darkcomet | a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905

General

Target

a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Size

318KB
MD5

05cf4f8680713194351357aa49b43076
SHA1

a2e23c0195c04160da45e1739424bb0c6695e6a3
SHA256

a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905
SHA512

4d70affba693089faf4c2debe3839afa5eda63936e3c9a7cadc3a222e29687f3021113e38a74be1498aa1c267fb44e489fecdee51f595f5d2229fb1efd05332a

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeSecurityPrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeTakeOwnershipPrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeLoadDriverPrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeSystemProfilePrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeSystemtimePrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeProfSingleProcessPrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeIncBasePriorityPrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeCreatePagefilePrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeBackupPrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeRestorePrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeShutdownPrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeDebugPrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeSystemEnvironmentPrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeChangeNotifyPrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeRemoteShutdownPrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeUndockPrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeManageVolumePrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeImpersonatePrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: SeCreateGlobalPrivilege	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: 33	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: 34	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
Token: 35	1848	a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe

C:\Users\Admin\AppData\Local\Temp\a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe
"C:\Users\Admin\AppData\Local\Temp\a442c3203228642a60f501ff0c78520c22cbf332cf9a25fc584d2712a16ba905.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1848