darkcomet | 3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Size

691KB
MD5

a0225368087bee96ce530d10cc9dc300
SHA1

89438fe4a2c079ec4fe5e0ca439d3dcec6926c55
SHA256

3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58
SHA512

2ea3c7ae1c20bff1b65736ccc8574333222bf2303fc27c9ad9b794e729361372daa0fa6e182ab0c255118b74b2dabe567f51659db9649ceeccb417029a2ef6e4
SSDEEP

12288:QXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Uq:2nAw2WWeFcfbP9VPSPMTSPL/rWvzq4J6

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeSecurityPrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeTakeOwnershipPrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeLoadDriverPrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeSystemProfilePrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeSystemtimePrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeProfSingleProcessPrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeIncBasePriorityPrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeCreatePagefilePrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeBackupPrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeRestorePrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeShutdownPrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeDebugPrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeSystemEnvironmentPrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeChangeNotifyPrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeRemoteShutdownPrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeUndockPrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeManageVolumePrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeImpersonatePrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: SeCreateGlobalPrivilege	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: 33	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: 34	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: 35	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
Token: 36	1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe

pid process

1388 3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe

pid	process
1388	3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe

C:\Users\Admin\AppData\Local\Temp\3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe
"C:\Users\Admin\AppData\Local\Temp\3d91747df27fa6094fc3ee6f93d115288aa6a5d3414fdc970e9669624d796d58.exe"
1⤵
- Windows security bypass
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads