darkcomet | df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03

General

Target

df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Size

333KB
MD5

de58f2382c3d29a65f6c391d5ab06726
SHA1

3b783d1db12d0a0eef3071b2acb72eba1b16d98c
SHA256

df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03
SHA512

7e06e83eddbc8b6ee4c6bc9f3b30fde51ded69c40f36442d96846300491ff7547e30966bd962d6f8f101f53953327ef1b1ecc2f1f458b55362331508c20600c8

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeSecurityPrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeTakeOwnershipPrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeLoadDriverPrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeSystemProfilePrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeSystemtimePrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeProfSingleProcessPrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeIncBasePriorityPrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeCreatePagefilePrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeBackupPrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeRestorePrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeShutdownPrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeDebugPrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeSystemEnvironmentPrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeChangeNotifyPrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeRemoteShutdownPrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeUndockPrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeManageVolumePrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeImpersonatePrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: SeCreateGlobalPrivilege	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: 33	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: 34	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: 35	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
Token: 36	884	df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe

C:\Users\Admin\AppData\Local\Temp\df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe
"C:\Users\Admin\AppData\Local\Temp\df4b70d17b65cf70d80d63f0a8bf908e6d0a625166449d61649ff93b5dee3e03.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads