darkcomet | 0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5

General

Target

0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
Size

1.3MB
MD5

48648aa5677354a1c0bfc88c129af92f
SHA1

ab1a6027c7d7f77f260455fd13bc4ef6ef0110a1
SHA256

0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5
SHA512

572c33f8641b774a30eee507e4a47eaf11c54978f2780d978d2042ae6ca52183b40f21b61a00dbdb4ee7d3c34d5e808ce6cb33bf075d59e29f9ce838726d6c7f

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

deneme 12 - Kopya.exedeneme 12 - Kopya.exe

pid process

3588 deneme 12 - Kopya.exe
3896 deneme 12 - Kopya.exe

pid	process
3588	deneme 12 - Kopya.exe
3896	deneme 12 - Kopya.exe

Drops file in System32 directory 6 IoCs

Processes:

0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exedeneme 12 - Kopya.exe

description	ioc	process
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259283828	0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
File created	C:\Windows\SysWOW64\Injector + by Unpublished.exe	0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
File opened for modification	C:\Windows\SysWOW64\Injector + by Unpublished.exe	0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
File created	C:\Windows\SysWOW64\deneme 12 - Kopya.exe	0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
File opened for modification	C:\Windows\SysWOW64\deneme 12 - Kopya.exe	0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
File opened for modification	C:\Windows\SysWOW64\deneme 12 - Kopya.exe	deneme 12 - Kopya.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

deneme 12 - Kopya.exe

description pid process target process

PID 3588 set thread context of 3896 3588 deneme 12 - Kopya.exe deneme 12 - Kopya.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3588 set thread context of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

deneme 12 - Kopya.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3896	deneme 12 - Kopya.exe
Token: SeSecurityPrivilege	3896	deneme 12 - Kopya.exe
Token: SeTakeOwnershipPrivilege	3896	deneme 12 - Kopya.exe
Token: SeLoadDriverPrivilege	3896	deneme 12 - Kopya.exe
Token: SeSystemProfilePrivilege	3896	deneme 12 - Kopya.exe
Token: SeSystemtimePrivilege	3896	deneme 12 - Kopya.exe
Token: SeProfSingleProcessPrivilege	3896	deneme 12 - Kopya.exe
Token: SeIncBasePriorityPrivilege	3896	deneme 12 - Kopya.exe
Token: SeCreatePagefilePrivilege	3896	deneme 12 - Kopya.exe
Token: SeBackupPrivilege	3896	deneme 12 - Kopya.exe
Token: SeRestorePrivilege	3896	deneme 12 - Kopya.exe
Token: SeShutdownPrivilege	3896	deneme 12 - Kopya.exe
Token: SeDebugPrivilege	3896	deneme 12 - Kopya.exe
Token: SeSystemEnvironmentPrivilege	3896	deneme 12 - Kopya.exe
Token: SeChangeNotifyPrivilege	3896	deneme 12 - Kopya.exe
Token: SeRemoteShutdownPrivilege	3896	deneme 12 - Kopya.exe
Token: SeUndockPrivilege	3896	deneme 12 - Kopya.exe
Token: SeManageVolumePrivilege	3896	deneme 12 - Kopya.exe
Token: SeImpersonatePrivilege	3896	deneme 12 - Kopya.exe
Token: SeCreateGlobalPrivilege	3896	deneme 12 - Kopya.exe
Token: 33	3896	deneme 12 - Kopya.exe
Token: 34	3896	deneme 12 - Kopya.exe
Token: 35	3896	deneme 12 - Kopya.exe
Token: 36	3896	deneme 12 - Kopya.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

deneme 12 - Kopya.exe

pid process

3588 deneme 12 - Kopya.exe

pid	process
3588	deneme 12 - Kopya.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exedeneme 12 - Kopya.exe

description	pid	process	target process
PID 2988 wrote to memory of 3588	2988	0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe	deneme 12 - Kopya.exe
PID 2988 wrote to memory of 3588	2988	0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe	deneme 12 - Kopya.exe
PID 2988 wrote to memory of 3588	2988	0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe	deneme 12 - Kopya.exe
PID 3588 wrote to memory of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe
PID 3588 wrote to memory of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe
PID 3588 wrote to memory of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe
PID 3588 wrote to memory of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe
PID 3588 wrote to memory of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe
PID 3588 wrote to memory of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe
PID 3588 wrote to memory of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe
PID 3588 wrote to memory of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe
PID 3588 wrote to memory of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe
PID 3588 wrote to memory of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe
PID 3588 wrote to memory of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe
PID 3588 wrote to memory of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe
PID 3588 wrote to memory of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe
PID 3588 wrote to memory of 3896	3588	deneme 12 - Kopya.exe	deneme 12 - Kopya.exe

C:\Users\Admin\AppData\Local\Temp\0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe
"C:\Users\Admin\AppData\Local\Temp\0c360cedae75c423ed83accf4f4ecc9fe61212e60aa6b24830d1f54ef4944fe5.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\deneme 12 - Kopya.exe
"C:\Windows\System32\deneme 12 - Kopya.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\deneme 12 - Kopya.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\deneme 12 - Kopya.exe
MD5
dfd73c773fb43e7a812c19e48d83ab21

SHA1
d083d1de7151d49ce8103a7e431dfe3cb0017635

SHA256
426fc237ea38ea0ed1ed73da4ae192abe9d83895788b036a33704c499a56ed1c

SHA512
61a4c3032b2c065db04769b3375d529dcbbe3bc7fb795d827b3d29240b160a1021474ef910124fe140a001a89185d99fa1d773cffeac1a211e1a8dcbcf82f72a

Download Submit
C:\Windows\SysWOW64\deneme 12 - Kopya.exe
MD5
dfd73c773fb43e7a812c19e48d83ab21

SHA1
d083d1de7151d49ce8103a7e431dfe3cb0017635

SHA256
426fc237ea38ea0ed1ed73da4ae192abe9d83895788b036a33704c499a56ed1c

SHA512
61a4c3032b2c065db04769b3375d529dcbbe3bc7fb795d827b3d29240b160a1021474ef910124fe140a001a89185d99fa1d773cffeac1a211e1a8dcbcf82f72a

Download Submit
C:\Windows\SysWOW64\deneme 12 - Kopya.exe
MD5
dfd73c773fb43e7a812c19e48d83ab21

SHA1
d083d1de7151d49ce8103a7e431dfe3cb0017635

SHA256
426fc237ea38ea0ed1ed73da4ae192abe9d83895788b036a33704c499a56ed1c

SHA512
61a4c3032b2c065db04769b3375d529dcbbe3bc7fb795d827b3d29240b160a1021474ef910124fe140a001a89185d99fa1d773cffeac1a211e1a8dcbcf82f72a

Download Submit
memory/3588-114-0x0000000000000000-mapping.dmp

Download
memory/3588-122-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3896-119-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3896-120-0x000000000048E828-mapping.dmp

Download
memory/3896-123-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3896-124-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads