darkcomet | c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74

General

Target

c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Size

690KB
MD5

867fdf47b1f21ee81d355a155d82944c
SHA1

b20b41787ff9663c28f77e2ed80a81e0288ff682
SHA256

c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74
SHA512

de44f8b7c25133045c84557c9fd375a272342029b83de3e8c2f879599355c0e6086b326fcb5817cfb94a37ec81057c4d7ece73df0b3f76b9a32b9a40f66a92bf
SSDEEP

12288:Z9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hML:jZ1xuVVjfFoynPaVBUR8f+kN10EBs

Score

10^/10

darkcomet 2 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

2

C2

simstest123.no-ip.org:1604

Mutex

DC_MUTEX-CWSWDQX

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
mvzAYJj1V4Wx
install
true
offline_keylogger
true
persistence
true
reg_key
serives1f

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

1728 msdcsc.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1092 notepad.exe

pid	process
1728	msdcsc.exe

pid	process
1092	notepad.exe

Loads dropped DLL 2 IoCs

Processes:

c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe

pid	process
908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\serives1f = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\serives1f = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeSecurityPrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeTakeOwnershipPrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeLoadDriverPrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeSystemProfilePrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeSystemtimePrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeProfSingleProcessPrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeIncBasePriorityPrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeCreatePagefilePrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeBackupPrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeRestorePrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeShutdownPrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeDebugPrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeSystemEnvironmentPrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeChangeNotifyPrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeRemoteShutdownPrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeUndockPrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeManageVolumePrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeImpersonatePrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeCreateGlobalPrivilege	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: 33	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: 34	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: 35	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeIncreaseQuotaPrivilege	1728	msdcsc.exe
Token: SeSecurityPrivilege	1728	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1728	msdcsc.exe
Token: SeLoadDriverPrivilege	1728	msdcsc.exe
Token: SeSystemProfilePrivilege	1728	msdcsc.exe
Token: SeSystemtimePrivilege	1728	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1728	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1728	msdcsc.exe
Token: SeCreatePagefilePrivilege	1728	msdcsc.exe
Token: SeBackupPrivilege	1728	msdcsc.exe
Token: SeRestorePrivilege	1728	msdcsc.exe
Token: SeShutdownPrivilege	1728	msdcsc.exe
Token: SeDebugPrivilege	1728	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1728	msdcsc.exe
Token: SeChangeNotifyPrivilege	1728	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1728	msdcsc.exe
Token: SeUndockPrivilege	1728	msdcsc.exe
Token: SeManageVolumePrivilege	1728	msdcsc.exe
Token: SeImpersonatePrivilege	1728	msdcsc.exe
Token: SeCreateGlobalPrivilege	1728	msdcsc.exe
Token: 33	1728	msdcsc.exe
Token: 34	1728	msdcsc.exe
Token: 35	1728	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

1728 msdcsc.exe

pid	process
1728	msdcsc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe

description	pid	process	target process
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1092	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 908 wrote to memory of 1728	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	msdcsc.exe
PID 908 wrote to memory of 1728	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	msdcsc.exe
PID 908 wrote to memory of 1728	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	msdcsc.exe
PID 908 wrote to memory of 1728	908	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
"C:\Users\Admin\AppData\Local\Temp\c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Deletes itself
PID:1092

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
Filesize
690KB

MD5
867fdf47b1f21ee81d355a155d82944c

SHA1
b20b41787ff9663c28f77e2ed80a81e0288ff682

SHA256
c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74

SHA512
de44f8b7c25133045c84557c9fd375a272342029b83de3e8c2f879599355c0e6086b326fcb5817cfb94a37ec81057c4d7ece73df0b3f76b9a32b9a40f66a92bf

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
Filesize
690KB

MD5
867fdf47b1f21ee81d355a155d82944c

SHA1
b20b41787ff9663c28f77e2ed80a81e0288ff682

SHA256
c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74

SHA512
de44f8b7c25133045c84557c9fd375a272342029b83de3e8c2f879599355c0e6086b326fcb5817cfb94a37ec81057c4d7ece73df0b3f76b9a32b9a40f66a92bf

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
Filesize
690KB

MD5
867fdf47b1f21ee81d355a155d82944c

SHA1
b20b41787ff9663c28f77e2ed80a81e0288ff682

SHA256
c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74

SHA512
de44f8b7c25133045c84557c9fd375a272342029b83de3e8c2f879599355c0e6086b326fcb5817cfb94a37ec81057c4d7ece73df0b3f76b9a32b9a40f66a92bf

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
Filesize
690KB

MD5
867fdf47b1f21ee81d355a155d82944c

SHA1
b20b41787ff9663c28f77e2ed80a81e0288ff682

SHA256
c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74

SHA512
de44f8b7c25133045c84557c9fd375a272342029b83de3e8c2f879599355c0e6086b326fcb5817cfb94a37ec81057c4d7ece73df0b3f76b9a32b9a40f66a92bf

Download Submit
memory/908-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1092-55-0x0000000000000000-mapping.dmp

Download
memory/1728-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads