darkcomet | 803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba

General

Target

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Size

658KB
MD5

c9f2633623802b25ef05ed1f0368c6f7
SHA1

3408dbb4ae9b08f527c25fdcfe3719b45bde95f9
SHA256

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba
SHA512

86df127aa8c5ed2f6f1ad1766d8f5f49eec73bd6c8a9898750b260321392b7e7f4ac0d8b81748ab4d308276d8e1fa31bc303d99d750056668fd4b5059880fbd3

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Disables RegEdit via registry modification
evasion
Disables Task Manager via registry modification
evasion
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

pid process

1568 803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

pid	process
1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeSecurityPrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeTakeOwnershipPrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeLoadDriverPrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeSystemProfilePrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeSystemtimePrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeProfSingleProcessPrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeIncBasePriorityPrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeCreatePagefilePrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeBackupPrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeRestorePrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeShutdownPrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeDebugPrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeSystemEnvironmentPrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeChangeNotifyPrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeRemoteShutdownPrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeUndockPrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeManageVolumePrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeImpersonatePrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: SeCreateGlobalPrivilege	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: 33	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: 34	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: 35	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Token: 36	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.execmd.execmd.exe

description	pid	process	target process
PID 1568 wrote to memory of 2608	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	cmd.exe
PID 1568 wrote to memory of 2608	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	cmd.exe
PID 1568 wrote to memory of 2608	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	cmd.exe
PID 1568 wrote to memory of 1788	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	cmd.exe
PID 1568 wrote to memory of 1788	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	cmd.exe
PID 1568 wrote to memory of 1788	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	cmd.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 1568 wrote to memory of 4432	1568	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe	notepad.exe
PID 2608 wrote to memory of 2884	2608	cmd.exe	attrib.exe
PID 2608 wrote to memory of 2884	2608	cmd.exe	attrib.exe
PID 2608 wrote to memory of 2884	2608	cmd.exe	attrib.exe
PID 1788 wrote to memory of 5076	1788	cmd.exe	attrib.exe
PID 1788 wrote to memory of 5076	1788	cmd.exe	attrib.exe
PID 1788 wrote to memory of 5076	1788	cmd.exe	attrib.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2884 attrib.exe
5076 attrib.exe

pid	process
2884	attrib.exe
5076	attrib.exe

C:\Users\Admin\AppData\Local\Temp\803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe
"C:\Users\Admin\AppData\Local\Temp\803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe"
1⤵
- Modifies firewall policy service
- Modifies security service
- Checks computer location settings
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\803ba3d37287521035a8bdd6ebfe42f211aa98fdbec5b5e25af7748f786313ba.exe" +s +h
3⤵
- Views/modifies file attributes
PID:2884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1788