darkcomet | 9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a

General

Target

9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Size

658KB
MD5

a5695f82fa2ac0bf31ea53da35f48ff7
SHA1

347edf2679ad426c1ff9bb68fb984b79c067e171
SHA256

9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a
SHA512

5ebe14d6b70f24b6fd383df22ce1472a0b11db3805203004146808c16ac765884f0d5d36747f7de5aaccf7be74fd0a69bd6a28feb50875af9800c50cf15a90f6

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeSecurityPrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeTakeOwnershipPrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeLoadDriverPrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeSystemProfilePrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeSystemtimePrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeProfSingleProcessPrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeIncBasePriorityPrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeCreatePagefilePrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeBackupPrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeRestorePrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeShutdownPrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeDebugPrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeSystemEnvironmentPrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeChangeNotifyPrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeRemoteShutdownPrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeUndockPrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeManageVolumePrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeImpersonatePrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: SeCreateGlobalPrivilege	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: 33	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: 34	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: 35	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
Token: 36	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe

pid process

2496 9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe

pid	process
2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe

description	pid	process	target process
PID 2496 wrote to memory of 4236	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe	iexplore.exe
PID 2496 wrote to memory of 4236	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe	iexplore.exe
PID 2496 wrote to memory of 4236	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe	iexplore.exe
PID 2496 wrote to memory of 4028	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe	explorer.exe
PID 2496 wrote to memory of 4028	2496	9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe
"C:\Users\Admin\AppData\Local\Temp\9bc517bad059d0d52ca121e3d612f2283ee06a36f08f125f28f5f840c5365e9a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:4236

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:4028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4028-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing