darkcomet | a27a185b9f8e65db47817f2c4ac5c8085d4dba22abd9ca607aa7daf8553e7bff

General

Target

1d0f673ee9048a28c447e3adb83329c4.exe
Size

777KB
MD5

1d0f673ee9048a28c447e3adb83329c4
SHA1

46dad27b42272dd87fb89128695b6264c992a0d1
SHA256

a27a185b9f8e65db47817f2c4ac5c8085d4dba22abd9ca607aa7daf8553e7bff
SHA512

9274285641e463b003464204a341cdf7864e6f475d86884392ec8ad46d13d8af2e2c555af5a3fe2239ce33066096ba61386cb5aad29cd9965dd8dc168ab72900
SSDEEP

12288:uEEXmw/aQ1PifJQ3j0DfAyhb5Nahsdg8iU8IpUixmdR:l8gfs0jpb5NaN8ioUiEdR

Score

10^/10

darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

myratherenow.no-ip.biz:3737

Mutex

DC_MUTEX-KUYD9J8

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
k6TJEpcoZLQU
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Stage1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	Stage1.exe

Executes dropped EXE 5 IoCs

Processes:

fb.exeCrypted.exeStage2.exeStage1.exemsdcsc.exe

pid process

2100 fb.exe
3064 Crypted.exe
2640 Stage2.exe
2568 Stage1.exe
2864 msdcsc.exe

pid	process
2100	fb.exe
3064	Crypted.exe
2640	Stage2.exe
2568	Stage1.exe
2864	msdcsc.exe

Loads dropped DLL 20 IoCs

Processes:

1d0f673ee9048a28c447e3adb83329c4.exeCrypted.exefb.exeStage2.exeStage1.exemsdcsc.exe

pid	process
2040	1d0f673ee9048a28c447e3adb83329c4.exe
2040	1d0f673ee9048a28c447e3adb83329c4.exe
2040	1d0f673ee9048a28c447e3adb83329c4.exe
3064	Crypted.exe
3064	Crypted.exe
2100	fb.exe
2100	fb.exe
2100	fb.exe
3064	Crypted.exe
3064	Crypted.exe
2640	Stage2.exe
2640	Stage2.exe
3064	Crypted.exe
3064	Crypted.exe
2568	Stage1.exe
2568	Stage1.exe
2568	Stage1.exe
2568	Stage1.exe
2864	msdcsc.exe
2864	msdcsc.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Crypted.exe	upx
\Users\Admin\AppData\Local\Temp\Crypted.exe	upx
behavioral1/memory/2040-4-0x0000000001E20000-0x0000000001E44000-memory.dmp	upx
behavioral1/memory/3064-19-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/3064-32-0x0000000002530000-0x0000000002573000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\Stage2.exe	upx
behavioral1/memory/2640-44-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3064-65-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Stage1.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	Stage1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

Stage1.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2568	Stage1.exe
Token: SeSecurityPrivilege	2568	Stage1.exe
Token: SeTakeOwnershipPrivilege	2568	Stage1.exe
Token: SeLoadDriverPrivilege	2568	Stage1.exe
Token: SeSystemProfilePrivilege	2568	Stage1.exe
Token: SeSystemtimePrivilege	2568	Stage1.exe
Token: SeProfSingleProcessPrivilege	2568	Stage1.exe
Token: SeIncBasePriorityPrivilege	2568	Stage1.exe
Token: SeCreatePagefilePrivilege	2568	Stage1.exe
Token: SeBackupPrivilege	2568	Stage1.exe
Token: SeRestorePrivilege	2568	Stage1.exe
Token: SeShutdownPrivilege	2568	Stage1.exe
Token: SeDebugPrivilege	2568	Stage1.exe
Token: SeSystemEnvironmentPrivilege	2568	Stage1.exe
Token: SeChangeNotifyPrivilege	2568	Stage1.exe
Token: SeRemoteShutdownPrivilege	2568	Stage1.exe
Token: SeUndockPrivilege	2568	Stage1.exe
Token: SeManageVolumePrivilege	2568	Stage1.exe
Token: SeImpersonatePrivilege	2568	Stage1.exe
Token: SeCreateGlobalPrivilege	2568	Stage1.exe
Token: 33	2568	Stage1.exe
Token: 34	2568	Stage1.exe
Token: 35	2568	Stage1.exe
Token: SeIncreaseQuotaPrivilege	2864	msdcsc.exe
Token: SeSecurityPrivilege	2864	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2864	msdcsc.exe
Token: SeLoadDriverPrivilege	2864	msdcsc.exe
Token: SeSystemProfilePrivilege	2864	msdcsc.exe
Token: SeSystemtimePrivilege	2864	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2864	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2864	msdcsc.exe
Token: SeCreatePagefilePrivilege	2864	msdcsc.exe
Token: SeBackupPrivilege	2864	msdcsc.exe
Token: SeRestorePrivilege	2864	msdcsc.exe
Token: SeShutdownPrivilege	2864	msdcsc.exe
Token: SeDebugPrivilege	2864	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2864	msdcsc.exe
Token: SeChangeNotifyPrivilege	2864	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2864	msdcsc.exe
Token: SeUndockPrivilege	2864	msdcsc.exe
Token: SeManageVolumePrivilege	2864	msdcsc.exe
Token: SeImpersonatePrivilege	2864	msdcsc.exe
Token: SeCreateGlobalPrivilege	2864	msdcsc.exe
Token: 33	2864	msdcsc.exe
Token: 34	2864	msdcsc.exe
Token: 35	2864	msdcsc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fb.exemsdcsc.exe

pid process

2100 fb.exe
2864 msdcsc.exe

pid	process
2100	fb.exe
2864	msdcsc.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

1d0f673ee9048a28c447e3adb83329c4.exeCrypted.exeStage1.exe

description	pid	process	target process
PID 2040 wrote to memory of 3064	2040	1d0f673ee9048a28c447e3adb83329c4.exe	Crypted.exe
PID 2040 wrote to memory of 3064	2040	1d0f673ee9048a28c447e3adb83329c4.exe	Crypted.exe
PID 2040 wrote to memory of 3064	2040	1d0f673ee9048a28c447e3adb83329c4.exe	Crypted.exe
PID 2040 wrote to memory of 3064	2040	1d0f673ee9048a28c447e3adb83329c4.exe	Crypted.exe
PID 2040 wrote to memory of 3064	2040	1d0f673ee9048a28c447e3adb83329c4.exe	Crypted.exe
PID 2040 wrote to memory of 3064	2040	1d0f673ee9048a28c447e3adb83329c4.exe	Crypted.exe
PID 2040 wrote to memory of 3064	2040	1d0f673ee9048a28c447e3adb83329c4.exe	Crypted.exe
PID 2040 wrote to memory of 2100	2040	1d0f673ee9048a28c447e3adb83329c4.exe	fb.exe
PID 2040 wrote to memory of 2100	2040	1d0f673ee9048a28c447e3adb83329c4.exe	fb.exe
PID 2040 wrote to memory of 2100	2040	1d0f673ee9048a28c447e3adb83329c4.exe	fb.exe
PID 2040 wrote to memory of 2100	2040	1d0f673ee9048a28c447e3adb83329c4.exe	fb.exe
PID 2040 wrote to memory of 2100	2040	1d0f673ee9048a28c447e3adb83329c4.exe	fb.exe
PID 2040 wrote to memory of 2100	2040	1d0f673ee9048a28c447e3adb83329c4.exe	fb.exe
PID 2040 wrote to memory of 2100	2040	1d0f673ee9048a28c447e3adb83329c4.exe	fb.exe
PID 3064 wrote to memory of 2640	3064	Crypted.exe	Stage2.exe
PID 3064 wrote to memory of 2640	3064	Crypted.exe	Stage2.exe
PID 3064 wrote to memory of 2640	3064	Crypted.exe	Stage2.exe
PID 3064 wrote to memory of 2640	3064	Crypted.exe	Stage2.exe
PID 3064 wrote to memory of 2640	3064	Crypted.exe	Stage2.exe
PID 3064 wrote to memory of 2640	3064	Crypted.exe	Stage2.exe
PID 3064 wrote to memory of 2640	3064	Crypted.exe	Stage2.exe
PID 3064 wrote to memory of 2568	3064	Crypted.exe	Stage1.exe
PID 3064 wrote to memory of 2568	3064	Crypted.exe	Stage1.exe
PID 3064 wrote to memory of 2568	3064	Crypted.exe	Stage1.exe
PID 3064 wrote to memory of 2568	3064	Crypted.exe	Stage1.exe
PID 3064 wrote to memory of 2568	3064	Crypted.exe	Stage1.exe
PID 3064 wrote to memory of 2568	3064	Crypted.exe	Stage1.exe
PID 3064 wrote to memory of 2568	3064	Crypted.exe	Stage1.exe
PID 2568 wrote to memory of 2864	2568	Stage1.exe	msdcsc.exe
PID 2568 wrote to memory of 2864	2568	Stage1.exe	msdcsc.exe
PID 2568 wrote to memory of 2864	2568	Stage1.exe	msdcsc.exe
PID 2568 wrote to memory of 2864	2568	Stage1.exe	msdcsc.exe
PID 2568 wrote to memory of 2864	2568	Stage1.exe	msdcsc.exe
PID 2568 wrote to memory of 2864	2568	Stage1.exe	msdcsc.exe
PID 2568 wrote to memory of 2864	2568	Stage1.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\1d0f673ee9048a28c447e3adb83329c4.exe
"C:\Users\Admin\AppData\Local\Temp\1d0f673ee9048a28c447e3adb83329c4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\Crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\Stage2.exe
"C:\Users\Admin\AppData\Local\Temp\Stage2.exe" x -y -oC:\Users\Admin\AppData\Local\Temp -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640

C:\Users\Admin\AppData\Local\Temp\Stage1.exe
"C:\Users\Admin\AppData\Local\Temp\Stage1.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Users\Admin\AppData\Local\Temp\fb.exe
"C:\Users\Admin\AppData\Local\Temp\fb.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Stage1.exe

Filesize
533KB

MD5
ebf7ac9523830616740079b5c4482a35

SHA1
facc18413cb03425f08a24895657d0b966113ae8

SHA256
58a71c392a1bc8aeaa7e8ad74c9029b2c482d3fa22d943760a702a44787c5fcf

SHA512
f6996a56cc3151882cce99bbe783f69368a4b2054d4bd27781fe83c0b7a7b22054df1ea8ee03a94c604cfc8be12416e165f7399f9f18c43d84101a43aa5461e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb.exe

Filesize
16KB

MD5
1df8f182b953de1f57dc102b7a04965c

SHA1
adbd3b9870c01b8938f14b669bd197e8e81233c4

SHA256
351b5f6759e396244e98dc5fbc2d86bd4a3066af3a7378b8073d2f07b25167d3

SHA512
9e07fb58713e192ac1cbd0e5ac6d05f86ebf6a3f85c7cc6bfc751ad43faf06545f81a696e16be70802256eb5f7102ee34da4dc3a875a9fc6429f3a32b5b1b552

Download Submit
\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
403KB

MD5
8f2e4ebabd4ca87f2a66862cd79baccc

SHA1
002235ff65498d6a5feda249feae1687499d837a

SHA256
8bce36e743256dc3edad5cb3109dda1e9a38b78e364d3392a47d55188ad24f6d

SHA512
92c8e35c032f2b6fe9bb076e0bd3333cb82e797cabcff9247cf497aadce5543432664097d58df7d9d967fc6ee2531214bd2aae1e558aca1d5092d6c7675135ba

Download Submit
\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
64KB

MD5
4437f9e13ca4108455528597161c3151

SHA1
7c9c5f5c3ae6f7984df260bdbaec8527b37ca7b8

SHA256
d2fae62c5bd4d111e9d83eb2da1929ad784fc3f06543b7aeb4edf2a17cfd5a21

SHA512
4c240a4b5ee678adf731cab1b62fc146a5d50a98dc777bbdf1d5e374770f98dcfef8e08d5c34be2d0df0823c7ebb7d0d3bae5b5fe975cac8822f2d4758f5b1b7

Download Submit
\Users\Admin\AppData\Local\Temp\Stage1.exe

Filesize
658KB

MD5
db4cf755c9998f2b054fcffbef6e354c

SHA1
328257469b45e1e20ffb06c197d999816c5b9f1e

SHA256
a568eb0e75ff7079e2c74dbe4e76875dcde39e3dd0c525365e977a017d3bb195

SHA512
37b05dd0b98e1dfdefbc3ed907342d6478b37a7cf28bdd984ff555a14d43b932040f5a28e3b9fc7dea36ad16733257164a7dd94d66ed0fe3a65dca8f9b659e4b

Download Submit
\Users\Admin\AppData\Local\Temp\Stage2.exe

Filesize
356KB

MD5
2340b72183d8e5b715cfe7eec0b934da

SHA1
c35424f0f9f0f8f7e0b991c021c1337c87c6d448

SHA256
a493e188cf3607497259725a297f810095b6f48154e820bfc83dc33cca518965

SHA512
cdd0e9fb63d880d8cc53adfe1fb011ab4d949c257d8cb7a25d96757d2e446126f015b7aab2fc50eec8377cc0b13167f49a1d9b6531e737af8aba967726156568

Download Submit
memory/2040-4-0x0000000001E20000-0x0000000001E44000-memory.dmp

Filesize
144KB

Download
memory/2568-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2640-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2864-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2864-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2864-78-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2864-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2864-76-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2864-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2864-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2864-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2864-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2864-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2864-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2864-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2864-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3064-37-0x0000000002530000-0x0000000002573000-memory.dmp

Filesize
268KB

Download
memory/3064-20-0x00000000001D0000-0x00000000001F4000-memory.dmp

Filesize
144KB

Download
memory/3064-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3064-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3064-32-0x0000000002530000-0x0000000002573000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads