darkcomet | daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1

Analysis

max time kernel
46s
max time network
97s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 03:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe
Size

1.2MB
MD5

2d1552fc4d7061d7ff2d0bb329f93e70
SHA1

cda6295ea30076e323b49405be0e61319d037e69
SHA256

daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1
SHA512

b544a1cdaa9ab1a30ba5f888ecdec0c4336ff7abde5b60ec0080c4ef9ed86d1902ee752f2e46fa7b6182a4ace735905ac3aa0c716ea38a1f7610736b531643b9
SSDEEP

12288:RjFPs8PRJ7xEhU4X2EV+luiIPBLX8eI+LchMP+8uQBiJSKfK5tjZAp6q8g/6PmSJ:nZrAIIMqhPZ5IZGZcUYw62mY

Score

10^/10

darkcomet zombk evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

zombk

zombk.no-ip.org:1500

127.0.0.1:1500

192.168.1.43:1500

Mutex

DC_MUTEX-DR20D9S

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
2hEkSK4e2CCs
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\msdcsc.exe"	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
1440	msdcsc.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1876	attrib.exe
1476	attrib.exe

Loads dropped DLL 2 IoCs

pid	Process
996	vbc.exe
1116	dw20.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 960 set thread context of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe
Token: SeIncreaseQuotaPrivilege	996	vbc.exe
Token: SeSecurityPrivilege	996	vbc.exe
Token: SeTakeOwnershipPrivilege	996	vbc.exe
Token: SeLoadDriverPrivilege	996	vbc.exe
Token: SeSystemProfilePrivilege	996	vbc.exe
Token: SeSystemtimePrivilege	996	vbc.exe
Token: SeProfSingleProcessPrivilege	996	vbc.exe
Token: SeIncBasePriorityPrivilege	996	vbc.exe
Token: SeCreatePagefilePrivilege	996	vbc.exe
Token: SeBackupPrivilege	996	vbc.exe
Token: SeRestorePrivilege	996	vbc.exe
Token: SeShutdownPrivilege	996	vbc.exe
Token: SeDebugPrivilege	996	vbc.exe
Token: SeSystemEnvironmentPrivilege	996	vbc.exe
Token: SeChangeNotifyPrivilege	996	vbc.exe
Token: SeRemoteShutdownPrivilege	996	vbc.exe
Token: SeUndockPrivilege	996	vbc.exe
Token: SeManageVolumePrivilege	996	vbc.exe
Token: SeImpersonatePrivilege	996	vbc.exe
Token: SeCreateGlobalPrivilege	996	vbc.exe
Token: 33	996	vbc.exe
Token: 34	996	vbc.exe
Token: 35	996	vbc.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 960 wrote to memory of 996	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	28
PID 996 wrote to memory of 1940	996	vbc.exe	29
PID 996 wrote to memory of 1940	996	vbc.exe	29
PID 996 wrote to memory of 1940	996	vbc.exe	29
PID 996 wrote to memory of 1940	996	vbc.exe	29
PID 996 wrote to memory of 1828	996	vbc.exe	30
PID 996 wrote to memory of 1828	996	vbc.exe	30
PID 996 wrote to memory of 1828	996	vbc.exe	30
PID 996 wrote to memory of 1828	996	vbc.exe	30
PID 1940 wrote to memory of 1876	1940	cmd.exe	33
PID 1940 wrote to memory of 1876	1940	cmd.exe	33
PID 1940 wrote to memory of 1876	1940	cmd.exe	33
PID 1940 wrote to memory of 1876	1940	cmd.exe	33
PID 1828 wrote to memory of 1476	1828	cmd.exe	34
PID 1828 wrote to memory of 1476	1828	cmd.exe	34
PID 1828 wrote to memory of 1476	1828	cmd.exe	34
PID 1828 wrote to memory of 1476	1828	cmd.exe	34
PID 996 wrote to memory of 1440	996	vbc.exe	35
PID 996 wrote to memory of 1440	996	vbc.exe	35
PID 996 wrote to memory of 1440	996	vbc.exe	35
PID 996 wrote to memory of 1440	996	vbc.exe	35
PID 960 wrote to memory of 1116	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	37
PID 960 wrote to memory of 1116	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	37
PID 960 wrote to memory of 1116	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	37
PID 960 wrote to memory of 1116	960	daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe	37

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1876	attrib.exe
1476	attrib.exe

C:\Users\Admin\AppData\Local\Temp\daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe
"C:\Users\Admin\AppData\Local\Temp\daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1476
- - C:\MSDCSC\msdcsc.exe
    "C:\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    PID:1440
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 944
  2⤵
  - Loads dropped DLL
  PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1.exe

Filesize
1.2MB

MD5
2d1552fc4d7061d7ff2d0bb329f93e70

SHA1
cda6295ea30076e323b49405be0e61319d037e69

SHA256
daf153c8c96b58f17b27eaa1b7940323b85ddfe059991a5ed8d57b750aaf17f1

SHA512
b544a1cdaa9ab1a30ba5f888ecdec0c4336ff7abde5b60ec0080c4ef9ed86d1902ee752f2e46fa7b6182a4ace735905ac3aa0c716ea38a1f7610736b531643b9

Download Submit
memory/960-55-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download
memory/960-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/960-71-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download
memory/996-61-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/996-70-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/996-60-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/996-58-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/996-56-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download