darkcomet | 5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 09:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80.exe
Size

789KB
MD5

3edfe9c6538b2641f1f1520a870103cf
SHA1

48655b65f93a60f2c423461babdd790521e94568
SHA256

5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80
SHA512

7ea2205c554246a16a72d5ca7e9198d9a2e9ab41f30658ebbf2936688169a9bf8b3e2ef260a92371f5c6a8af793a55e50cdd4620a0290980ef35f252d1d16031
SSDEEP

12288:0cZFvui3LIZwvmSIXCPRcJE9+Fvui3LIZwvmSIXCPRcJE9K:DyqL+1SIouJc7qL+1SIouJcK

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

dchost.zapto.org:1604

Mutex

DC_MUTEX-EBBC7HD

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
JWCbWkrm13xd
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	tmp789.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe

Executes dropped EXE 2 IoCs

pid	Process
3104	tmp789.exe
4856	msdcsc.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp789.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	tmp789.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tmp789.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4856	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3104	tmp789.exe
Token: SeSecurityPrivilege	3104	tmp789.exe
Token: SeTakeOwnershipPrivilege	3104	tmp789.exe
Token: SeLoadDriverPrivilege	3104	tmp789.exe
Token: SeSystemProfilePrivilege	3104	tmp789.exe
Token: SeSystemtimePrivilege	3104	tmp789.exe
Token: SeProfSingleProcessPrivilege	3104	tmp789.exe
Token: SeIncBasePriorityPrivilege	3104	tmp789.exe
Token: SeCreatePagefilePrivilege	3104	tmp789.exe
Token: SeBackupPrivilege	3104	tmp789.exe
Token: SeRestorePrivilege	3104	tmp789.exe
Token: SeShutdownPrivilege	3104	tmp789.exe
Token: SeDebugPrivilege	3104	tmp789.exe
Token: SeSystemEnvironmentPrivilege	3104	tmp789.exe
Token: SeChangeNotifyPrivilege	3104	tmp789.exe
Token: SeRemoteShutdownPrivilege	3104	tmp789.exe
Token: SeUndockPrivilege	3104	tmp789.exe
Token: SeManageVolumePrivilege	3104	tmp789.exe
Token: SeImpersonatePrivilege	3104	tmp789.exe
Token: SeCreateGlobalPrivilege	3104	tmp789.exe
Token: 33	3104	tmp789.exe
Token: 34	3104	tmp789.exe
Token: 35	3104	tmp789.exe
Token: 36	3104	tmp789.exe
Token: SeIncreaseQuotaPrivilege	4856	msdcsc.exe
Token: SeSecurityPrivilege	4856	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4856	msdcsc.exe
Token: SeLoadDriverPrivilege	4856	msdcsc.exe
Token: SeSystemProfilePrivilege	4856	msdcsc.exe
Token: SeSystemtimePrivilege	4856	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4856	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4856	msdcsc.exe
Token: SeCreatePagefilePrivilege	4856	msdcsc.exe
Token: SeBackupPrivilege	4856	msdcsc.exe
Token: SeRestorePrivilege	4856	msdcsc.exe
Token: SeShutdownPrivilege	4856	msdcsc.exe
Token: SeDebugPrivilege	4856	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4856	msdcsc.exe
Token: SeChangeNotifyPrivilege	4856	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4856	msdcsc.exe
Token: SeUndockPrivilege	4856	msdcsc.exe
Token: SeManageVolumePrivilege	4856	msdcsc.exe
Token: SeImpersonatePrivilege	4856	msdcsc.exe
Token: SeCreateGlobalPrivilege	4856	msdcsc.exe
Token: 33	4856	msdcsc.exe
Token: 34	4856	msdcsc.exe
Token: 35	4856	msdcsc.exe
Token: 36	4856	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4856	msdcsc.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 3104	4900	5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80.exe	81
PID 4900 wrote to memory of 3104	4900	5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80.exe	81
PID 4900 wrote to memory of 3104	4900	5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80.exe	81
PID 4900 wrote to memory of 4356	4900	5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80.exe	82
PID 4900 wrote to memory of 4356	4900	5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80.exe	82
PID 4900 wrote to memory of 4356	4900	5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80.exe	82
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 3104 wrote to memory of 3752	3104	tmp789.exe	83
PID 4900 wrote to memory of 4936	4900	5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80.exe	85
PID 4900 wrote to memory of 4936	4900	5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80.exe	85
PID 3104 wrote to memory of 4856	3104	tmp789.exe	86
PID 3104 wrote to memory of 4856	3104	tmp789.exe	86
PID 3104 wrote to memory of 4856	3104	tmp789.exe	86
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87
PID 4856 wrote to memory of 1524	4856	msdcsc.exe	87

C:\Users\Admin\AppData\Local\Temp\5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80.exe
"C:\Users\Admin\AppData\Local\Temp\5ea16455cc0a0db053deca1a3358d31bae1840d2dfbda699188a99cbf42cea80.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\tmp789.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp789.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:3752
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:1524
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp3.vbs"
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3.vbs

Filesize
355B

MD5
9b0872bf496c8cbb737433406b0ba635

SHA1
227250465958fc43303097637f71973492d1f5bb

SHA256
c19c640e6adf7395444d2f29a3b356d1d0919a584c5b3fb07483ce61093b695f

SHA512
216bfe5a8b49ff4f0d905ef0965beaae0db9832facefa85505d9bd4339116c9b1e79def78f756deacdae881654064fd05c1230ba557a60167e45134a8547086a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp789.exe

Filesize
332KB

MD5
01c3d00542eacf9ddf26a49c2b9c5e7c

SHA1
1ea0383dc7869858b2f76edc0258d0294e65b03f

SHA256
0ff83221f736ecc91f6a6c5f7ba9c5b4f54ca034436cd9447a014d4341b8c658

SHA512
d50ce010c14a1a8b48b4a817188e2b42e2c5ea06d15db67ed76662d532c2cf498f6e1c6abb1788bc95eed771c435d2cef818d532da6569710ddeb1a321f77f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp789.exe

Filesize
332KB

MD5
01c3d00542eacf9ddf26a49c2b9c5e7c

SHA1
1ea0383dc7869858b2f76edc0258d0294e65b03f

SHA256
0ff83221f736ecc91f6a6c5f7ba9c5b4f54ca034436cd9447a014d4341b8c658

SHA512
d50ce010c14a1a8b48b4a817188e2b42e2c5ea06d15db67ed76662d532c2cf498f6e1c6abb1788bc95eed771c435d2cef818d532da6569710ddeb1a321f77f29

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
332KB

MD5
01c3d00542eacf9ddf26a49c2b9c5e7c

SHA1
1ea0383dc7869858b2f76edc0258d0294e65b03f

SHA256
0ff83221f736ecc91f6a6c5f7ba9c5b4f54ca034436cd9447a014d4341b8c658

SHA512
d50ce010c14a1a8b48b4a817188e2b42e2c5ea06d15db67ed76662d532c2cf498f6e1c6abb1788bc95eed771c435d2cef818d532da6569710ddeb1a321f77f29

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
332KB

MD5
01c3d00542eacf9ddf26a49c2b9c5e7c

SHA1
1ea0383dc7869858b2f76edc0258d0294e65b03f

SHA256
0ff83221f736ecc91f6a6c5f7ba9c5b4f54ca034436cd9447a014d4341b8c658

SHA512
d50ce010c14a1a8b48b4a817188e2b42e2c5ea06d15db67ed76662d532c2cf498f6e1c6abb1788bc95eed771c435d2cef818d532da6569710ddeb1a321f77f29

Download Submit
memory/3104-138-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4856-144-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4856-145-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads