darkcomet | 6609f8a3eb1784fe12d91be389de594b5b9a0ccea15cd0de4ecbd5fe52638f20

General

Target

3e30c9cbfed6311e5ebe149203bc4839.exe
Size

1.1MB
MD5

3e30c9cbfed6311e5ebe149203bc4839
SHA1

fcca7dc34ad5b01e45b3d834a43c59fac8cf527c
SHA256

6609f8a3eb1784fe12d91be389de594b5b9a0ccea15cd0de4ecbd5fe52638f20
SHA512

1993e43d2bfbe9c4f39db163d21b81b4fc40026fdbbfab0a568047c43b64347dd234f21d5f3026b810caab4de4c5b7f446ad0682e1f0c43dc6978c7faf8c4a6b
SSDEEP

12288:m1Eu4AZ+EOJTSNT8JpclOVgvcWS2LgHtJpXMKI1jdT5yRVhJUzIwX5+9NB8GYbnt:Y0GMG15eisLl74ZYS+/VRZN9

Score

10^/10

darkcomet 01 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

01

C2

hostme.no-ip.org:1604

Mutex

DC_MUTEX-MJWC85T

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
kCB568SQFn2i
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation svchost.exe
Executes dropped EXE 2 IoCs

Processes:

svchost.exemsdcsc.exe

pid process

2184 svchost.exe
3728 msdcsc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	svchost.exe

pid	process
2184	svchost.exe
3728	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe3e30c9cbfed6311e5ebe149203bc4839.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Roaming\\3e30c9cbfed6311e5ebe149203bc4839.exe"	3e30c9cbfed6311e5ebe149203bc4839.exe

Drops file in System32 directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3e30c9cbfed6311e5ebe149203bc4839.exe

description pid process target process

PID 2760 set thread context of 2184 2760 3e30c9cbfed6311e5ebe149203bc4839.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2760 set thread context of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2184	svchost.exe
Token: SeSecurityPrivilege	2184	svchost.exe
Token: SeTakeOwnershipPrivilege	2184	svchost.exe
Token: SeLoadDriverPrivilege	2184	svchost.exe
Token: SeSystemProfilePrivilege	2184	svchost.exe
Token: SeSystemtimePrivilege	2184	svchost.exe
Token: SeProfSingleProcessPrivilege	2184	svchost.exe
Token: SeIncBasePriorityPrivilege	2184	svchost.exe
Token: SeCreatePagefilePrivilege	2184	svchost.exe
Token: SeBackupPrivilege	2184	svchost.exe
Token: SeRestorePrivilege	2184	svchost.exe
Token: SeShutdownPrivilege	2184	svchost.exe
Token: SeDebugPrivilege	2184	svchost.exe
Token: SeSystemEnvironmentPrivilege	2184	svchost.exe
Token: SeChangeNotifyPrivilege	2184	svchost.exe
Token: SeRemoteShutdownPrivilege	2184	svchost.exe
Token: SeUndockPrivilege	2184	svchost.exe
Token: SeManageVolumePrivilege	2184	svchost.exe
Token: SeImpersonatePrivilege	2184	svchost.exe
Token: SeCreateGlobalPrivilege	2184	svchost.exe
Token: 33	2184	svchost.exe
Token: 34	2184	svchost.exe
Token: 35	2184	svchost.exe
Token: 36	2184	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

3e30c9cbfed6311e5ebe149203bc4839.exesvchost.exe

description	pid	process	target process
PID 2760 wrote to memory of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2760 wrote to memory of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2760 wrote to memory of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2760 wrote to memory of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2760 wrote to memory of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2760 wrote to memory of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2760 wrote to memory of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2760 wrote to memory of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2760 wrote to memory of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2760 wrote to memory of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2760 wrote to memory of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2760 wrote to memory of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2760 wrote to memory of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2760 wrote to memory of 2184	2760	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2184 wrote to memory of 3728	2184	svchost.exe	msdcsc.exe
PID 2184 wrote to memory of 3728	2184	svchost.exe	msdcsc.exe
PID 2184 wrote to memory of 3728	2184	svchost.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\3e30c9cbfed6311e5ebe149203bc4839.exe
"C:\Users\Admin\AppData\Local\Temp\3e30c9cbfed6311e5ebe149203bc4839.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:3728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
406KB

MD5
727c2dff5191fbedf1f3aef4f9844f35

SHA1
3ac96d64379c70475577c3949af3adc8f5c93e92

SHA256
5c92a1f613b02bdc571ea094f42a72924c106aabda7dd20d1a7ee87b7e269350

SHA512
465e9bf522f272e2758de5422d077f65db6db977f28cb683c549bbff94d0079b641ef8cf1a69931518e1b19be6d511170915cfe098cdbc5d6c2a4758a1628790

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
128KB

MD5
0712478a997cb73c2acf83235029fee1

SHA1
5f65d6384b1a4c179bedd8f7a0489960f019a73a

SHA256
2f2e1ce3714df70bd7afe5d53df5398515e8c717a89a84b83b12db2e218689d4

SHA512
80e47e9f2ad87b1cc4acffc63e4123f7705421e11135d5e2c49e70612877da28c98b31552145a045528825724aeb61bbbf8d6d5117d1fdb35cfaff508d559b07

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
379KB

MD5
98ffba86e6c3773b22d4000436337657

SHA1
3e0378cf96154c6fe5d2044024a3f65de0930e49

SHA256
07b7cb3210e0c0c1b0a47b08c087f8bc7185f11888cbd45d1b98c94088b95aba

SHA512
e4c1f32655c01f29bc086f6c503a8f0753711e0fcc950572b96f3aa7af39b9ec0a3497a40fe0ce5c2af06378aef084434e6866cee9f77c360056d3fa0788993d

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
420KB

MD5
41287aaacf6af38ac4326adaa553a3c9

SHA1
a19885c79b85335dd3bc4d8b35a74ba73cb19d57

SHA256
3837d9e020211bef81c43f8248879a7617fa8f3ae0d689853a21f521e39d28a0

SHA512
71bf505b39954b033d66dca4015a34c4b94a8b76242b599ac448439c34413090497277051313227d55fde11ef842a2203dc2ef9b40c0d322c46a3f78370ecc05

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
424KB

MD5
0c24cce15959c1295450884dbc9e01a1

SHA1
02dba94e8fee3b9b3a7ccb7af16ad56e937c1b3b

SHA256
8809e463e157d00851ca40b1ecec7d0f019287dbf4a35334c010c0c68eb9a72e

SHA512
91b617d1410bcc325b00544aef443ae8e4c5bf6b015999cbbd01e6c60bd6c70c4f56b6d44d1b95039d676fc293db354863115170efa41221e79bb1654941e213

Download Submit
memory/2184-7-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2184-11-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2184-14-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2184-16-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2184-10-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2184-28-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2760-0-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/2760-15-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/2760-2-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/2760-1-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads