darkcomet | fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935

General

Target

fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
Size

3.0MB
MD5

6f6614d8d57607da94626df2a6f6115d
SHA1

50bcecaca1aff978d6f79b76fcf7d974cbbdce32
SHA256

fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935
SHA512

1e854ca45b7854874ef28aa84a42d31931018adb0239655b6eb37af6f32d1a55dc301fd5b378b65d2869e3831452418aae3705af0a3290979ee801b6631bb178
SSDEEP

24576:Ihqg3a11e7FXE61jqAdc9DH/73df8XoxZlYscJsLn1D4L4oSnJRxEkQq77GraUDN:IhqoRXE6GtU4hYse+n1kcMGCYVoOPA

Score

10^/10

darkcomet main evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Main

C2

leinuo2rat.no-ip.biz:1604

Mutex

DC_MUTEX-ZPESHXD

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
KlPD5oRnmTw4
install
true
offline_keylogger
true
persistence
false
reg_key
Updata

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	vbc.exe

Executes dropped EXE 2 IoCs

Processes:

Minecraft.exemsdcsc.exe

pid process

4288 Minecraft.exe
5112 msdcsc.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4260 attrib.exe
3544 attrib.exe

pid	process
4288	Minecraft.exe
5112	msdcsc.exe

pid	process
4260	attrib.exe
3544	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exefc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updata = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindosU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindosU.exe"	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe

description	ioc	process
File created	D:\autorun.inf	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
File opened for modification	D:\autorun.inf	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
File created	C:\autorun.inf	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
File opened for modification	C:\autorun.inf	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe

description pid process target process

PID 2696 set thread context of 404 2696 fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe vbc.exe

description	pid	process	target process
PID 2696 set thread context of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe

Drops file in Windows directory 2 IoCs

Processes:

attrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	404	vbc.exe
Token: SeSecurityPrivilege	404	vbc.exe
Token: SeTakeOwnershipPrivilege	404	vbc.exe
Token: SeLoadDriverPrivilege	404	vbc.exe
Token: SeSystemProfilePrivilege	404	vbc.exe
Token: SeSystemtimePrivilege	404	vbc.exe
Token: SeProfSingleProcessPrivilege	404	vbc.exe
Token: SeIncBasePriorityPrivilege	404	vbc.exe
Token: SeCreatePagefilePrivilege	404	vbc.exe
Token: SeBackupPrivilege	404	vbc.exe
Token: SeRestorePrivilege	404	vbc.exe
Token: SeShutdownPrivilege	404	vbc.exe
Token: SeDebugPrivilege	404	vbc.exe
Token: SeSystemEnvironmentPrivilege	404	vbc.exe
Token: SeChangeNotifyPrivilege	404	vbc.exe
Token: SeRemoteShutdownPrivilege	404	vbc.exe
Token: SeUndockPrivilege	404	vbc.exe
Token: SeManageVolumePrivilege	404	vbc.exe
Token: SeImpersonatePrivilege	404	vbc.exe
Token: SeCreateGlobalPrivilege	404	vbc.exe
Token: 33	404	vbc.exe
Token: 34	404	vbc.exe
Token: 35	404	vbc.exe
Token: 36	404	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exevbc.execmd.execmd.exe

description	pid	process	target process
PID 2696 wrote to memory of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe
PID 2696 wrote to memory of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe
PID 2696 wrote to memory of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe
PID 2696 wrote to memory of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe
PID 2696 wrote to memory of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe
PID 2696 wrote to memory of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe
PID 2696 wrote to memory of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe
PID 2696 wrote to memory of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe
PID 2696 wrote to memory of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe
PID 2696 wrote to memory of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe
PID 2696 wrote to memory of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe
PID 2696 wrote to memory of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe
PID 2696 wrote to memory of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe
PID 2696 wrote to memory of 404	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	vbc.exe
PID 404 wrote to memory of 3976	404	vbc.exe	cmd.exe
PID 404 wrote to memory of 3976	404	vbc.exe	cmd.exe
PID 404 wrote to memory of 3976	404	vbc.exe	cmd.exe
PID 2696 wrote to memory of 4288	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	Minecraft.exe
PID 2696 wrote to memory of 4288	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	Minecraft.exe
PID 2696 wrote to memory of 4288	2696	fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe	Minecraft.exe
PID 404 wrote to memory of 1440	404	vbc.exe	cmd.exe
PID 404 wrote to memory of 1440	404	vbc.exe	cmd.exe
PID 404 wrote to memory of 1440	404	vbc.exe	cmd.exe
PID 404 wrote to memory of 5112	404	vbc.exe	msdcsc.exe
PID 404 wrote to memory of 5112	404	vbc.exe	msdcsc.exe
PID 404 wrote to memory of 5112	404	vbc.exe	msdcsc.exe
PID 3976 wrote to memory of 3544	3976	cmd.exe	attrib.exe
PID 3976 wrote to memory of 3544	3976	cmd.exe	attrib.exe
PID 3976 wrote to memory of 3544	3976	cmd.exe	attrib.exe
PID 1440 wrote to memory of 4260	1440	cmd.exe	attrib.exe
PID 1440 wrote to memory of 4260	1440	cmd.exe	attrib.exe
PID 1440 wrote to memory of 4260	1440	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3544 attrib.exe
4260 attrib.exe

pid	process
3544	attrib.exe
4260	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe
"C:\Users\Admin\AppData\Local\Temp\fc466c67d5dc728321932882dc9440317cfb73e9c6554c3807e1ddab6b444935.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:3544

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:5112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:4260

C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft.exe"
2⤵
- Executes dropped EXE
PID:4288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Scripting

1

T1064

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

2

T1158

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
Filesize
679KB

MD5
605a171c61a0607bdcf6be80ed07cf95

SHA1
477d4391b0d84406127e43ead289a3596ac1e5e5

SHA256
09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9

SHA512
3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minecraft.exe
Filesize
679KB

MD5
605a171c61a0607bdcf6be80ed07cf95

SHA1
477d4391b0d84406127e43ead289a3596ac1e5e5

SHA256
09b78dc85713ca0f27f17d94c939cc606a59847c1f2b5cdd281b52a48cdaeab9

SHA512
3b32197d76951d0e1cd7043758af9b33be12b30c03df00a3ef36078205fa95b1582f65bdf4437a1b879a922d2950868e905bcd2227ce3816d5437556b103d338

Download Submit
memory/404-136-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/404-133-0x0000000000000000-mapping.dmp

Download
memory/404-137-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/404-145-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/404-134-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/404-135-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1440-142-0x0000000000000000-mapping.dmp

Download
memory/2696-132-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2696-149-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3544-147-0x0000000000000000-mapping.dmp

Download
memory/3976-138-0x0000000000000000-mapping.dmp

Download
memory/4260-148-0x0000000000000000-mapping.dmp

Download
memory/4288-139-0x0000000000000000-mapping.dmp

Download
memory/5112-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads