darkcomet | c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d

Analysis

max time kernel
150s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Size

744KB
MD5

ec9b8f4b0af5befd5558ffeb0ecc88a6
SHA1

9bb0f2e8322288ed4e2612496d7de2340dcb5173
SHA256

c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d
SHA512

6cd1a68c677ecf120c023ed274cbf12977e86a1e593021964bbae51638b8daa71ee451ab859a7ca521a29f71706892549b1db2440f5f7cf21e0ec104cb4e4137
SSDEEP

12288:z8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixW:QUKoN0bUxgGa/pfBHDb+y1HgZ

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\msdcsc.exe"	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe

Executes dropped EXE 1 IoCs

pid	Process
336	msdcsc.exe

Deletes itself 1 IoCs

pid	Process
516	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe"	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 336 set thread context of 1840	336	msdcsc.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1488	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeSecurityPrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeTakeOwnershipPrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeLoadDriverPrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeSystemProfilePrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeSystemtimePrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeProfSingleProcessPrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeIncBasePriorityPrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeCreatePagefilePrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeBackupPrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeRestorePrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeShutdownPrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeDebugPrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeSystemEnvironmentPrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeChangeNotifyPrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeRemoteShutdownPrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeUndockPrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeManageVolumePrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeImpersonatePrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeCreateGlobalPrivilege	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: 33	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: 34	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: 35	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
Token: SeIncreaseQuotaPrivilege	336	msdcsc.exe
Token: SeSecurityPrivilege	336	msdcsc.exe
Token: SeTakeOwnershipPrivilege	336	msdcsc.exe
Token: SeLoadDriverPrivilege	336	msdcsc.exe
Token: SeSystemProfilePrivilege	336	msdcsc.exe
Token: SeSystemtimePrivilege	336	msdcsc.exe
Token: SeProfSingleProcessPrivilege	336	msdcsc.exe
Token: SeIncBasePriorityPrivilege	336	msdcsc.exe
Token: SeCreatePagefilePrivilege	336	msdcsc.exe
Token: SeBackupPrivilege	336	msdcsc.exe
Token: SeRestorePrivilege	336	msdcsc.exe
Token: SeShutdownPrivilege	336	msdcsc.exe
Token: SeDebugPrivilege	336	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	336	msdcsc.exe
Token: SeChangeNotifyPrivilege	336	msdcsc.exe
Token: SeRemoteShutdownPrivilege	336	msdcsc.exe
Token: SeUndockPrivilege	336	msdcsc.exe
Token: SeManageVolumePrivilege	336	msdcsc.exe
Token: SeImpersonatePrivilege	336	msdcsc.exe
Token: SeCreateGlobalPrivilege	336	msdcsc.exe
Token: 33	336	msdcsc.exe
Token: 34	336	msdcsc.exe
Token: 35	336	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	1840	iexplore.exe
Token: SeSecurityPrivilege	1840	iexplore.exe
Token: SeTakeOwnershipPrivilege	1840	iexplore.exe
Token: SeLoadDriverPrivilege	1840	iexplore.exe
Token: SeSystemProfilePrivilege	1840	iexplore.exe
Token: SeSystemtimePrivilege	1840	iexplore.exe
Token: SeProfSingleProcessPrivilege	1840	iexplore.exe
Token: SeIncBasePriorityPrivilege	1840	iexplore.exe
Token: SeCreatePagefilePrivilege	1840	iexplore.exe
Token: SeBackupPrivilege	1840	iexplore.exe
Token: SeRestorePrivilege	1840	iexplore.exe
Token: SeShutdownPrivilege	1840	iexplore.exe
Token: SeDebugPrivilege	1840	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1840	iexplore.exe
Token: SeChangeNotifyPrivilege	1840	iexplore.exe
Token: SeRemoteShutdownPrivilege	1840	iexplore.exe
Token: SeUndockPrivilege	1840	iexplore.exe
Token: SeManageVolumePrivilege	1840	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1840	iexplore.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 516	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe	28
PID 2008 wrote to memory of 516	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe	28
PID 2008 wrote to memory of 516	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe	28
PID 2008 wrote to memory of 516	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe	28
PID 516 wrote to memory of 1488	516	cmd.exe	30
PID 516 wrote to memory of 1488	516	cmd.exe	30
PID 516 wrote to memory of 1488	516	cmd.exe	30
PID 516 wrote to memory of 1488	516	cmd.exe	30
PID 2008 wrote to memory of 336	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe	31
PID 2008 wrote to memory of 336	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe	31
PID 2008 wrote to memory of 336	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe	31
PID 2008 wrote to memory of 336	2008	c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe	31
PID 336 wrote to memory of 1840	336	msdcsc.exe	32
PID 336 wrote to memory of 1840	336	msdcsc.exe	32
PID 336 wrote to memory of 1840	336	msdcsc.exe	32
PID 336 wrote to memory of 1840	336	msdcsc.exe	32
PID 336 wrote to memory of 1840	336	msdcsc.exe	32
PID 336 wrote to memory of 1840	336	msdcsc.exe	32

C:\Users\Admin\AppData\Local\Temp\c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe
"C:\Users\Admin\AppData\Local\Temp\c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 4
    3⤵
    - Runs ping.exe
    PID:1488
- C:\MSDCSC\msdcsc.exe
  "C:\MSDCSC\msdcsc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSDCSC\msdcsc.exe

Filesize
744KB

MD5
ec9b8f4b0af5befd5558ffeb0ecc88a6

SHA1
9bb0f2e8322288ed4e2612496d7de2340dcb5173

SHA256
c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d

SHA512
6cd1a68c677ecf120c023ed274cbf12977e86a1e593021964bbae51638b8daa71ee451ab859a7ca521a29f71706892549b1db2440f5f7cf21e0ec104cb4e4137

Download Submit
C:\MSDCSC\msdcsc.exe

Filesize
744KB

MD5
ec9b8f4b0af5befd5558ffeb0ecc88a6

SHA1
9bb0f2e8322288ed4e2612496d7de2340dcb5173

SHA256
c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d

SHA512
6cd1a68c677ecf120c023ed274cbf12977e86a1e593021964bbae51638b8daa71ee451ab859a7ca521a29f71706892549b1db2440f5f7cf21e0ec104cb4e4137

Download Submit
\MSDCSC\msdcsc.exe

Filesize
744KB

MD5
ec9b8f4b0af5befd5558ffeb0ecc88a6

SHA1
9bb0f2e8322288ed4e2612496d7de2340dcb5173

SHA256
c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d

SHA512
6cd1a68c677ecf120c023ed274cbf12977e86a1e593021964bbae51638b8daa71ee451ab859a7ca521a29f71706892549b1db2440f5f7cf21e0ec104cb4e4137

Download Submit
\MSDCSC\msdcsc.exe

Filesize
744KB

MD5
ec9b8f4b0af5befd5558ffeb0ecc88a6

SHA1
9bb0f2e8322288ed4e2612496d7de2340dcb5173

SHA256
c1e70bd2045de199ae27a22d3fab35002290b8bffb938d8f17cb7a058730e57d

SHA512
6cd1a68c677ecf120c023ed274cbf12977e86a1e593021964bbae51638b8daa71ee451ab859a7ca521a29f71706892549b1db2440f5f7cf21e0ec104cb4e4137

Download Submit
memory/2008-54-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads