darkcomet | 6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311

General

Target

6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Size

382KB
MD5

1ebf9166d9b0e6bc0415f665f7fcd626
SHA1

dd172a3834de7cf3af5d19500559996d3b0ace49
SHA256

6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311
SHA512

86daa80e18ff3d7a3785f6f89f97c2c664ca32ac4f4a373a3bd311f7cb4b1f0c7ce4312590756cea3db998881a6a78b3147f1ecb78a5cb02bb9836a67380f433
SSDEEP

6144:8lb6SDOiIN4o2cOMayarS0IjX7n6wXmzbBFXm6d/p:80Siiu2cOMayaZerXXmhFXmyh

Score

10^/10

darkcomet evasion rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1940 attrib.exe

pid	process
1940	attrib.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4772-132-0x0000000000400000-0x00000000004F9000-memory.dmp	upx
behavioral2/memory/4772-134-0x0000000000400000-0x00000000004F9000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe

description	pid	process	target process
PID 4772 set thread context of 2380	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeSecurityPrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeTakeOwnershipPrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeLoadDriverPrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeSystemProfilePrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeSystemtimePrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeProfSingleProcessPrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeIncBasePriorityPrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeCreatePagefilePrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeBackupPrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeRestorePrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeShutdownPrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeDebugPrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeSystemEnvironmentPrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeChangeNotifyPrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeRemoteShutdownPrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeUndockPrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeManageVolumePrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeImpersonatePrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeCreateGlobalPrivilege	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: 33	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: 34	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: 35	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: 36	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
Token: SeIncreaseQuotaPrivilege	2380	iexplore.exe
Token: SeSecurityPrivilege	2380	iexplore.exe
Token: SeTakeOwnershipPrivilege	2380	iexplore.exe
Token: SeLoadDriverPrivilege	2380	iexplore.exe
Token: SeSystemProfilePrivilege	2380	iexplore.exe
Token: SeSystemtimePrivilege	2380	iexplore.exe
Token: SeProfSingleProcessPrivilege	2380	iexplore.exe
Token: SeIncBasePriorityPrivilege	2380	iexplore.exe
Token: SeCreatePagefilePrivilege	2380	iexplore.exe
Token: SeBackupPrivilege	2380	iexplore.exe
Token: SeRestorePrivilege	2380	iexplore.exe
Token: SeShutdownPrivilege	2380	iexplore.exe
Token: SeDebugPrivilege	2380	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2380	iexplore.exe
Token: SeChangeNotifyPrivilege	2380	iexplore.exe
Token: SeRemoteShutdownPrivilege	2380	iexplore.exe
Token: SeUndockPrivilege	2380	iexplore.exe
Token: SeManageVolumePrivilege	2380	iexplore.exe
Token: SeImpersonatePrivilege	2380	iexplore.exe
Token: SeCreateGlobalPrivilege	2380	iexplore.exe
Token: 33	2380	iexplore.exe
Token: 34	2380	iexplore.exe
Token: 35	2380	iexplore.exe
Token: 36	2380	iexplore.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.execmd.exe

description	pid	process	target process
PID 4772 wrote to memory of 2024	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe	cmd.exe
PID 4772 wrote to memory of 2024	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe	cmd.exe
PID 4772 wrote to memory of 2024	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe	cmd.exe
PID 4772 wrote to memory of 2380	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe	iexplore.exe
PID 4772 wrote to memory of 2380	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe	iexplore.exe
PID 4772 wrote to memory of 2380	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe	iexplore.exe
PID 4772 wrote to memory of 2380	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe	iexplore.exe
PID 4772 wrote to memory of 2380	4772	6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe	iexplore.exe
PID 2024 wrote to memory of 1940	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1940	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1940	2024	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1940 attrib.exe

pid	process
1940	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe
"C:\Users\Admin\AppData\Local\Temp\6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\6167b0aec21cfb29c5848b6ad076163d5f587a8b46699cf6fcba3ead014d3311.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1940

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
119B

MD5
be05b49f5290e39bea8f5845c8954d2d

SHA1
9e10a04d4520b40ecbd4a6baced3637588835215

SHA256
bddde9bec40e0032ebf4a886a3edf64e35209a88b0f1ab30f080e373aef6630e

SHA512
e4fcb83393feeb90ea24c30902874002d9de286b3ad1bb8537dbab20a88d1e800cb81a671890b32a834c49e1bf31fb0cc49654ffca7be9061070a8f63e704b71

Download Submit
memory/1940-136-0x0000000000000000-mapping.dmp

Download
memory/2024-133-0x0000000000000000-mapping.dmp

Download
memory/4772-132-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4772-134-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads