darkcomet | be7656e2b1231f4d605532b23aaaeb8671cb5365e915bce6b34cb07e8d473065

General

Target

d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Size

658KB
MD5

d1154b48aca1e4a5596d0094e1eab310
SHA1

d87f2eb1455b25eb2e5bc0d5c0db40c17aa2673b
SHA256

be7656e2b1231f4d605532b23aaaeb8671cb5365e915bce6b34cb07e8d473065
SHA512

91538539864ebb17bb499c06ac0cb4dc15e983736019211767a7b9338d8d5fcff9cdd23abb223e661bd677ad3c8d6bfff03b270f4a17ad90fac51c24d39893e5
SSDEEP

12288:69HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZK3/X:2iBIGkbxqEcjsWiDxguehC2+

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

batana8.ddns.net:1604

batana8.ddns.net:81

192.168.0.100:81

192.168.0.100:1604

Mutex

DC_MUTEX-CSGJERF

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
FkkFqpZ4j68T
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

msdcsc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

msdcsc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msdcsc.exe

Disables Task Manager via registry modification
evasion
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1448 attrib.exe
4832 attrib.exe

pid	process
1448	attrib.exe
4832	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

2696 msdcsc.exe

pid	process
2696	msdcsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msdcsc.exe

pid process

2696 msdcsc.exe

pid	process
2696	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeSecurityPrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeTakeOwnershipPrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeSystemProfilePrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeSystemtimePrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeProfSingleProcessPrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeCreatePagefilePrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeBackupPrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeRestorePrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeShutdownPrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeDebugPrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeSystemEnvironmentPrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeChangeNotifyPrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeRemoteShutdownPrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeUndockPrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeManageVolumePrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeImpersonatePrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeCreateGlobalPrivilege	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: 33	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: 34	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: 35	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: 36	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
Token: SeIncreaseQuotaPrivilege	2696	msdcsc.exe
Token: SeSecurityPrivilege	2696	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2696	msdcsc.exe
Token: SeLoadDriverPrivilege	2696	msdcsc.exe
Token: SeSystemProfilePrivilege	2696	msdcsc.exe
Token: SeSystemtimePrivilege	2696	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2696	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2696	msdcsc.exe
Token: SeCreatePagefilePrivilege	2696	msdcsc.exe
Token: SeBackupPrivilege	2696	msdcsc.exe
Token: SeRestorePrivilege	2696	msdcsc.exe
Token: SeShutdownPrivilege	2696	msdcsc.exe
Token: SeDebugPrivilege	2696	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2696	msdcsc.exe
Token: SeChangeNotifyPrivilege	2696	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2696	msdcsc.exe
Token: SeUndockPrivilege	2696	msdcsc.exe
Token: SeManageVolumePrivilege	2696	msdcsc.exe
Token: SeImpersonatePrivilege	2696	msdcsc.exe
Token: SeCreateGlobalPrivilege	2696	msdcsc.exe
Token: 33	2696	msdcsc.exe
Token: 34	2696	msdcsc.exe
Token: 35	2696	msdcsc.exe
Token: 36	2696	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

2696 msdcsc.exe

pid	process
2696	msdcsc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.execmd.execmd.exe

description	pid	process	target process
PID 2868 wrote to memory of 3680	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe	cmd.exe
PID 2868 wrote to memory of 3680	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe	cmd.exe
PID 2868 wrote to memory of 3680	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe	cmd.exe
PID 2868 wrote to memory of 4004	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe	cmd.exe
PID 2868 wrote to memory of 4004	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe	cmd.exe
PID 2868 wrote to memory of 4004	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe	cmd.exe
PID 3680 wrote to memory of 1448	3680	cmd.exe	attrib.exe
PID 3680 wrote to memory of 1448	3680	cmd.exe	attrib.exe
PID 3680 wrote to memory of 1448	3680	cmd.exe	attrib.exe
PID 4004 wrote to memory of 4832	4004	cmd.exe	attrib.exe
PID 4004 wrote to memory of 4832	4004	cmd.exe	attrib.exe
PID 4004 wrote to memory of 4832	4004	cmd.exe	attrib.exe
PID 2868 wrote to memory of 2696	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe	msdcsc.exe
PID 2868 wrote to memory of 2696	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe	msdcsc.exe
PID 2868 wrote to memory of 2696	2868	d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe	msdcsc.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1448 attrib.exe
4832 attrib.exe

pid	process
1448	attrib.exe
4832	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\d1154b48aca1e4a5596d0094e1eab310_NeikiAnalytics.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4832
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
  2⤵
  - Modifies security service
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Filesize
658KB

MD5
d1154b48aca1e4a5596d0094e1eab310

SHA1
d87f2eb1455b25eb2e5bc0d5c0db40c17aa2673b

SHA256
be7656e2b1231f4d605532b23aaaeb8671cb5365e915bce6b34cb07e8d473065

SHA512
91538539864ebb17bb499c06ac0cb4dc15e983736019211767a7b9338d8d5fcff9cdd23abb223e661bd677ad3c8d6bfff03b270f4a17ad90fac51c24d39893e5

Download Submit
memory/2696-62-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2696-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2696-66-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2696-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2868-0-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/2868-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads