darkcomet | 78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471

General

Target

78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe
Size

911KB
MD5

4bb9134eade669f1ad497b4d022da29f
SHA1

46074e9c42e81452ba97459a73896628db5341ea
SHA256

78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471
SHA512

778851a0407fca8499d7048cfe03e7c475e6d7909e94f7ecf63e6328793b67e07da38b23d8d5a5fafdbba0e057333bbeff1dba5c1bc069c5c74cf0da34b2fa60
SSDEEP

24576:W2O/Gl+LjtXzH4UXAPMdLkRrYFJkiD16KF8KJrUt5+Cx:yjtXzH4UXPBkrYoigKF8KlSDx

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-54FS22Q

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
G2nZxP5wXrRx
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	server.exe

Drops file in Drivers directory 1 IoCs

Processes:

server.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts server.exe
Executes dropped EXE 3 IoCs

Processes:

server.exeResHacker.exemsdcsc.exe

pid process

2004 server.exe
1292 ResHacker.exe
800 msdcsc.exe
Loads dropped DLL 2 IoCs

Processes:

server.exe

pid process

2004 server.exe
2004 server.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	server.exe

pid	process
2004	server.exe
1292	ResHacker.exe
800	msdcsc.exe

pid	process
2004	server.exe
2004	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	server.exe

Drops file in Windows directory 5 IoCs

Processes:

78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe

description	ioc	process
File created	C:\Windows\server.exe	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe
File opened for modification	C:\Windows\server.exe	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_7074255	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe
File created	C:\Windows\ResHacker.exe	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe
File opened for modification	C:\Windows\ResHacker.exe	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

server.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2004	server.exe
Token: SeSecurityPrivilege	2004	server.exe
Token: SeTakeOwnershipPrivilege	2004	server.exe
Token: SeLoadDriverPrivilege	2004	server.exe
Token: SeSystemProfilePrivilege	2004	server.exe
Token: SeSystemtimePrivilege	2004	server.exe
Token: SeProfSingleProcessPrivilege	2004	server.exe
Token: SeIncBasePriorityPrivilege	2004	server.exe
Token: SeCreatePagefilePrivilege	2004	server.exe
Token: SeBackupPrivilege	2004	server.exe
Token: SeRestorePrivilege	2004	server.exe
Token: SeShutdownPrivilege	2004	server.exe
Token: SeDebugPrivilege	2004	server.exe
Token: SeSystemEnvironmentPrivilege	2004	server.exe
Token: SeChangeNotifyPrivilege	2004	server.exe
Token: SeRemoteShutdownPrivilege	2004	server.exe
Token: SeUndockPrivilege	2004	server.exe
Token: SeManageVolumePrivilege	2004	server.exe
Token: SeImpersonatePrivilege	2004	server.exe
Token: SeCreateGlobalPrivilege	2004	server.exe
Token: 33	2004	server.exe
Token: 34	2004	server.exe
Token: 35	2004	server.exe
Token: SeIncreaseQuotaPrivilege	800	msdcsc.exe
Token: SeSecurityPrivilege	800	msdcsc.exe
Token: SeTakeOwnershipPrivilege	800	msdcsc.exe
Token: SeLoadDriverPrivilege	800	msdcsc.exe
Token: SeSystemProfilePrivilege	800	msdcsc.exe
Token: SeSystemtimePrivilege	800	msdcsc.exe
Token: SeProfSingleProcessPrivilege	800	msdcsc.exe
Token: SeIncBasePriorityPrivilege	800	msdcsc.exe
Token: SeCreatePagefilePrivilege	800	msdcsc.exe
Token: SeBackupPrivilege	800	msdcsc.exe
Token: SeRestorePrivilege	800	msdcsc.exe
Token: SeShutdownPrivilege	800	msdcsc.exe
Token: SeDebugPrivilege	800	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	800	msdcsc.exe
Token: SeChangeNotifyPrivilege	800	msdcsc.exe
Token: SeRemoteShutdownPrivilege	800	msdcsc.exe
Token: SeUndockPrivilege	800	msdcsc.exe
Token: SeManageVolumePrivilege	800	msdcsc.exe
Token: SeImpersonatePrivilege	800	msdcsc.exe
Token: SeCreateGlobalPrivilege	800	msdcsc.exe
Token: 33	800	msdcsc.exe
Token: 34	800	msdcsc.exe
Token: 35	800	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

800 msdcsc.exe

pid	process
800	msdcsc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exeserver.exe

description	pid	process	target process
PID 1768 wrote to memory of 2004	1768	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe	server.exe
PID 1768 wrote to memory of 2004	1768	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe	server.exe
PID 1768 wrote to memory of 2004	1768	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe	server.exe
PID 1768 wrote to memory of 2004	1768	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe	server.exe
PID 1768 wrote to memory of 2004	1768	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe	server.exe
PID 1768 wrote to memory of 2004	1768	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe	server.exe
PID 1768 wrote to memory of 2004	1768	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe	server.exe
PID 1768 wrote to memory of 1292	1768	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe	ResHacker.exe
PID 1768 wrote to memory of 1292	1768	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe	ResHacker.exe
PID 1768 wrote to memory of 1292	1768	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe	ResHacker.exe
PID 1768 wrote to memory of 1292	1768	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe	ResHacker.exe
PID 1768 wrote to memory of 1292	1768	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe	ResHacker.exe
PID 1768 wrote to memory of 1292	1768	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe	ResHacker.exe
PID 1768 wrote to memory of 1292	1768	78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe	ResHacker.exe
PID 2004 wrote to memory of 800	2004	server.exe	msdcsc.exe
PID 2004 wrote to memory of 800	2004	server.exe	msdcsc.exe
PID 2004 wrote to memory of 800	2004	server.exe	msdcsc.exe
PID 2004 wrote to memory of 800	2004	server.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe
"C:\Users\Admin\AppData\Local\Temp\78f1d4ae12c30ca54b70aa9400f8d1d1d5d2e1e14b8ffd7959b61e50eecfc471.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\server.exe
"C:\Windows\server.exe"
2⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:800

C:\Windows\ResHacker.exe
"C:\Windows\ResHacker.exe"
2⤵
- Executes dropped EXE
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
694KB

MD5
60526be0422ff21338477a2db15e0585

SHA1
87d802a77e22ed3d7ac84ece3247fa60e55f6be5

SHA256
5e727364e0dc432f6ea5b157a9e9569cc03b3b26b2db34b070b7c7dd81df484e

SHA512
e9f72d24a640900d95243152a912881cc260e220e8c0a289a2feae956118f6d869beb697adc80aa77d1be2dcc2c2809375e420bcc33b2098df83112aa8dbfa70

Download Submit
C:\Windows\ResHacker.exe
Filesize
861KB

MD5
66064dbdb70a5eb15ebf3bf65aba254b

SHA1
0284fd320f99f62aca800fb1251eff4c31ec4ed7

SHA256
6a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795

SHA512
b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f

Download Submit
C:\Windows\server.exe
Filesize
694KB

MD5
60526be0422ff21338477a2db15e0585

SHA1
87d802a77e22ed3d7ac84ece3247fa60e55f6be5

SHA256
5e727364e0dc432f6ea5b157a9e9569cc03b3b26b2db34b070b7c7dd81df484e

SHA512
e9f72d24a640900d95243152a912881cc260e220e8c0a289a2feae956118f6d869beb697adc80aa77d1be2dcc2c2809375e420bcc33b2098df83112aa8dbfa70

Download Submit
C:\Windows\server.exe
Filesize
694KB

MD5
60526be0422ff21338477a2db15e0585

SHA1
87d802a77e22ed3d7ac84ece3247fa60e55f6be5

SHA256
5e727364e0dc432f6ea5b157a9e9569cc03b3b26b2db34b070b7c7dd81df484e

SHA512
e9f72d24a640900d95243152a912881cc260e220e8c0a289a2feae956118f6d869beb697adc80aa77d1be2dcc2c2809375e420bcc33b2098df83112aa8dbfa70

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
694KB

MD5
60526be0422ff21338477a2db15e0585

SHA1
87d802a77e22ed3d7ac84ece3247fa60e55f6be5

SHA256
5e727364e0dc432f6ea5b157a9e9569cc03b3b26b2db34b070b7c7dd81df484e

SHA512
e9f72d24a640900d95243152a912881cc260e220e8c0a289a2feae956118f6d869beb697adc80aa77d1be2dcc2c2809375e420bcc33b2098df83112aa8dbfa70

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize
694KB

MD5
60526be0422ff21338477a2db15e0585

SHA1
87d802a77e22ed3d7ac84ece3247fa60e55f6be5

SHA256
5e727364e0dc432f6ea5b157a9e9569cc03b3b26b2db34b070b7c7dd81df484e

SHA512
e9f72d24a640900d95243152a912881cc260e220e8c0a289a2feae956118f6d869beb697adc80aa77d1be2dcc2c2809375e420bcc33b2098df83112aa8dbfa70

Download Submit
memory/800-64-0x0000000000000000-mapping.dmp

Download
memory/1292-58-0x0000000000000000-mapping.dmp

Download
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/2004-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads