darkcomet | 5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83

General

Target

5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Size

251KB
MD5

b547e8c99725f6703be9abd07e5224c7
SHA1

62983bc952692ddba6f4901c8dea12d27600897f
SHA256

5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83
SHA512

674651da4dde4df3593cdb798f4c70f404534540f445f775d069be112da658e2beb6c087e5fb8d3759f05a232459a5141cfb3db8d0bdae6046e9ec701c7db2a9

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe

Disables RegEdit via registry modification
evasion
Disables Task Manager via registry modification
evasion
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeSecurityPrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeTakeOwnershipPrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeLoadDriverPrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeSystemProfilePrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeSystemtimePrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeProfSingleProcessPrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeIncBasePriorityPrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeCreatePagefilePrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeBackupPrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeRestorePrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeShutdownPrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeDebugPrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeSystemEnvironmentPrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeChangeNotifyPrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeRemoteShutdownPrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeUndockPrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeManageVolumePrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeImpersonatePrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeCreateGlobalPrivilege	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: 33	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: 34	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: 35	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe

pid process

1684 5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe

pid	process
1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.execmd.execmd.exe

description	pid	process	target process
PID 1684 wrote to memory of 1752	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe	cmd.exe
PID 1684 wrote to memory of 1752	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe	cmd.exe
PID 1684 wrote to memory of 1752	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe	cmd.exe
PID 1684 wrote to memory of 1752	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe	cmd.exe
PID 1684 wrote to memory of 1764	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe	cmd.exe
PID 1684 wrote to memory of 1764	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe	cmd.exe
PID 1684 wrote to memory of 1764	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe	cmd.exe
PID 1684 wrote to memory of 1764	1684	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe	cmd.exe
PID 1752 wrote to memory of 1144	1752	cmd.exe	attrib.exe
PID 1752 wrote to memory of 1144	1752	cmd.exe	attrib.exe
PID 1752 wrote to memory of 1144	1752	cmd.exe	attrib.exe
PID 1752 wrote to memory of 1144	1752	cmd.exe	attrib.exe
PID 1764 wrote to memory of 1188	1764	cmd.exe	attrib.exe
PID 1764 wrote to memory of 1188	1764	cmd.exe	attrib.exe
PID 1764 wrote to memory of 1188	1764	cmd.exe	attrib.exe
PID 1764 wrote to memory of 1188	1764	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1144 attrib.exe
1188 attrib.exe

pid	process
1144	attrib.exe
1188	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
"C:\Users\Admin\AppData\Local\Temp\5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe"
1⤵
- Modifies firewall policy service
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe" +s +h
3⤵
- Views/modifies file attributes
PID:1144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Views/modifies file attributes
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

2

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1144-56-0x0000000000000000-mapping.dmp

Download
memory/1188-57-0x0000000000000000-mapping.dmp

Download
memory/1684-53-0x0000000075641000-0x0000000075643000-memory.dmp

Filesize
8KB

Download
memory/1684-58-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1752-54-0x0000000000000000-mapping.dmp

Download
memory/1764-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads