darkcomet | efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6

Analysis

max time kernel
150s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Size

756KB
MD5

61109a5154ff42d0ea13218c8a445db5
SHA1

e183e30af4bcbaa83a06d1e6b8edf3feb5e04524
SHA256

efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6
SHA512

c416de5946b86dc0988192e378db4ed635a98bda479d1d00214b5e814b5b58be843de40afe97b48d2b2ea62f182fc20d4a71ccb065f48db05b675b1c49c9570c
SSDEEP

12288:v9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hmKlKebJ4:ZZ1xuVVjfFoynPaVBUR8f+kN10EB4hv

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeSecurityPrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeTakeOwnershipPrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeLoadDriverPrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeSystemProfilePrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeSystemtimePrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeProfSingleProcessPrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeIncBasePriorityPrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeCreatePagefilePrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeBackupPrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeRestorePrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeShutdownPrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeDebugPrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeSystemEnvironmentPrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeChangeNotifyPrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeRemoteShutdownPrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeUndockPrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeManageVolumePrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeImpersonatePrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: SeCreateGlobalPrivilege	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: 33	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: 34	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
Token: 35	2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2032	efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe

C:\Users\Admin\AppData\Local\Temp\efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe
"C:\Users\Admin\AppData\Local\Temp\efa5d268afc29d36341f62507ed86aa830452b329d75cb0f70d55c55165c06f6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download