darkcomet | 58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2

General

Target

58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Size

756KB
MD5

29576b605f9b997bbb7bb7290dc63a8b
SHA1

a4ece5227c704039ac4556d8b2d5832404239f93
SHA256

58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2
SHA512

c6d246ca7126a4cd6e828ba6b283c446530d513f8be5ef546fba4e13061e39dad2dfc40c408129999af23960f3a6de3250caac56920f8499d2fcd711e7272b96

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

iexplore.exe58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	iexplore.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exeiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iexplore.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3956 attrib.exe
492 attrib.exe

pid	process
3956	attrib.exe
492	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe

description	pid	process	target process
PID 4828 set thread context of 3460	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeSecurityPrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeTakeOwnershipPrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeLoadDriverPrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeSystemProfilePrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeSystemtimePrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeProfSingleProcessPrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeIncBasePriorityPrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeCreatePagefilePrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeBackupPrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeRestorePrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeShutdownPrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeDebugPrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeSystemEnvironmentPrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeChangeNotifyPrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeRemoteShutdownPrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeUndockPrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeManageVolumePrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeImpersonatePrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeCreateGlobalPrivilege	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: 33	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: 34	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: 35	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: 36	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
Token: SeIncreaseQuotaPrivilege	3460	iexplore.exe
Token: SeSecurityPrivilege	3460	iexplore.exe
Token: SeTakeOwnershipPrivilege	3460	iexplore.exe
Token: SeLoadDriverPrivilege	3460	iexplore.exe
Token: SeSystemProfilePrivilege	3460	iexplore.exe
Token: SeSystemtimePrivilege	3460	iexplore.exe
Token: SeProfSingleProcessPrivilege	3460	iexplore.exe
Token: SeIncBasePriorityPrivilege	3460	iexplore.exe
Token: SeCreatePagefilePrivilege	3460	iexplore.exe
Token: SeBackupPrivilege	3460	iexplore.exe
Token: SeRestorePrivilege	3460	iexplore.exe
Token: SeShutdownPrivilege	3460	iexplore.exe
Token: SeDebugPrivilege	3460	iexplore.exe
Token: SeSystemEnvironmentPrivilege	3460	iexplore.exe
Token: SeChangeNotifyPrivilege	3460	iexplore.exe
Token: SeRemoteShutdownPrivilege	3460	iexplore.exe
Token: SeUndockPrivilege	3460	iexplore.exe
Token: SeManageVolumePrivilege	3460	iexplore.exe
Token: SeImpersonatePrivilege	3460	iexplore.exe
Token: SeCreateGlobalPrivilege	3460	iexplore.exe
Token: 33	3460	iexplore.exe
Token: 34	3460	iexplore.exe
Token: 35	3460	iexplore.exe
Token: 36	3460	iexplore.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.execmd.execmd.exe

description	pid	process	target process
PID 4828 wrote to memory of 5020	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe	cmd.exe
PID 4828 wrote to memory of 5020	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe	cmd.exe
PID 4828 wrote to memory of 5020	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe	cmd.exe
PID 4828 wrote to memory of 3964	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe	cmd.exe
PID 4828 wrote to memory of 3964	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe	cmd.exe
PID 4828 wrote to memory of 3964	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe	cmd.exe
PID 4828 wrote to memory of 3460	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe	iexplore.exe
PID 4828 wrote to memory of 3460	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe	iexplore.exe
PID 4828 wrote to memory of 3460	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe	iexplore.exe
PID 4828 wrote to memory of 3460	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe	iexplore.exe
PID 4828 wrote to memory of 3460	4828	58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe	iexplore.exe
PID 5020 wrote to memory of 3956	5020	cmd.exe	attrib.exe
PID 5020 wrote to memory of 3956	5020	cmd.exe	attrib.exe
PID 5020 wrote to memory of 3956	5020	cmd.exe	attrib.exe
PID 3964 wrote to memory of 492	3964	cmd.exe	attrib.exe
PID 3964 wrote to memory of 492	3964	cmd.exe	attrib.exe
PID 3964 wrote to memory of 492	3964	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3956 attrib.exe
492 attrib.exe

pid	process
3956	attrib.exe
492	attrib.exe

C:\Users\Admin\AppData\Local\Temp\58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe
"C:\Users\Admin\AppData\Local\Temp\58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe"
1⤵
- Windows security bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\58bc9b0c5e16f64103d96cf3dab84488d9e44de1f17619163665bc30bf388df2.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:492

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
- Windows security bypass
- Disables RegEdit via registry modification
- Suspicious use of AdjustPrivilegeToken
PID:3460