darkcomet | ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3

General

Target

ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Size

658KB
MD5

6d6aceaf5c3f2d9c02d292c15e4ff3d6
SHA1

b92e13064b7693551963909d879f1e9eae57a021
SHA256

ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3
SHA512

6a78c45f1dc631f77b2bc5f7e2bc3e7dc31c8aa81f46f549de035616f922c277dce75bf12a710d3be02731e87f649a5cbb36e08226e256a141bad91ba51cfbb9

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe

Disables Task Manager via registry modification
evasion
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeSecurityPrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeTakeOwnershipPrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeLoadDriverPrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeSystemProfilePrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeSystemtimePrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeProfSingleProcessPrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeIncBasePriorityPrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeCreatePagefilePrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeBackupPrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeRestorePrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeShutdownPrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeDebugPrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeSystemEnvironmentPrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeChangeNotifyPrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeRemoteShutdownPrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeUndockPrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeManageVolumePrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeImpersonatePrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: SeCreateGlobalPrivilege	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: 33	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: 34	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Token: 35	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe

pid process

240 ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe

pid	process
240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.execmd.execmd.exe

description	pid	process	target process
PID 240 wrote to memory of 848	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe	cmd.exe
PID 240 wrote to memory of 848	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe	cmd.exe
PID 240 wrote to memory of 848	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe	cmd.exe
PID 240 wrote to memory of 848	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe	cmd.exe
PID 240 wrote to memory of 1436	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe	cmd.exe
PID 240 wrote to memory of 1436	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe	cmd.exe
PID 240 wrote to memory of 1436	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe	cmd.exe
PID 240 wrote to memory of 1436	240	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe	cmd.exe
PID 1436 wrote to memory of 1304	1436	cmd.exe	attrib.exe
PID 1436 wrote to memory of 1304	1436	cmd.exe	attrib.exe
PID 1436 wrote to memory of 1304	1436	cmd.exe	attrib.exe
PID 1436 wrote to memory of 1304	1436	cmd.exe	attrib.exe
PID 848 wrote to memory of 1320	848	cmd.exe	attrib.exe
PID 848 wrote to memory of 1320	848	cmd.exe	attrib.exe
PID 848 wrote to memory of 1320	848	cmd.exe	attrib.exe
PID 848 wrote to memory of 1320	848	cmd.exe	attrib.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1320 attrib.exe
1304 attrib.exe

pid	process
1320	attrib.exe
1304	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe
"C:\Users\Admin\AppData\Local\Temp\ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe"
1⤵
- Modifies firewall policy service
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\ef6832d7f49bb09e6bb239c64b3c6738930cfe71a599bc70a8c62cb570447ff3.exe" +s +h
3⤵
- Views/modifies file attributes
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Views/modifies file attributes
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

2

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-54-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/848-55-0x0000000000000000-mapping.dmp

Download
memory/1304-57-0x0000000000000000-mapping.dmp

Download
memory/1320-58-0x0000000000000000-mapping.dmp

Download
memory/1436-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads