darkcomet | 5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83

General

Target

5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Size

251KB
MD5

b547e8c99725f6703be9abd07e5224c7
SHA1

62983bc952692ddba6f4901c8dea12d27600897f
SHA256

5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83
SHA512

674651da4dde4df3593cdb798f4c70f404534540f445f775d069be112da658e2beb6c087e5fb8d3759f05a232459a5141cfb3db8d0bdae6046e9ec701c7db2a9

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe

Disables RegEdit via registry modification
evasion
Disables Task Manager via registry modification
evasion
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeSecurityPrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeTakeOwnershipPrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeLoadDriverPrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeSystemProfilePrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeSystemtimePrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeProfSingleProcessPrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeIncBasePriorityPrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeCreatePagefilePrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeBackupPrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeRestorePrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeShutdownPrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeDebugPrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeSystemEnvironmentPrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeChangeNotifyPrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeRemoteShutdownPrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeUndockPrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeManageVolumePrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeImpersonatePrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: SeCreateGlobalPrivilege	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: 33	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: 34	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: 35	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
Token: 36	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe

pid process

3008 5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe

pid	process
3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.execmd.execmd.exe

description	pid	process	target process
PID 3008 wrote to memory of 2920	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe	cmd.exe
PID 3008 wrote to memory of 2920	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe	cmd.exe
PID 3008 wrote to memory of 2920	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe	cmd.exe
PID 3008 wrote to memory of 8	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe	cmd.exe
PID 3008 wrote to memory of 8	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe	cmd.exe
PID 3008 wrote to memory of 8	3008	5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe	cmd.exe
PID 2920 wrote to memory of 3500	2920	cmd.exe	attrib.exe
PID 2920 wrote to memory of 3500	2920	cmd.exe	attrib.exe
PID 2920 wrote to memory of 3500	2920	cmd.exe	attrib.exe
PID 8 wrote to memory of 3064	8	cmd.exe	attrib.exe
PID 8 wrote to memory of 3064	8	cmd.exe	attrib.exe
PID 8 wrote to memory of 3064	8	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3500 attrib.exe
3064 attrib.exe

pid	process
3500	attrib.exe
3064	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe
"C:\Users\Admin\AppData\Local\Temp\5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe"
1⤵
- Modifies firewall policy service
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\5596614cddff8a68bce813b25424d50e9f6eed9eb65a4bcb6b20d544071fdd83.exe" +s +h
3⤵
- Views/modifies file attributes
PID:3500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Views/modifies file attributes
PID:3064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

2

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-116-0x0000000000000000-mapping.dmp

Download
memory/2920-115-0x0000000000000000-mapping.dmp

Download
memory/3008-114-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/3064-118-0x0000000000000000-mapping.dmp

Download
memory/3500-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads