darkcomet | 5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7

Analysis

max time kernel
162s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 04:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe
Size

1.6MB
MD5

322a39f09544686e5f3f8404c8a94bd3
SHA1

bd1fa7f10ac4467c88dd6758bec9e9e8ca667db0
SHA256

5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7
SHA512

ffc99dfb3a57e78963f3bae03f1f9d3ef0d701468e00f6b32945d9edce89a6274170c6c8af8673aed7127c0ece1a649fc55a012a8f36cb3704438a2385b8ec9f
SSDEEP

24576:s5EXudrr8uAFOS7j+7IFNO8OtOx0VKvgz0zsTgy9we3hxfa7P+Z8T5ALjXWfXMGF:vXue0yjf8faz+25Xs4GnS

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe

Executes dropped EXE 2 IoCs

pid	Process
4580	msdcsc.exe
3896	msdcsc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Install = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Install = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4160 set thread context of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4580 set thread context of 4500	4580	msdcsc.exe	90

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1544	vbc.exe
Token: SeSecurityPrivilege	1544	vbc.exe
Token: SeTakeOwnershipPrivilege	1544	vbc.exe
Token: SeLoadDriverPrivilege	1544	vbc.exe
Token: SeSystemProfilePrivilege	1544	vbc.exe
Token: SeSystemtimePrivilege	1544	vbc.exe
Token: SeProfSingleProcessPrivilege	1544	vbc.exe
Token: SeIncBasePriorityPrivilege	1544	vbc.exe
Token: SeCreatePagefilePrivilege	1544	vbc.exe
Token: SeBackupPrivilege	1544	vbc.exe
Token: SeRestorePrivilege	1544	vbc.exe
Token: SeShutdownPrivilege	1544	vbc.exe
Token: SeDebugPrivilege	1544	vbc.exe
Token: SeSystemEnvironmentPrivilege	1544	vbc.exe
Token: SeChangeNotifyPrivilege	1544	vbc.exe
Token: SeRemoteShutdownPrivilege	1544	vbc.exe
Token: SeUndockPrivilege	1544	vbc.exe
Token: SeManageVolumePrivilege	1544	vbc.exe
Token: SeImpersonatePrivilege	1544	vbc.exe
Token: SeCreateGlobalPrivilege	1544	vbc.exe
Token: 33	1544	vbc.exe
Token: 34	1544	vbc.exe
Token: 35	1544	vbc.exe
Token: 36	1544	vbc.exe
Token: SeIncreaseQuotaPrivilege	4500	vbc.exe
Token: SeSecurityPrivilege	4500	vbc.exe
Token: SeTakeOwnershipPrivilege	4500	vbc.exe
Token: SeLoadDriverPrivilege	4500	vbc.exe
Token: SeSystemProfilePrivilege	4500	vbc.exe
Token: SeSystemtimePrivilege	4500	vbc.exe
Token: SeProfSingleProcessPrivilege	4500	vbc.exe
Token: SeIncBasePriorityPrivilege	4500	vbc.exe
Token: SeCreatePagefilePrivilege	4500	vbc.exe
Token: SeBackupPrivilege	4500	vbc.exe
Token: SeRestorePrivilege	4500	vbc.exe
Token: SeShutdownPrivilege	4500	vbc.exe
Token: SeDebugPrivilege	4500	vbc.exe
Token: SeSystemEnvironmentPrivilege	4500	vbc.exe
Token: SeChangeNotifyPrivilege	4500	vbc.exe
Token: SeRemoteShutdownPrivilege	4500	vbc.exe
Token: SeUndockPrivilege	4500	vbc.exe
Token: SeManageVolumePrivilege	4500	vbc.exe
Token: SeImpersonatePrivilege	4500	vbc.exe
Token: SeCreateGlobalPrivilege	4500	vbc.exe
Token: 33	4500	vbc.exe
Token: 34	4500	vbc.exe
Token: 35	4500	vbc.exe
Token: 36	4500	vbc.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 4160 wrote to memory of 1544	4160	5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe	86
PID 1544 wrote to memory of 4580	1544	vbc.exe	89
PID 1544 wrote to memory of 4580	1544	vbc.exe	89
PID 1544 wrote to memory of 4580	1544	vbc.exe	89
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4580 wrote to memory of 4500	4580	msdcsc.exe	90
PID 4500 wrote to memory of 3896	4500	vbc.exe	91
PID 4500 wrote to memory of 3896	4500	vbc.exe	91
PID 4500 wrote to memory of 3896	4500	vbc.exe	91

C:\Users\Admin\AppData\Local\Temp\5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe
"C:\Users\Admin\AppData\Local\Temp\5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      Modifies WinLogon for persistence
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        5⤵
        Executes dropped EXE
        
        PID:3896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\340X.JPG

Filesize
33KB

MD5
3b0c2fe807623fdd9c0fe1f505a88a82

SHA1
1612e0c3aa3ef46a21cce793cc84beac68a49a70

SHA256
741ea7e5bc292333841d8b3730ddd47cbb42e2f4eec5fc73137a72e0ed56b31a

SHA512
bd058103eb0f121a99757fe61253e766570ccc9418f7b85ac8e986b450f488f96d5b0af14a796c0891d11a2a1022ad4ba1f9857885fea14a4ea03be0bf2fff22

Download Submit
C:\Users\Admin\AppData\Local\Tempmaghachs

Filesize
102B

MD5
ef97c9e9e7cabc39e1a53e63809497ab

SHA1
d27fce206b3d724b3b3ead4fb2bec40ad1f294f5

SHA256
b11745e45d02626cffc32c4441594e22bde3081045570eb7466d82231495526c

SHA512
b9bb11123f39353561f3bb05c38dba1621e256451ac13f17d531f41101c802c26d2692867ec2e097061c4874bcddf1af785868bd7a666e850395f3e6b7c9491b

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.6MB

MD5
322a39f09544686e5f3f8404c8a94bd3

SHA1
bd1fa7f10ac4467c88dd6758bec9e9e8ca667db0

SHA256
5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7

SHA512
ffc99dfb3a57e78963f3bae03f1f9d3ef0d701468e00f6b32945d9edce89a6274170c6c8af8673aed7127c0ece1a649fc55a012a8f36cb3704438a2385b8ec9f

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.6MB

MD5
322a39f09544686e5f3f8404c8a94bd3

SHA1
bd1fa7f10ac4467c88dd6758bec9e9e8ca667db0

SHA256
5b2db86d7ced460a79ddc1668b5135459a03fb60416dfd6c134fec9a570853f7

SHA512
ffc99dfb3a57e78963f3bae03f1f9d3ef0d701468e00f6b32945d9edce89a6274170c6c8af8673aed7127c0ece1a649fc55a012a8f36cb3704438a2385b8ec9f

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1544-138-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1544-139-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1544-135-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1544-134-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1544-136-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4160-137-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/4160-132-0x0000000074CE0000-0x0000000075291000-memory.dmp

Filesize
5.7MB

Download
memory/4500-150-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4500-147-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4500-153-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4580-148-0x0000000073DF0000-0x00000000743A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads