darkcomet | d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420

General

Target

d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe
Size

498KB
MD5

1bddf9a06684a1cf0d88dacdf407fc20
SHA1

a6d1769c6e15a82434913476dac42d90a3ae3b43
SHA256

d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420
SHA512

5b02a92e8e67b5e74f0ba7838b708cfd3cebc8e754345351d5bfaf68e44a6b4498cef6461358355f25d42e4f75fb40b6bc59cd368f0945af5145b1986f52dd21
SSDEEP

12288:ch5C8uBkFzIkjFNT9RA73gTSZv7xbVxCfk7Kl0ywos:GiZkx996LM+7Z4WKl0yx

Score

10^/10

darkcomet 313 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

313

C2

samantha.servebeer.com:1604

Mutex

DC_MUTEX-61Q6CYX

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
cbF34c47laEA
install
true
offline_keylogger
false
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	vbc.exe

Executes dropped EXE 2 IoCs

pid	Process
1532	vbc.exe
5060	msdcsc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4948 set thread context of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe
Token: SeIncreaseQuotaPrivilege	1532	vbc.exe
Token: SeSecurityPrivilege	1532	vbc.exe
Token: SeTakeOwnershipPrivilege	1532	vbc.exe
Token: SeLoadDriverPrivilege	1532	vbc.exe
Token: SeSystemProfilePrivilege	1532	vbc.exe
Token: SeSystemtimePrivilege	1532	vbc.exe
Token: SeProfSingleProcessPrivilege	1532	vbc.exe
Token: SeIncBasePriorityPrivilege	1532	vbc.exe
Token: SeCreatePagefilePrivilege	1532	vbc.exe
Token: SeBackupPrivilege	1532	vbc.exe
Token: SeRestorePrivilege	1532	vbc.exe
Token: SeShutdownPrivilege	1532	vbc.exe
Token: SeDebugPrivilege	1532	vbc.exe
Token: SeSystemEnvironmentPrivilege	1532	vbc.exe
Token: SeChangeNotifyPrivilege	1532	vbc.exe
Token: SeRemoteShutdownPrivilege	1532	vbc.exe
Token: SeUndockPrivilege	1532	vbc.exe
Token: SeManageVolumePrivilege	1532	vbc.exe
Token: SeImpersonatePrivilege	1532	vbc.exe
Token: SeCreateGlobalPrivilege	1532	vbc.exe
Token: 33	1532	vbc.exe
Token: 34	1532	vbc.exe
Token: 35	1532	vbc.exe
Token: 36	1532	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81
PID 4948 wrote to memory of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81
PID 4948 wrote to memory of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81
PID 4948 wrote to memory of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81
PID 4948 wrote to memory of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81
PID 4948 wrote to memory of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81
PID 4948 wrote to memory of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81
PID 4948 wrote to memory of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81
PID 4948 wrote to memory of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81
PID 4948 wrote to memory of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81
PID 4948 wrote to memory of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81
PID 4948 wrote to memory of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81
PID 4948 wrote to memory of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81
PID 4948 wrote to memory of 1532	4948	d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe	81
PID 1532 wrote to memory of 5060	1532	vbc.exe	82
PID 1532 wrote to memory of 5060	1532	vbc.exe	82
PID 1532 wrote to memory of 5060	1532	vbc.exe	82

C:\Users\Admin\AppData\Local\Temp\d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe
"C:\Users\Admin\AppData\Local\Temp\d2c2064eb6a9cd1bfb734e2f97ecb73ac5331a43988d0408e0aec167c39fb420.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\temp_PoAnPhnKPG\vbc.exe
  "C:\Users\Admin\AppData\Local\Temp\temp_PoAnPhnKPG\vbc.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
    "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    PID:5060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_PoAnPhnKPG\vbc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp_PoAnPhnKPG\vbc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1532-142-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1532-137-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1532-139-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1532-141-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1532-134-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/1532-146-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4948-138-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download
memory/4948-132-0x0000000074940000-0x0000000074EF1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads