darkcomet | 077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f

General

Target

077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Size

318KB
MD5

1a18650786e0d1dd22683b8f55e9747a
SHA1

e9d1ebb4441b84b5789dbde03951014acae6ab35
SHA256

077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f
SHA512

1e749a2371d3d0f1c16374419bd84ce93e6e2cd0f158448dd1b600966659b96cd88c3977c9d33a78d1209cce3d460246941be0802742b82443370ab04833cb65

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeSecurityPrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeTakeOwnershipPrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeLoadDriverPrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeSystemProfilePrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeSystemtimePrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeProfSingleProcessPrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeIncBasePriorityPrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeCreatePagefilePrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeBackupPrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeRestorePrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeShutdownPrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeDebugPrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeSystemEnvironmentPrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeChangeNotifyPrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeRemoteShutdownPrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeUndockPrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeManageVolumePrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeImpersonatePrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: SeCreateGlobalPrivilege	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: 33	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: 34	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
Token: 35	932	077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe

C:\Users\Admin\AppData\Local\Temp\077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe
"C:\Users\Admin\AppData\Local\Temp\077a9062b87736ebfe68a2eaeb4f6ed0f800d3f5ae870a5ab5971960ea3d057f.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:932