	4928	vbc.exe
Token: SeCreateGlobalPrivilege	4928	vbc.exe
Token: 33	4928	vbc.exe
Token: 34	4928	vbc.exe
Token: 35	4928	vbc.exe
Token: 36	4928	vbc.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exevbc.execmd.execmd.exe

description	pid	process	target process
PID 704 wrote to memory of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe
PID 704 wrote to memory of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe
PID 704 wrote to memory of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe
PID 704 wrote to memory of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe
PID 704 wrote to memory of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe
PID 704 wrote to memory of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe
PID 704 wrote to memory of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe
PID 704 wrote to memory of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe
PID 704 wrote to memory of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe
PID 704 wrote to memory of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe
PID 704 wrote to memory of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe
PID 704 wrote to memory of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe
PID 704 wrote to memory of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe
PID 704 wrote to memory of 4928	704	c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe	vbc.exe
PID 4928 wrote to memory of 2312	4928	vbc.exe	cmd.exe
PID 4928 wrote to memory of 2312	4928	vbc.exe	cmd.exe
PID 4928 wrote to memory of 2312	4928	vbc.exe	cmd.exe
PID 4928 wrote to memory of 3520	4928	vbc.exe	cmd.exe
PID 4928 wrote to memory of 3520	4928	vbc.exe	cmd.exe
PID 4928 wrote to memory of 3520	4928	vbc.exe	cmd.exe
PID 4928 wrote to memory of 856	4928	vbc.exe	msdcsc.exe
PID 4928 wrote to memory of 856	4928	vbc.exe	msdcsc.exe
PID 4928 wrote to memory of 856	4928	vbc.exe	msdcsc.exe
PID 2312 wrote to memory of 4840	2312	cmd.exe	attrib.exe
PID 2312 wrote to memory of 4840	2312	cmd.exe	attrib.exe
PID 2312 wrote to memory of 4840	2312	cmd.exe	attrib.exe
PID 3520 wrote to memory of 4196	3520	cmd.exe	attrib.exe
PID 3520 wrote to memory of 4196	3520	cmd.exe	attrib.exe
PID 3520 wrote to memory of 4196	3520	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4840 attrib.exe
4196 attrib.exe

pid	process
4840	attrib.exe
4196	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe
"C:\Users\Admin\AppData\Local\Temp\c2eec1701284699343ae2acb7a659b19f9275ab1742d7f5da526a5ef37f15c2e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:4840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:4196

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

2

T1158

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/704-133-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/704-132-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/856-141-0x0000000000000000-mapping.dmp

Download
memory/2312-139-0x0000000000000000-mapping.dmp

Download
memory/3520-140-0x0000000000000000-mapping.dmp

Download
memory/4196-145-0x0000000000000000-mapping.dmp

Download
memory/4840-143-0x0000000000000000-mapping.dmp

Download
memory/4928-135-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4928-138-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4928-144-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4928-137-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4928-136-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4928-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads