darkcomet | 803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba

General

Target

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Size

658KB
MD5

c9f2633623802b25ef05ed1f0368c6f7
SHA1

3408dbb4ae9b08f527c25fdcfe3719b45bde95f9
SHA256

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba
SHA512

86df127aa8c5ed2f6f1ad1766d8f5f49eec73bd6c8a9898750b260321392b7e7f4ac0d8b81748ab4d308276d8e1fa31bc303d99d750056668fd4b5059880fbd3

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Disables RegEdit via registry modification
evasion
Disables Task Manager via registry modification
evasion
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

pid process

972 803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

pid	process
972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeSecurityPrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeTakeOwnershipPrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeLoadDriverPrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeSystemProfilePrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeSystemtimePrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeProfSingleProcessPrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeIncBasePriorityPrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeCreatePagefilePrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeBackupPrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeRestorePrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeShutdownPrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeDebugPrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeSystemEnvironmentPrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeChangeNotifyPrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeRemoteShutdownPrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeUndockPrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeManageVolumePrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeImpersonatePrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeCreateGlobalPrivilege	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: 33	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: 34	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: 35	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.execmd.execmd.exe

description	pid	process	target process
PID 972 wrote to memory of 1680	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	cmd.exe
PID 972 wrote to memory of 1680	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	cmd.exe
PID 972 wrote to memory of 1680	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	cmd.exe
PID 972 wrote to memory of 1680	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	cmd.exe
PID 972 wrote to memory of 2020	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	cmd.exe
PID 972 wrote to memory of 2020	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	cmd.exe
PID 972 wrote to memory of 2020	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	cmd.exe
PID 972 wrote to memory of 2020	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	cmd.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 972 wrote to memory of 2016	972	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1680 wrote to memory of 1184	1680	cmd.exe	attrib.exe
PID 1680 wrote to memory of 1184	1680	cmd.exe	attrib.exe
PID 1680 wrote to memory of 1184	1680	cmd.exe	attrib.exe
PID 1680 wrote to memory of 1184	1680	cmd.exe	attrib.exe
PID 2020 wrote to memory of 596	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 596	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 596	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 596	2020	cmd.exe	attrib.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1184 attrib.exe
596 attrib.exe

pid	process
1184	attrib.exe
596	attrib.exe

C:\Users\Admin\AppData\Local\Temp\803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
"C:\Users\Admin\AppData\Local\Temp\803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe"
1⤵
- Modifies firewall policy service
- Modifies security service
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe" +s +h
3⤵
- Views/modifies file attributes
PID:1184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Views/modifies file attributes
PID:596

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

Disabling Security Tools

2

T1089

Hidden Files and Directories

2

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/596-60-0x0000000000000000-mapping.dmp

Download
memory/972-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1184-58-0x0000000000000000-mapping.dmp

Download
memory/1680-55-0x0000000000000000-mapping.dmp

Download
memory/2016-57-0x0000000000000000-mapping.dmp

Download
memory/2020-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads