darkcomet | 0345e5e50f1138a5184d72d01477c71b294c0bb671abd729116c828b73721f00

Analysis

Target

Bu_senin_icin_Askm.exe
Size

658KB
MD5

acfd80a424bc1cf1505baddbd8dc310d
SHA1

4c9447e55fcafc784a31ec0ac20d033af3874a2a
SHA256

0345e5e50f1138a5184d72d01477c71b294c0bb671abd729116c828b73721f00
SHA512

7b8c18d3e4ef2d55c7a4f0306901042c242684551b9a1c86f038f60186da062111384c17221d50fb9b89b9b596a8e4640bb05305d5c66661e766dbc5fc81a5e4

Score

10^/10

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

Bu_senin_icin_Askm.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	492	Bu_senin_icin_Askm.exe
Token: SeSecurityPrivilege	492	Bu_senin_icin_Askm.exe
Token: SeTakeOwnershipPrivilege	492	Bu_senin_icin_Askm.exe
Token: SeLoadDriverPrivilege	492	Bu_senin_icin_Askm.exe
Token: SeSystemProfilePrivilege	492	Bu_senin_icin_Askm.exe
Token: SeSystemtimePrivilege	492	Bu_senin_icin_Askm.exe
Token: SeProfSingleProcessPrivilege	492	Bu_senin_icin_Askm.exe
Token: SeIncBasePriorityPrivilege	492	Bu_senin_icin_Askm.exe
Token: SeCreatePagefilePrivilege	492	Bu_senin_icin_Askm.exe
Token: SeBackupPrivilege	492	Bu_senin_icin_Askm.exe
Token: SeRestorePrivilege	492	Bu_senin_icin_Askm.exe
Token: SeShutdownPrivilege	492	Bu_senin_icin_Askm.exe
Token: SeDebugPrivilege	492	Bu_senin_icin_Askm.exe
Token: SeSystemEnvironmentPrivilege	492	Bu_senin_icin_Askm.exe
Token: SeChangeNotifyPrivilege	492	Bu_senin_icin_Askm.exe
Token: SeRemoteShutdownPrivilege	492	Bu_senin_icin_Askm.exe
Token: SeUndockPrivilege	492	Bu_senin_icin_Askm.exe
Token: SeManageVolumePrivilege	492	Bu_senin_icin_Askm.exe
Token: SeImpersonatePrivilege	492	Bu_senin_icin_Askm.exe
Token: SeCreateGlobalPrivilege	492	Bu_senin_icin_Askm.exe
Token: 33	492	Bu_senin_icin_Askm.exe
Token: 34	492	Bu_senin_icin_Askm.exe
Token: 35	492	Bu_senin_icin_Askm.exe
Token: 36	492	Bu_senin_icin_Askm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Bu_senin_icin_Askm.exe

pid process

492 Bu_senin_icin_Askm.exe

pid	process
492	Bu_senin_icin_Askm.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Bu_senin_icin_Askm.exe

description	pid	process	target process
PID 492 wrote to memory of 3312	492	Bu_senin_icin_Askm.exe	iexplore.exe
PID 492 wrote to memory of 3312	492	Bu_senin_icin_Askm.exe	iexplore.exe
PID 492 wrote to memory of 3312	492	Bu_senin_icin_Askm.exe	iexplore.exe
PID 492 wrote to memory of 3300	492	Bu_senin_icin_Askm.exe	explorer.exe
PID 492 wrote to memory of 3300	492	Bu_senin_icin_Askm.exe	explorer.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:3312

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/492-2-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download