darkcomet | c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74

General

Target

c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Size

690KB
MD5

867fdf47b1f21ee81d355a155d82944c
SHA1

b20b41787ff9663c28f77e2ed80a81e0288ff682
SHA256

c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74
SHA512

de44f8b7c25133045c84557c9fd375a272342029b83de3e8c2f879599355c0e6086b326fcb5817cfb94a37ec81057c4d7ece73df0b3f76b9a32b9a40f66a92bf
SSDEEP

12288:Z9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hML:jZ1xuVVjfFoynPaVBUR8f+kN10EBs

Score

10^/10

darkcomet 2 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

2

C2

simstest123.no-ip.org:1604

Mutex

DC_MUTEX-CWSWDQX

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
mvzAYJj1V4Wx
install
true
offline_keylogger
true
persistence
true
reg_key
serives1f

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

3436 msdcsc.exe

pid	process
3436	msdcsc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\serives1f = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\serives1f = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeSecurityPrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeTakeOwnershipPrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeLoadDriverPrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeSystemProfilePrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeSystemtimePrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeProfSingleProcessPrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeIncBasePriorityPrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeCreatePagefilePrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeBackupPrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeRestorePrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeShutdownPrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeDebugPrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeSystemEnvironmentPrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeChangeNotifyPrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeRemoteShutdownPrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeUndockPrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeManageVolumePrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeImpersonatePrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeCreateGlobalPrivilege	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: 33	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: 34	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: 35	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: 36	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
Token: SeIncreaseQuotaPrivilege	3436	msdcsc.exe
Token: SeSecurityPrivilege	3436	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3436	msdcsc.exe
Token: SeLoadDriverPrivilege	3436	msdcsc.exe
Token: SeSystemProfilePrivilege	3436	msdcsc.exe
Token: SeSystemtimePrivilege	3436	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3436	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3436	msdcsc.exe
Token: SeCreatePagefilePrivilege	3436	msdcsc.exe
Token: SeBackupPrivilege	3436	msdcsc.exe
Token: SeRestorePrivilege	3436	msdcsc.exe
Token: SeShutdownPrivilege	3436	msdcsc.exe
Token: SeDebugPrivilege	3436	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3436	msdcsc.exe
Token: SeChangeNotifyPrivilege	3436	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3436	msdcsc.exe
Token: SeUndockPrivilege	3436	msdcsc.exe
Token: SeManageVolumePrivilege	3436	msdcsc.exe
Token: SeImpersonatePrivilege	3436	msdcsc.exe
Token: SeCreateGlobalPrivilege	3436	msdcsc.exe
Token: 33	3436	msdcsc.exe
Token: 34	3436	msdcsc.exe
Token: 35	3436	msdcsc.exe
Token: 36	3436	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

3436 msdcsc.exe

pid	process
3436	msdcsc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe

description	pid	process	target process
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3756	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	notepad.exe
PID 4776 wrote to memory of 3436	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	msdcsc.exe
PID 4776 wrote to memory of 3436	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	msdcsc.exe
PID 4776 wrote to memory of 3436	4776	c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe
"C:\Users\Admin\AppData\Local\Temp\c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
PID:3756

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
Filesize
690KB

MD5
867fdf47b1f21ee81d355a155d82944c

SHA1
b20b41787ff9663c28f77e2ed80a81e0288ff682

SHA256
c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74

SHA512
de44f8b7c25133045c84557c9fd375a272342029b83de3e8c2f879599355c0e6086b326fcb5817cfb94a37ec81057c4d7ece73df0b3f76b9a32b9a40f66a92bf

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
Filesize
690KB

MD5
867fdf47b1f21ee81d355a155d82944c

SHA1
b20b41787ff9663c28f77e2ed80a81e0288ff682

SHA256
c5be3c9e53ef194830f4e848edc65151b489c0b36ff87d4436ce2659e6268f74

SHA512
de44f8b7c25133045c84557c9fd375a272342029b83de3e8c2f879599355c0e6086b326fcb5817cfb94a37ec81057c4d7ece73df0b3f76b9a32b9a40f66a92bf

Download Submit
memory/3436-133-0x0000000000000000-mapping.dmp

Download
memory/3756-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads