darkcomet | 38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b

General

Target

38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Size

283KB
MD5

a621055f753ae69983b149c494e24929
SHA1

c84337eb41ff9f6f9c2a999292db7e3066a379e3
SHA256

38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b
SHA512

5d1be5fb16549c3b120c6c7a20e3086c764ee9bdf4faad0d22875057193bcb1aded84147b32e00e8df95fcf3e2c0e8e2948a1bfaaef0aef4408f38172d400de8

Score

10^/10

darkcomet evasion rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

Drops file in Drivers directory 1 IoCs

Processes:

38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

904 attrib.exe
1512 attrib.exe

pid	process
904	attrib.exe
1512	attrib.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1976-130-0x0000000000400000-0x00000000004C7000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

pid process

1976 38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

pid	process
1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeSecurityPrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeTakeOwnershipPrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeLoadDriverPrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeSystemProfilePrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeSystemtimePrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeProfSingleProcessPrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeIncBasePriorityPrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeCreatePagefilePrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeBackupPrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeRestorePrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeShutdownPrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeDebugPrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeSystemEnvironmentPrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeChangeNotifyPrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeRemoteShutdownPrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeUndockPrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeManageVolumePrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeImpersonatePrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: SeCreateGlobalPrivilege	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: 33	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: 34	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: 35	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Token: 36	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

pid process

1976 38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

pid	process
1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.execmd.execmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 2676	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	cmd.exe
PID 1976 wrote to memory of 2676	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	cmd.exe
PID 1976 wrote to memory of 2676	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	cmd.exe
PID 1976 wrote to memory of 3596	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	cmd.exe
PID 1976 wrote to memory of 3596	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	cmd.exe
PID 1976 wrote to memory of 3596	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	cmd.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 1976 wrote to memory of 2392	1976	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe	notepad.exe
PID 3596 wrote to memory of 1512	3596	cmd.exe	attrib.exe
PID 3596 wrote to memory of 1512	3596	cmd.exe	attrib.exe
PID 3596 wrote to memory of 1512	3596	cmd.exe	attrib.exe
PID 2676 wrote to memory of 904	2676	cmd.exe	attrib.exe
PID 2676 wrote to memory of 904	2676	cmd.exe	attrib.exe
PID 2676 wrote to memory of 904	2676	cmd.exe	attrib.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1512 attrib.exe
904 attrib.exe

pid	process
1512	attrib.exe
904	attrib.exe

C:\Users\Admin\AppData\Local\Temp\38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe
"C:\Users\Admin\AppData\Local\Temp\38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe"
1⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Checks computer location settings
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\38fe7ad463b1d9b9ac351df7e7669c31ec0a456aa941c3207c7cf5c0a6e3ad8b.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1512

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
PID:2392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

Disabling Security Tools

2

T1089

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-135-0x0000000000000000-mapping.dmp

Download
memory/1512-134-0x0000000000000000-mapping.dmp

Download
memory/1976-130-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2392-133-0x0000000000000000-mapping.dmp

Download
memory/2676-131-0x0000000000000000-mapping.dmp

Download
memory/3596-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads