darkcomet | 6609f8a3eb1784fe12d91be389de594b5b9a0ccea15cd0de4ecbd5fe52638f20

General

Target

3e30c9cbfed6311e5ebe149203bc4839.exe
Size

1.1MB
MD5

3e30c9cbfed6311e5ebe149203bc4839
SHA1

fcca7dc34ad5b01e45b3d834a43c59fac8cf527c
SHA256

6609f8a3eb1784fe12d91be389de594b5b9a0ccea15cd0de4ecbd5fe52638f20
SHA512

1993e43d2bfbe9c4f39db163d21b81b4fc40026fdbbfab0a568047c43b64347dd234f21d5f3026b810caab4de4c5b7f446ad0682e1f0c43dc6978c7faf8c4a6b
SSDEEP

12288:m1Eu4AZ+EOJTSNT8JpclOVgvcWS2LgHtJpXMKI1jdT5yRVhJUzIwX5+9NB8GYbnt:Y0GMG15eisLl74ZYS+/VRZN9

Score

10^/10

darkcomet 01 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

01

C2

hostme.no-ip.org:1604

Mutex

DC_MUTEX-MJWC85T

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
kCB568SQFn2i
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	svchost.exe

Executes dropped EXE 2 IoCs

Processes:

svchost.exemsdcsc.exe

pid process

2644 svchost.exe
2780 msdcsc.exe
Loads dropped DLL 2 IoCs

Processes:

3e30c9cbfed6311e5ebe149203bc4839.exesvchost.exe

pid process

2504 3e30c9cbfed6311e5ebe149203bc4839.exe
2644 svchost.exe

pid	process
2644	svchost.exe
2780	msdcsc.exe

pid	process
2504	3e30c9cbfed6311e5ebe149203bc4839.exe
2644	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3e30c9cbfed6311e5ebe149203bc4839.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Roaming\\3e30c9cbfed6311e5ebe149203bc4839.exe"	3e30c9cbfed6311e5ebe149203bc4839.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	svchost.exe

Drops file in System32 directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3e30c9cbfed6311e5ebe149203bc4839.exe

description pid process target process

PID 2504 set thread context of 2644 2504 3e30c9cbfed6311e5ebe149203bc4839.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2504 set thread context of 2644	2504	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2644	svchost.exe
Token: SeSecurityPrivilege	2644	svchost.exe
Token: SeTakeOwnershipPrivilege	2644	svchost.exe
Token: SeLoadDriverPrivilege	2644	svchost.exe
Token: SeSystemProfilePrivilege	2644	svchost.exe
Token: SeSystemtimePrivilege	2644	svchost.exe
Token: SeProfSingleProcessPrivilege	2644	svchost.exe
Token: SeIncBasePriorityPrivilege	2644	svchost.exe
Token: SeCreatePagefilePrivilege	2644	svchost.exe
Token: SeBackupPrivilege	2644	svchost.exe
Token: SeRestorePrivilege	2644	svchost.exe
Token: SeShutdownPrivilege	2644	svchost.exe
Token: SeDebugPrivilege	2644	svchost.exe
Token: SeSystemEnvironmentPrivilege	2644	svchost.exe
Token: SeChangeNotifyPrivilege	2644	svchost.exe
Token: SeRemoteShutdownPrivilege	2644	svchost.exe
Token: SeUndockPrivilege	2644	svchost.exe
Token: SeManageVolumePrivilege	2644	svchost.exe
Token: SeImpersonatePrivilege	2644	svchost.exe
Token: SeCreateGlobalPrivilege	2644	svchost.exe
Token: 33	2644	svchost.exe
Token: 34	2644	svchost.exe
Token: 35	2644	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

3e30c9cbfed6311e5ebe149203bc4839.exesvchost.exe

description	pid	process	target process
PID 2504 wrote to memory of 2644	2504	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2504 wrote to memory of 2644	2504	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2504 wrote to memory of 2644	2504	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2504 wrote to memory of 2644	2504	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2504 wrote to memory of 2644	2504	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2504 wrote to memory of 2644	2504	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2504 wrote to memory of 2644	2504	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2504 wrote to memory of 2644	2504	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2504 wrote to memory of 2644	2504	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2504 wrote to memory of 2644	2504	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2504 wrote to memory of 2644	2504	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2504 wrote to memory of 2644	2504	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2504 wrote to memory of 2644	2504	3e30c9cbfed6311e5ebe149203bc4839.exe	svchost.exe
PID 2644 wrote to memory of 2780	2644	svchost.exe	msdcsc.exe
PID 2644 wrote to memory of 2780	2644	svchost.exe	msdcsc.exe
PID 2644 wrote to memory of 2780	2644	svchost.exe	msdcsc.exe
PID 2644 wrote to memory of 2780	2644	svchost.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\3e30c9cbfed6311e5ebe149203bc4839.exe
"C:\Users\Admin\AppData\Local\Temp\3e30c9cbfed6311e5ebe149203bc4839.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:2780

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
415KB

MD5
87ba94dcd3334ba357c6b70f1401f7f3

SHA1
88c8be63990a6d9d86b298e9a16c8479c5e26675

SHA256
81dbda90158db49d954670538a65a4560e60a07434c4eed0abbed25fc9428c59

SHA512
06beb5c381e4602e550da2c8da997e3d37857437b5cfe3643c68eb644df5b44bac4f70532f999aec99483b5d68862c3c5c4bb20896422248f2c4fb1000ad61fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
199KB

MD5
e942f4a4bfbb1677d6d270aad53424af

SHA1
d2290b118048e907c44b23ea2fe3f3c35c8e2559

SHA256
19fd56ac0e0220eb832376e86aa553ef70b65daa05a6e043ca07e1217ca6d7dc

SHA512
b4020e461d07d5b0c3b0f9cc75a34a9a90232d3e5acf5d35313ce9a02301a22cfac21bb29795ec3313f31470a99baa3acc4c69472ef630dc9eeff46d7f62e6a9

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
183KB

MD5
86b4ffa237e7059cc0905d0d69e34d44

SHA1
7f6004cae488f382be27ec1b5e49e05dee95552a

SHA256
a9206782dfc8047465aa8f70f59957cd010cdddcb7e5c90080ba14743edced4a

SHA512
5ef26a5c5379973b870f3f160823d133a36f7438fdbd969953f41e0cc9fd0989888b9b1afdc82c570d0bc5adc7c7b733cfda18adb6cc19eaf3e110179ad0c91d

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
141KB

MD5
68f13e11d24c55c17f2b12bd09418cf2

SHA1
a5415b7bc1f36f4ee593065994087b3a2b3aea30

SHA256
c0ecc5345ac93587b9b111856f8e6ec7005d9b9a2c34f18a82813185ae71d681

SHA512
2f7259a3b5958526062e2d996fa2c5a5dc744997045b738e77df3581212c2814f92d338465286049aac53fbb94110efe0673281bc3e96550748fbaa19a4da3a5

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
76KB

MD5
e45355646a24e6714a6f4578f881348e

SHA1
680bde6d20d53efc3940e67b00566d9eb03d4f03

SHA256
88c0331375587e846738c26f7cc605126cd41c338c7fb588d4261bea6e70c55b

SHA512
6c13c284f1f083333e26bdad6aab77b3d987974add6a28b1b6c27a8a9ec993c7ca7e834da1425b6c7be96aa70e3ee18a7a0cd1a3d37d7d97a785c2c51f3770a9

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
24KB

MD5
c37baf46e3bdac70c02f0edaac0b1fac

SHA1
fd884d1bce988ba1866bffbf10fe5f4f1b89f09e

SHA256
950673b93495f0ed4d3d7c714a29533df2706a8e03e1e3f142078745304aedef

SHA512
f6f750069e6ab0f7097ef0527c2e3f172ced4902d0a9ba982cbabdc268c96d0b1c603bfb0c6cc8f6ff0f2a00159f13cd4f24a82a3e2f48353c324dbc2f423fa3

Download Submit
\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
90KB

MD5
55a152c2aa377b551e0894d7a31994f7

SHA1
56f9cc557f4a2df54e00948a36d3d4087f91f9fb

SHA256
2b2cd651ddb5c5334305c7d048bbc481494ec89bfe55d5d1302f27656119210e

SHA512
9b6b27b8f37d778b3ccad2cae431e0b26fe297ea67d916201e243c767ff376d8384bcf42c10b6ed9e44807ffa5165196c98323bf0f4221bb2e01730b5a754289

Download Submit
memory/2504-1-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-2-0x0000000002300000-0x0000000002340000-memory.dmp

Filesize
256KB

Download
memory/2504-0-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/2504-27-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-17-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2644-30-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2644-26-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2644-24-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2644-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-21-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2644-28-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2644-20-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2644-29-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2644-11-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2644-19-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2644-13-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2644-39-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2644-15-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2644-9-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads