darkcomet | d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Size

658KB
MD5

64597e4e804cb1e9316931ec4d7749c0
SHA1

2435b3976f16baef4e40f10f3a22c1d709016c06
SHA256

d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a
SHA512

da2b73fef275415ac4d10577b61106e18fbf4810ed5e41902c0cc1e9bb989f2fd256f0ba0d2f1a4cadc537298763d101a2d73891103e1e4b5fce14df028ceaca
SSDEEP

12288:q9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hN:mZ1xuVVjfFoynPaVBUR8f+kN10EBD

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeSecurityPrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeTakeOwnershipPrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeLoadDriverPrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeSystemProfilePrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeSystemtimePrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeProfSingleProcessPrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeIncBasePriorityPrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeCreatePagefilePrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeBackupPrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeRestorePrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeShutdownPrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeDebugPrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeSystemEnvironmentPrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeChangeNotifyPrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeRemoteShutdownPrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeUndockPrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeManageVolumePrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeImpersonatePrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: SeCreateGlobalPrivilege	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: 33	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: 34	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
Token: 35	1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe

pid process

1016 d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe

pid	process
1016	d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe

C:\Users\Admin\AppData\Local\Temp\d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe
"C:\Users\Admin\AppData\Local\Temp\d7007466cf5f00ddd00d8eef8147bedd4372b83066f38213c9428bb96b06001a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download