darkcomet | f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662

General

Target

f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Size

689KB
MD5

9e25e98bed41833e4e27afd395dff950
SHA1

cadf77649528213974c44cfd5986b00258f8675d
SHA256

f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662
SHA512

7183a0861e543c991b60fd8dc8d2d697d5dca99f86ee5db1230f3f4f8f240c9a6cf52cb6a5d5d2928825c40ffe144100b40112003f61c77af49f61e634f1068c

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeSecurityPrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeTakeOwnershipPrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeLoadDriverPrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeSystemProfilePrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeSystemtimePrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeProfSingleProcessPrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeIncBasePriorityPrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeCreatePagefilePrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeBackupPrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeRestorePrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeShutdownPrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeDebugPrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeSystemEnvironmentPrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeChangeNotifyPrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeRemoteShutdownPrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeUndockPrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeManageVolumePrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeImpersonatePrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: SeCreateGlobalPrivilege	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: 33	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: 34	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: 35	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
Token: 36	4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe

pid process

4608 f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe

pid	process
4608	f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe

C:\Users\Admin\AppData\Local\Temp\f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe
"C:\Users\Admin\AppData\Local\Temp\f7e8ffdaadf7b099fe4a98a522d11948a6fab2081292dbd570ed055f558f0662.exe"
1⤵
- Modifies firewall policy service
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads