darkcomet | 71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab

General

Target

71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Size

283KB
MD5

3472394d7b6a9cd6cf986a4694f3c6d1
SHA1

5be0323a82712a26fe3da33ff0f5f480448680b1
SHA256

71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab
SHA512

9a43d8535241640e09c5ff0caf197f8e4c09da3622579e268ee9713eb562c0e7ca37bd82973701f84c4a525811b4858eb5912608384447bc9a3baf76070c5673
SSDEEP

6144:scNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37YbZl:scW7KEZlPzCy37YbZl

Score

10^/10

darkcomet tiger evasion rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

tiger

C2

tigersass.bounceme.net:4444

Mutex

DC_MUTEX-3ST2RQM

Attributes

gencode
Hs53iBWxmLGZ
install
false
offline_keylogger
false
password
eaheah
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4112-132-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
behavioral2/memory/4112-133-0x0000000000400000-0x00000000004C7000-memory.dmp	upx

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeSecurityPrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeTakeOwnershipPrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeLoadDriverPrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeSystemProfilePrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeSystemtimePrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeProfSingleProcessPrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeIncBasePriorityPrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeCreatePagefilePrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeBackupPrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeRestorePrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeShutdownPrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeDebugPrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeSystemEnvironmentPrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeChangeNotifyPrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeRemoteShutdownPrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeUndockPrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeManageVolumePrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeImpersonatePrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: SeCreateGlobalPrivilege	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: 33	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: 34	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: 35	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
Token: 36	4112	71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe

C:\Users\Admin\AppData\Local\Temp\71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe
"C:\Users\Admin\AppData\Local\Temp\71722d401fcb508b66d3f4ec970aa425d04c969b221e4b52c7b820cfcf7f22ab.exe"
1⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:4112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4112-132-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/4112-133-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads