darkcomet | b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e

General

Target

b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe
Size

752KB
MD5

7ae82a0eb34716b9157d187dc6fc92b0
SHA1

37355e07e919c4f11e8891328ae6a33f5a9e1c98
SHA256

b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e
SHA512

8f5eac8d5169cf3b292408a9eea4e73c87b37cb10132ec98e3b29db71936f85c3932e4b9b2a9ab7a9750172a64c59351854262b39b3878f9664cd0ebc6e92a9d
SSDEEP

12288:o977/I/+E7vLImA7AEiEbii6d3lDXAwmptdyETbb6K3cTRhwk:oFnXiEyJlDXpQyYiKs

Score

10^/10

darkcomet dc evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

DC

C2

silentr0ck.no-ip.org:200

Mutex

DC_MUTEX-GFB9NCY

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
wSXulC9TtV8h
install
true
offline_keylogger
true
persistence
true
reg_key
rundll32

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

1372 msdcsc.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1980 attrib.exe
1872 attrib.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

1020 svchost.exe

pid	process
1372	msdcsc.exe

pid	process
1980	attrib.exe
1872	attrib.exe

pid	process
1020	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

attrib.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\svchost.exe attrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\svchost.exe	attrib.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe

description	pid	process	target process
PID 1612 set thread context of 1020	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

attrib.exe

description ioc process

File opened for modification C:\Windows\SysWOW64 attrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64	attrib.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe
Token: SeIncreaseQuotaPrivilege	1020	svchost.exe
Token: SeSecurityPrivilege	1020	svchost.exe
Token: SeTakeOwnershipPrivilege	1020	svchost.exe
Token: SeLoadDriverPrivilege	1020	svchost.exe
Token: SeSystemProfilePrivilege	1020	svchost.exe
Token: SeSystemtimePrivilege	1020	svchost.exe
Token: SeProfSingleProcessPrivilege	1020	svchost.exe
Token: SeIncBasePriorityPrivilege	1020	svchost.exe
Token: SeCreatePagefilePrivilege	1020	svchost.exe
Token: SeBackupPrivilege	1020	svchost.exe
Token: SeRestorePrivilege	1020	svchost.exe
Token: SeShutdownPrivilege	1020	svchost.exe
Token: SeDebugPrivilege	1020	svchost.exe
Token: SeSystemEnvironmentPrivilege	1020	svchost.exe
Token: SeChangeNotifyPrivilege	1020	svchost.exe
Token: SeRemoteShutdownPrivilege	1020	svchost.exe
Token: SeUndockPrivilege	1020	svchost.exe
Token: SeManageVolumePrivilege	1020	svchost.exe
Token: SeImpersonatePrivilege	1020	svchost.exe
Token: SeCreateGlobalPrivilege	1020	svchost.exe
Token: 33	1020	svchost.exe
Token: 34	1020	svchost.exe
Token: 35	1020	svchost.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exesvchost.execmd.execmd.exe

description	pid	process	target process
PID 1612 wrote to memory of 1020	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe	svchost.exe
PID 1612 wrote to memory of 1020	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe	svchost.exe
PID 1612 wrote to memory of 1020	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe	svchost.exe
PID 1612 wrote to memory of 1020	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe	svchost.exe
PID 1612 wrote to memory of 1020	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe	svchost.exe
PID 1612 wrote to memory of 1020	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe	svchost.exe
PID 1612 wrote to memory of 1020	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe	svchost.exe
PID 1612 wrote to memory of 1020	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe	svchost.exe
PID 1612 wrote to memory of 1020	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe	svchost.exe
PID 1612 wrote to memory of 1020	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe	svchost.exe
PID 1612 wrote to memory of 1020	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe	svchost.exe
PID 1612 wrote to memory of 1020	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe	svchost.exe
PID 1612 wrote to memory of 1020	1612	b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe	svchost.exe
PID 1020 wrote to memory of 2012	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 2012	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 2012	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 2012	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 1972	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 1972	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 1972	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 1972	1020	svchost.exe	cmd.exe
PID 2012 wrote to memory of 1872	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 1872	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 1872	2012	cmd.exe	attrib.exe
PID 2012 wrote to memory of 1872	2012	cmd.exe	attrib.exe
PID 1972 wrote to memory of 1980	1972	cmd.exe	attrib.exe
PID 1972 wrote to memory of 1980	1972	cmd.exe	attrib.exe
PID 1972 wrote to memory of 1980	1972	cmd.exe	attrib.exe
PID 1972 wrote to memory of 1980	1972	cmd.exe	attrib.exe
PID 1020 wrote to memory of 1372	1020	svchost.exe	msdcsc.exe
PID 1020 wrote to memory of 1372	1020	svchost.exe	msdcsc.exe
PID 1020 wrote to memory of 1372	1020	svchost.exe	msdcsc.exe
PID 1020 wrote to memory of 1372	1020	svchost.exe	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1872 attrib.exe
1980 attrib.exe

pid	process
1872	attrib.exe
1980	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe
"C:\Users\Admin\AppData\Local\Temp\b95aab4ab662ec879876add015f81eca69f7ce36c95d3235615498e015cff70e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\svchost.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\svchost.exe" +s +h
4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64" +s +h
4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1980

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1372

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
memory/1020-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-70-0x000000000048F888-mapping.dmp

Download
memory/1020-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-55-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1020-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1372-80-0x0000000000000000-mapping.dmp

Download
memory/1612-73-0x0000000074110000-0x00000000746BB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1872-77-0x0000000000000000-mapping.dmp

Download
memory/1972-76-0x0000000000000000-mapping.dmp

Download
memory/1980-78-0x0000000000000000-mapping.dmp

Download
memory/2012-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads