darkcomet | fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457

General

Target

fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe
Size

482KB
MD5

03c94216e10c0e05ee22c6c9202e5b50
SHA1

84fbd8c41074760c20250c39caa8ee003813a1b6
SHA256

fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457
SHA512

30e2828aecd3b16149e6728dbc9dbf2b0dc189f417182c2d4c165c12e919b1df2cfa112e62fb089a58efefa8938f65b63c36093325d6c4dbef3ce2f6b863f16b
SSDEEP

12288:sbx4fwbr8eoEFKUZVpzyq6U9UKQGqDBQf30:+5NFdvVyIqa

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

mc123server.no-ip.biz:1604

Mutex

DC_MUTEX-4W96M4L

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
rX2dkt0kRKju
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\winini.exe"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
1360	msdcsc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost.exe	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 916 set thread context of 5100	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5100	svchost.exe
Token: SeSecurityPrivilege	5100	svchost.exe
Token: SeTakeOwnershipPrivilege	5100	svchost.exe
Token: SeLoadDriverPrivilege	5100	svchost.exe
Token: SeSystemProfilePrivilege	5100	svchost.exe
Token: SeSystemtimePrivilege	5100	svchost.exe
Token: SeProfSingleProcessPrivilege	5100	svchost.exe
Token: SeIncBasePriorityPrivilege	5100	svchost.exe
Token: SeCreatePagefilePrivilege	5100	svchost.exe
Token: SeBackupPrivilege	5100	svchost.exe
Token: SeRestorePrivilege	5100	svchost.exe
Token: SeShutdownPrivilege	5100	svchost.exe
Token: SeDebugPrivilege	5100	svchost.exe
Token: SeSystemEnvironmentPrivilege	5100	svchost.exe
Token: SeChangeNotifyPrivilege	5100	svchost.exe
Token: SeRemoteShutdownPrivilege	5100	svchost.exe
Token: SeUndockPrivilege	5100	svchost.exe
Token: SeManageVolumePrivilege	5100	svchost.exe
Token: SeImpersonatePrivilege	5100	svchost.exe
Token: SeCreateGlobalPrivilege	5100	svchost.exe
Token: 33	5100	svchost.exe
Token: 34	5100	svchost.exe
Token: 35	5100	svchost.exe
Token: 36	5100	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 3776	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	79
PID 916 wrote to memory of 3776	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	79
PID 916 wrote to memory of 3776	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	79
PID 3776 wrote to memory of 1668	3776	cmd.exe	81
PID 3776 wrote to memory of 1668	3776	cmd.exe	81
PID 3776 wrote to memory of 1668	3776	cmd.exe	81
PID 916 wrote to memory of 5100	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	82
PID 916 wrote to memory of 5100	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	82
PID 916 wrote to memory of 5100	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	82
PID 916 wrote to memory of 5100	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	82
PID 916 wrote to memory of 5100	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	82
PID 916 wrote to memory of 5100	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	82
PID 916 wrote to memory of 5100	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	82
PID 916 wrote to memory of 5100	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	82
PID 916 wrote to memory of 5100	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	82
PID 916 wrote to memory of 5100	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	82
PID 916 wrote to memory of 5100	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	82
PID 916 wrote to memory of 5100	916	fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe	82
PID 5100 wrote to memory of 1360	5100	svchost.exe	83
PID 5100 wrote to memory of 1360	5100	svchost.exe	83
PID 5100 wrote to memory of 1360	5100	svchost.exe	83

C:\Users\Admin\AppData\Local\Temp\fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe
"C:\Users\Admin\AppData\Local\Temp\fb71775ac35d04fb3af796ecb2ef8a0353b05b8c749d75b9b79c9bcb74619457.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\winini.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\winini.exe"
    3⤵
    - Modifies WinLogon for persistence
    PID:1668
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
45KB

MD5
b7c999040d80e5bf87886d70d992c51e

SHA1
a8ed9a51cc14ccf99b670e60ebbc110756504929

SHA256
5c3257b277f160109071e7e716040e67657341d8c42aa68d9afafe1630fcc53e

SHA512
71ba2fbd705e51b488afe3bb33a67212cf297e97e8b1b20ada33e16956f7ec8f89a79e04a4b256fd61a442fada690aff0c807c2bdcc9165a9c7be3de725de309

Download Submit
memory/916-132-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/916-138-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/1360-140-0x0000000000000000-mapping.dmp

Download
memory/1668-134-0x0000000000000000-mapping.dmp

Download
memory/3776-133-0x0000000000000000-mapping.dmp

Download
memory/5100-135-0x0000000000000000-mapping.dmp

Download
memory/5100-136-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5100-137-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5100-139-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/5100-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads