darkcomet | 48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a

General

Target

48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Size

658KB
MD5

4cfcea18e8c42ce1f55d0765535efe94
SHA1

674fac67b3783038d72de824a69d09c02f3be146
SHA256

48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a
SHA512

a69ff2bb8509084ba03d0c82ceaedb31f54fa830d258d4568567c6f3403911084a5cc74d8389cfb77987d299e4b45a1288b175feb825b6536257deacfe650b00
SSDEEP

12288:y9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hd:eZ1xuVVjfFoynPaVBUR8f+kN10EBj

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

Disables Task Manager via registry modification
evasion
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4812 attrib.exe
4824 attrib.exe

pid	process
4812	attrib.exe
4824	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

pid process

4460 48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

pid	process
4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeSecurityPrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeTakeOwnershipPrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeLoadDriverPrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeSystemProfilePrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeSystemtimePrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeProfSingleProcessPrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeIncBasePriorityPrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeCreatePagefilePrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeBackupPrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeRestorePrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeShutdownPrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeDebugPrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeSystemEnvironmentPrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeChangeNotifyPrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeRemoteShutdownPrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeUndockPrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeManageVolumePrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeImpersonatePrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: SeCreateGlobalPrivilege	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: 33	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: 34	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: 35	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
Token: 36	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

pid process

4460 48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

pid	process
4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.execmd.execmd.exe

description	pid	process	target process
PID 4460 wrote to memory of 3484	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	cmd.exe
PID 4460 wrote to memory of 3484	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	cmd.exe
PID 4460 wrote to memory of 3484	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	cmd.exe
PID 4460 wrote to memory of 1428	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	cmd.exe
PID 4460 wrote to memory of 1428	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	cmd.exe
PID 4460 wrote to memory of 1428	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	cmd.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 4460 wrote to memory of 4068	4460	48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe	notepad.exe
PID 3484 wrote to memory of 4812	3484	cmd.exe	attrib.exe
PID 3484 wrote to memory of 4812	3484	cmd.exe	attrib.exe
PID 3484 wrote to memory of 4812	3484	cmd.exe	attrib.exe
PID 1428 wrote to memory of 4824	1428	cmd.exe	attrib.exe
PID 1428 wrote to memory of 4824	1428	cmd.exe	attrib.exe
PID 1428 wrote to memory of 4824	1428	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4824 attrib.exe
4812 attrib.exe

pid	process
4824	attrib.exe
4812	attrib.exe

C:\Users\Admin\AppData\Local\Temp\48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe
"C:\Users\Admin\AppData\Local\Temp\48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe"
1⤵
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\48c0f1768c382a1036e36cc8cf198dd66568eebe737acb1a7ef9072e6f02c89a.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1428