darkcomet | 24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Size

743KB
MD5

938c2d1fc83e69a6fb33fbfd5dca3ea1
SHA1

82c6740dfbe5e05595ad659b6fb8efd36f46e480
SHA256

24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e
SHA512

ab2a49fd2459ab3598693d4c004e9d3194db636689da4f83ae9edaf78a16a5957bed516f98e0cc2123e9d2a04dac91608a07a0c071af2b93711a386646370523
SSDEEP

12288:p8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORix:iUKoN0bUxgGa/pfBHDb+y1HgZ

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	iexplore.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5080 set thread context of 2100	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe	81

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeSecurityPrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeTakeOwnershipPrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeLoadDriverPrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeSystemProfilePrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeSystemtimePrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeProfSingleProcessPrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeIncBasePriorityPrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeCreatePagefilePrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeBackupPrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeRestorePrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeShutdownPrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeDebugPrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeSystemEnvironmentPrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeChangeNotifyPrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeRemoteShutdownPrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeUndockPrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeManageVolumePrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeImpersonatePrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeCreateGlobalPrivilege	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: 33	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: 34	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: 35	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: 36	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
Token: SeIncreaseQuotaPrivilege	2100	iexplore.exe
Token: SeSecurityPrivilege	2100	iexplore.exe
Token: SeTakeOwnershipPrivilege	2100	iexplore.exe
Token: SeLoadDriverPrivilege	2100	iexplore.exe
Token: SeSystemProfilePrivilege	2100	iexplore.exe
Token: SeSystemtimePrivilege	2100	iexplore.exe
Token: SeProfSingleProcessPrivilege	2100	iexplore.exe
Token: SeIncBasePriorityPrivilege	2100	iexplore.exe
Token: SeCreatePagefilePrivilege	2100	iexplore.exe
Token: SeBackupPrivilege	2100	iexplore.exe
Token: SeRestorePrivilege	2100	iexplore.exe
Token: SeShutdownPrivilege	2100	iexplore.exe
Token: SeDebugPrivilege	2100	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2100	iexplore.exe
Token: SeChangeNotifyPrivilege	2100	iexplore.exe
Token: SeRemoteShutdownPrivilege	2100	iexplore.exe
Token: SeUndockPrivilege	2100	iexplore.exe
Token: SeManageVolumePrivilege	2100	iexplore.exe
Token: SeImpersonatePrivilege	2100	iexplore.exe
Token: SeCreateGlobalPrivilege	2100	iexplore.exe
Token: 33	2100	iexplore.exe
Token: 34	2100	iexplore.exe
Token: 35	2100	iexplore.exe
Token: 36	2100	iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2100	iexplore.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 2100	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe	81
PID 5080 wrote to memory of 2100	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe	81
PID 5080 wrote to memory of 2100	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe	81
PID 5080 wrote to memory of 2100	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe	81
PID 5080 wrote to memory of 2100	5080	24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe	81

C:\Users\Admin\AppData\Local\Temp\24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe
"C:\Users\Admin\AppData\Local\Temp\24a221f7354fc10d013a80ec9bfccac9722d03b64f0bfdab06f20abab2ec301e.exe"
1⤵
- Windows security bypass
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - Windows security bypass
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads