darkcomet | 24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e

Analysis

max time kernel
151s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Size

743KB
MD5

938c2d1fc83e69a6fb33fbfd5dca3ea1
SHA1

82c6740dfbe5e05595ad659b6fb8efd36f46e480
SHA256

24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e
SHA512

ab2a49fd2459ab3598693d4c004e9d3194db636689da4f83ae9edaf78a16a5957bed516f98e0cc2123e9d2a04dac91608a07a0c071af2b93711a386646370523
SSDEEP

12288:p8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORix:iUKoN0bUxgGa/pfBHDb+y1HgZ

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	iexplore.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1388 set thread context of 1472	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe	26

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeSecurityPrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeTakeOwnershipPrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeLoadDriverPrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeSystemProfilePrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeSystemtimePrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeProfSingleProcessPrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeIncBasePriorityPrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeCreatePagefilePrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeBackupPrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeRestorePrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeShutdownPrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeDebugPrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeSystemEnvironmentPrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeChangeNotifyPrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeRemoteShutdownPrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeUndockPrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeManageVolumePrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeImpersonatePrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeCreateGlobalPrivilege	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: 33	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: 34	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: 35	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeIncreaseQuotaPrivilege	1472	iexplore.exe
Token: SeSecurityPrivilege	1472	iexplore.exe
Token: SeTakeOwnershipPrivilege	1472	iexplore.exe
Token: SeLoadDriverPrivilege	1472	iexplore.exe
Token: SeSystemProfilePrivilege	1472	iexplore.exe
Token: SeSystemtimePrivilege	1472	iexplore.exe
Token: SeProfSingleProcessPrivilege	1472	iexplore.exe
Token: SeIncBasePriorityPrivilege	1472	iexplore.exe
Token: SeCreatePagefilePrivilege	1472	iexplore.exe
Token: SeBackupPrivilege	1472	iexplore.exe
Token: SeRestorePrivilege	1472	iexplore.exe
Token: SeShutdownPrivilege	1472	iexplore.exe
Token: SeDebugPrivilege	1472	iexplore.exe
Token: SeSystemEnvironmentPrivilege	1472	iexplore.exe
Token: SeChangeNotifyPrivilege	1472	iexplore.exe
Token: SeRemoteShutdownPrivilege	1472	iexplore.exe
Token: SeUndockPrivilege	1472	iexplore.exe
Token: SeManageVolumePrivilege	1472	iexplore.exe
Token: SeImpersonatePrivilege	1472	iexplore.exe
Token: SeCreateGlobalPrivilege	1472	iexplore.exe
Token: 33	1472	iexplore.exe
Token: 34	1472	iexplore.exe
Token: 35	1472	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1472	iexplore.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1472	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe	26
PID 1388 wrote to memory of 1472	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe	26
PID 1388 wrote to memory of 1472	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe	26
PID 1388 wrote to memory of 1472	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe	26
PID 1388 wrote to memory of 1472	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe	26
PID 1388 wrote to memory of 1472	1388	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe	26

C:\Users\Admin\AppData\Local\Temp\24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
"C:\Users\Admin\AppData\Local\Temp\24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe"
1⤵
- Windows security bypass
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Windows security bypass
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads