darkcomet | 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8

Analysis

max time kernel
153s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Size

1.5MB
MD5

255d824058f18f2d9dac2dda2214e08a
SHA1

95ebcbae50218bc8ca8d472a5b1b7f23d7a0c061
SHA256

1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8
SHA512

65451253c32711991f742a045c4158d3219ed473a1b9120eeae888f6caa59ad108fe2133a3e95f8b98d224d119c905bed26073f29a10cf125bb73677de23a0d5
SSDEEP

24576:mZ1xuVVjfFoynPaVBUR8f+kN10EBiKzn1AAHEvtcwOwnvzuEG9WlE:2QDgok309qA3c5VFkW

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeSecurityPrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeTakeOwnershipPrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeLoadDriverPrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeSystemProfilePrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeSystemtimePrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeProfSingleProcessPrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeIncBasePriorityPrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeCreatePagefilePrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeBackupPrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeRestorePrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeShutdownPrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeDebugPrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeSystemEnvironmentPrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeChangeNotifyPrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeRemoteShutdownPrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeUndockPrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeManageVolumePrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeImpersonatePrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: SeCreateGlobalPrivilege	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: 33	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: 34	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: 35	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
Token: 36	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe

pid process

4880 1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe

pid	process
4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe

description	pid	process	target process
PID 4880 wrote to memory of 4812	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe	iexplore.exe
PID 4880 wrote to memory of 4812	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe	iexplore.exe
PID 4880 wrote to memory of 4812	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe	iexplore.exe
PID 4880 wrote to memory of 1932	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe	explorer.exe
PID 4880 wrote to memory of 1932	4880	1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe
"C:\Users\Admin\AppData\Local\Temp\1f1d35c7afb5178b9e98b71c433108743ba6d9d7f9aecf647c4b9130ea084ab8.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4880

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:4812

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1932-132-0x0000000000000000-mapping.dmp

Download