darkcomet | 359ec665305e1f1613b28f58743906f62239c46a394df6b2c3843e9aa5b90571

General

Target

359ec665305e1f1613b28f58743906f62239c46a394df6b2c3843e9aa5b90571.exe
Size

762KB
MD5

5609b2223a6180c5633cefae5c4d41c5
SHA1

00fc2f3eeff89da65239830ac94cc711209766ab
SHA256

359ec665305e1f1613b28f58743906f62239c46a394df6b2c3843e9aa5b90571
SHA512

868e130f179e9c0f8e0e5972d79a088ed3291ea166f685cd70d85f8390feca422bce8d2197acb2bdbf9983c6dece3031b1790dc7bcc7a5b527ee615449535451
SSDEEP

12288:30jpc+Bl7sGIE196M/txC14ZLBsQJaBSY0bHqm2a0YkJJx+w2HOa90lHhQyZfnYq:4pJBNsEjlz84VBs8+X0bqyN6x+w2Hl9g

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 2 IoCs

pid	Process
1476	Windowswinlogon.exe
2012	Windowswinlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windowswinlogon.exe"	Windowswinlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windowswinlogon.exe"	Windowswinlogon.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 2012	1476	Windowswinlogon.exe	85

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4884	359ec665305e1f1613b28f58743906f62239c46a394df6b2c3843e9aa5b90571.exe
4884	359ec665305e1f1613b28f58743906f62239c46a394df6b2c3843e9aa5b90571.exe
1476	Windowswinlogon.exe
1476	Windowswinlogon.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2012	Windowswinlogon.exe
Token: SeSecurityPrivilege	2012	Windowswinlogon.exe
Token: SeTakeOwnershipPrivilege	2012	Windowswinlogon.exe
Token: SeLoadDriverPrivilege	2012	Windowswinlogon.exe
Token: SeSystemProfilePrivilege	2012	Windowswinlogon.exe
Token: SeSystemtimePrivilege	2012	Windowswinlogon.exe
Token: SeProfSingleProcessPrivilege	2012	Windowswinlogon.exe
Token: SeIncBasePriorityPrivilege	2012	Windowswinlogon.exe
Token: SeCreatePagefilePrivilege	2012	Windowswinlogon.exe
Token: SeBackupPrivilege	2012	Windowswinlogon.exe
Token: SeRestorePrivilege	2012	Windowswinlogon.exe
Token: SeShutdownPrivilege	2012	Windowswinlogon.exe
Token: SeDebugPrivilege	2012	Windowswinlogon.exe
Token: SeSystemEnvironmentPrivilege	2012	Windowswinlogon.exe
Token: SeChangeNotifyPrivilege	2012	Windowswinlogon.exe
Token: SeRemoteShutdownPrivilege	2012	Windowswinlogon.exe
Token: SeUndockPrivilege	2012	Windowswinlogon.exe
Token: SeManageVolumePrivilege	2012	Windowswinlogon.exe
Token: SeImpersonatePrivilege	2012	Windowswinlogon.exe
Token: SeCreateGlobalPrivilege	2012	Windowswinlogon.exe
Token: 33	2012	Windowswinlogon.exe
Token: 34	2012	Windowswinlogon.exe
Token: 35	2012	Windowswinlogon.exe
Token: 36	2012	Windowswinlogon.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 1476	4884	359ec665305e1f1613b28f58743906f62239c46a394df6b2c3843e9aa5b90571.exe	83
PID 4884 wrote to memory of 1476	4884	359ec665305e1f1613b28f58743906f62239c46a394df6b2c3843e9aa5b90571.exe	83
PID 4884 wrote to memory of 1476	4884	359ec665305e1f1613b28f58743906f62239c46a394df6b2c3843e9aa5b90571.exe	83
PID 1476 wrote to memory of 392	1476	Windowswinlogon.exe	84
PID 1476 wrote to memory of 392	1476	Windowswinlogon.exe	84
PID 1476 wrote to memory of 392	1476	Windowswinlogon.exe	84
PID 1476 wrote to memory of 2012	1476	Windowswinlogon.exe	85
PID 1476 wrote to memory of 2012	1476	Windowswinlogon.exe	85
PID 1476 wrote to memory of 2012	1476	Windowswinlogon.exe	85
PID 1476 wrote to memory of 2012	1476	Windowswinlogon.exe	85
PID 1476 wrote to memory of 2012	1476	Windowswinlogon.exe	85
PID 1476 wrote to memory of 2012	1476	Windowswinlogon.exe	85
PID 1476 wrote to memory of 2012	1476	Windowswinlogon.exe	85
PID 1476 wrote to memory of 2012	1476	Windowswinlogon.exe	85
PID 1476 wrote to memory of 2012	1476	Windowswinlogon.exe	85
PID 1476 wrote to memory of 2012	1476	Windowswinlogon.exe	85
PID 1476 wrote to memory of 2012	1476	Windowswinlogon.exe	85
PID 1476 wrote to memory of 2012	1476	Windowswinlogon.exe	85
PID 1476 wrote to memory of 2012	1476	Windowswinlogon.exe	85
PID 1476 wrote to memory of 2012	1476	Windowswinlogon.exe	85
PID 392 wrote to memory of 4028	392	cmd.exe	87
PID 392 wrote to memory of 4028	392	cmd.exe	87
PID 392 wrote to memory of 4028	392	cmd.exe	87
PID 4028 wrote to memory of 5020	4028	net.exe	88
PID 4028 wrote to memory of 5020	4028	net.exe	88
PID 4028 wrote to memory of 5020	4028	net.exe	88

C:\Users\Admin\AppData\Local\Temp\359ec665305e1f1613b28f58743906f62239c46a394df6b2c3843e9aa5b90571.exe
"C:\Users\Admin\AppData\Local\Temp\359ec665305e1f1613b28f58743906f62239c46a394df6b2c3843e9aa5b90571.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windowswinlogon.exe
  C:\Windowswinlogon.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    /c net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4028
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        
        PID:5020
- - C:\Windowswinlogon.exe
    C:\Windowswinlogon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windowswinlogon.exe

Filesize
762KB

MD5
5609b2223a6180c5633cefae5c4d41c5

SHA1
00fc2f3eeff89da65239830ac94cc711209766ab

SHA256
359ec665305e1f1613b28f58743906f62239c46a394df6b2c3843e9aa5b90571

SHA512
868e130f179e9c0f8e0e5972d79a088ed3291ea166f685cd70d85f8390feca422bce8d2197acb2bdbf9983c6dece3031b1790dc7bcc7a5b527ee615449535451

Download Submit
C:\Windowswinlogon.exe

Filesize
762KB

MD5
5609b2223a6180c5633cefae5c4d41c5

SHA1
00fc2f3eeff89da65239830ac94cc711209766ab

SHA256
359ec665305e1f1613b28f58743906f62239c46a394df6b2c3843e9aa5b90571

SHA512
868e130f179e9c0f8e0e5972d79a088ed3291ea166f685cd70d85f8390feca422bce8d2197acb2bdbf9983c6dece3031b1790dc7bcc7a5b527ee615449535451

Download Submit
C:\Windowswinlogon.exe

Filesize
762KB

MD5
5609b2223a6180c5633cefae5c4d41c5

SHA1
00fc2f3eeff89da65239830ac94cc711209766ab

SHA256
359ec665305e1f1613b28f58743906f62239c46a394df6b2c3843e9aa5b90571

SHA512
868e130f179e9c0f8e0e5972d79a088ed3291ea166f685cd70d85f8390feca422bce8d2197acb2bdbf9983c6dece3031b1790dc7bcc7a5b527ee615449535451

Download Submit
memory/2012-141-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2012-138-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2012-140-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2012-143-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2012-145-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4884-135-0x0000000000670000-0x0000000000676000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing