darkcomet | 8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357

General

Target

8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Size

251KB
MD5

530119807d27adea9b69bcbf9aad4f0b
SHA1

37c487c8363d9f4e730772ceb135e1a3d330b121
SHA256

8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357
SHA512

295342c759e0da72e18e2c2967d9df4173f05d81d8dbc3472ec6e29a6cc1729008e26830e412c995ed19b94008b77cd8c61e49af26ed41006ff351afbdb867be

Score

10^/10

darkcomet evasion persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Temp\\Microsoft.NET.exe"	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

Microsoft.NET.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" Microsoft.NET.exe
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

Microsoft.NET.exe

pid process

1752 Microsoft.NET.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Microsoft.NET.exe

pid	process
1752	Microsoft.NET.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe	upx
C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe	upx
\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe	upx
C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe	upx

Loads dropped DLL 2 IoCs

Processes:

8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe

pid	process
240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Microsoft.NET.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Microsoft.NET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Microsoft.NET.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft.NET = "C:\\Users\\Admin\\AppData\\Roaming\\Temp\\Microsoft.NET.exe"	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Microsoft.NET.exe

pid process

1752 Microsoft.NET.exe

pid	process
1752	Microsoft.NET.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exeMicrosoft.NET.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeSecurityPrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeTakeOwnershipPrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeLoadDriverPrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeSystemProfilePrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeSystemtimePrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeProfSingleProcessPrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeIncBasePriorityPrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeCreatePagefilePrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeBackupPrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeRestorePrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeShutdownPrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeDebugPrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeSystemEnvironmentPrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeChangeNotifyPrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeRemoteShutdownPrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeUndockPrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeManageVolumePrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeImpersonatePrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeCreateGlobalPrivilege	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: 33	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: 34	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: 35	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
Token: SeIncreaseQuotaPrivilege	1752	Microsoft.NET.exe
Token: SeSecurityPrivilege	1752	Microsoft.NET.exe
Token: SeTakeOwnershipPrivilege	1752	Microsoft.NET.exe
Token: SeLoadDriverPrivilege	1752	Microsoft.NET.exe
Token: SeSystemProfilePrivilege	1752	Microsoft.NET.exe
Token: SeSystemtimePrivilege	1752	Microsoft.NET.exe
Token: SeProfSingleProcessPrivilege	1752	Microsoft.NET.exe
Token: SeIncBasePriorityPrivilege	1752	Microsoft.NET.exe
Token: SeCreatePagefilePrivilege	1752	Microsoft.NET.exe
Token: SeBackupPrivilege	1752	Microsoft.NET.exe
Token: SeRestorePrivilege	1752	Microsoft.NET.exe
Token: SeShutdownPrivilege	1752	Microsoft.NET.exe
Token: SeDebugPrivilege	1752	Microsoft.NET.exe
Token: SeSystemEnvironmentPrivilege	1752	Microsoft.NET.exe
Token: SeChangeNotifyPrivilege	1752	Microsoft.NET.exe
Token: SeRemoteShutdownPrivilege	1752	Microsoft.NET.exe
Token: SeUndockPrivilege	1752	Microsoft.NET.exe
Token: SeManageVolumePrivilege	1752	Microsoft.NET.exe
Token: SeImpersonatePrivilege	1752	Microsoft.NET.exe
Token: SeCreateGlobalPrivilege	1752	Microsoft.NET.exe
Token: 33	1752	Microsoft.NET.exe
Token: 34	1752	Microsoft.NET.exe
Token: 35	1752	Microsoft.NET.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Microsoft.NET.exe

pid process

1752 Microsoft.NET.exe

pid	process
1752	Microsoft.NET.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.execmd.execmd.exeMicrosoft.NET.exe

description	pid	process	target process
PID 240 wrote to memory of 1180	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe	cmd.exe
PID 240 wrote to memory of 1180	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe	cmd.exe
PID 240 wrote to memory of 1180	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe	cmd.exe
PID 240 wrote to memory of 1180	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe	cmd.exe
PID 240 wrote to memory of 1972	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe	cmd.exe
PID 240 wrote to memory of 1972	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe	cmd.exe
PID 240 wrote to memory of 1972	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe	cmd.exe
PID 240 wrote to memory of 1972	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe	cmd.exe
PID 1180 wrote to memory of 2040	1180	cmd.exe	attrib.exe
PID 1180 wrote to memory of 2040	1180	cmd.exe	attrib.exe
PID 1180 wrote to memory of 2040	1180	cmd.exe	attrib.exe
PID 1180 wrote to memory of 2040	1180	cmd.exe	attrib.exe
PID 1972 wrote to memory of 1736	1972	cmd.exe	attrib.exe
PID 1972 wrote to memory of 1736	1972	cmd.exe	attrib.exe
PID 1972 wrote to memory of 1736	1972	cmd.exe	attrib.exe
PID 1972 wrote to memory of 1736	1972	cmd.exe	attrib.exe
PID 240 wrote to memory of 1752	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe	Microsoft.NET.exe
PID 240 wrote to memory of 1752	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe	Microsoft.NET.exe
PID 240 wrote to memory of 1752	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe	Microsoft.NET.exe
PID 240 wrote to memory of 1752	240	8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe	Microsoft.NET.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe
PID 1752 wrote to memory of 1332	1752	Microsoft.NET.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2040 attrib.exe
1736 attrib.exe

pid	process
2040	attrib.exe
1736	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe
"C:\Users\Admin\AppData\Local\Temp\8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357.exe" +s +h
3⤵
- Views/modifies file attributes
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Views/modifies file attributes
PID:1736

C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe
"C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe"
2⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

Disabling Security Tools

2

T1089

Hidden Files and Directories

2

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe
MD5
530119807d27adea9b69bcbf9aad4f0b

SHA1
37c487c8363d9f4e730772ceb135e1a3d330b121

SHA256
8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357

SHA512
295342c759e0da72e18e2c2967d9df4173f05d81d8dbc3472ec6e29a6cc1729008e26830e412c995ed19b94008b77cd8c61e49af26ed41006ff351afbdb867be

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe
MD5
530119807d27adea9b69bcbf9aad4f0b

SHA1
37c487c8363d9f4e730772ceb135e1a3d330b121

SHA256
8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357

SHA512
295342c759e0da72e18e2c2967d9df4173f05d81d8dbc3472ec6e29a6cc1729008e26830e412c995ed19b94008b77cd8c61e49af26ed41006ff351afbdb867be

Download Submit
\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe
MD5
530119807d27adea9b69bcbf9aad4f0b

SHA1
37c487c8363d9f4e730772ceb135e1a3d330b121

SHA256
8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357

SHA512
295342c759e0da72e18e2c2967d9df4173f05d81d8dbc3472ec6e29a6cc1729008e26830e412c995ed19b94008b77cd8c61e49af26ed41006ff351afbdb867be

Download Submit
\Users\Admin\AppData\Roaming\Temp\Microsoft.NET.exe
MD5
530119807d27adea9b69bcbf9aad4f0b

SHA1
37c487c8363d9f4e730772ceb135e1a3d330b121

SHA256
8237c56fb8d1968bafeb63ebd64ef362b9efc3b923e57e3732870076e04bf357

SHA512
295342c759e0da72e18e2c2967d9df4173f05d81d8dbc3472ec6e29a6cc1729008e26830e412c995ed19b94008b77cd8c61e49af26ed41006ff351afbdb867be

Download Submit
memory/1180-0-0x0000000000000000-mapping.dmp

Download
memory/1332-9-0x0000000000000000-mapping.dmp

Download
memory/1332-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1332-11-0x0000000000000000-mapping.dmp

Download
memory/1736-3-0x0000000000000000-mapping.dmp

Download
memory/1752-6-0x0000000000000000-mapping.dmp

Download
memory/1972-1-0x0000000000000000-mapping.dmp

Download
memory/2040-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads