darkcomet | 8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e

General

Target

8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e.exe
Size

762KB
MD5

0ed9af9dee28109f70002a762566413f
SHA1

11b7c7c44006636a779cca150443841145d0db23
SHA256

8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e
SHA512

1ea7e142a7c46c3335711d1e06d471d82fda6a22bbf73ec87b27f9e86ab130ecbbe8130f09deb66bb33df95ca82f0a20e05849b20730491403ff46976777301b
SSDEEP

12288:30jpc+Bl7sGIE196M/txC14ZLBsQJaBSY0bHqm2a0YkJJx+w2HOa90lHhQyZfnYa:4pJBNsEjlz84VBs8+X0bqyN6x+w2Hl94

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 2 IoCs

Processes:

Windowswinlogon.exeWindowswinlogon.exe

pid process

4812 Windowswinlogon.exe
4876 Windowswinlogon.exe

pid	process
4812	Windowswinlogon.exe
4876	Windowswinlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windowswinlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windowswinlogon.exe"	Windowswinlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windowswinlogon.exe"	Windowswinlogon.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Windowswinlogon.exe

description pid process target process

PID 4812 set thread context of 4876 4812 Windowswinlogon.exe Windowswinlogon.exe
Runs net.exe

description	pid	process	target process
PID 4812 set thread context of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e.exeWindowswinlogon.exe

pid	process
4896	8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e.exe
4896	8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e.exe
4812	Windowswinlogon.exe
4812	Windowswinlogon.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

Windowswinlogon.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4876	Windowswinlogon.exe
Token: SeSecurityPrivilege	4876	Windowswinlogon.exe
Token: SeTakeOwnershipPrivilege	4876	Windowswinlogon.exe
Token: SeLoadDriverPrivilege	4876	Windowswinlogon.exe
Token: SeSystemProfilePrivilege	4876	Windowswinlogon.exe
Token: SeSystemtimePrivilege	4876	Windowswinlogon.exe
Token: SeProfSingleProcessPrivilege	4876	Windowswinlogon.exe
Token: SeIncBasePriorityPrivilege	4876	Windowswinlogon.exe
Token: SeCreatePagefilePrivilege	4876	Windowswinlogon.exe
Token: SeBackupPrivilege	4876	Windowswinlogon.exe
Token: SeRestorePrivilege	4876	Windowswinlogon.exe
Token: SeShutdownPrivilege	4876	Windowswinlogon.exe
Token: SeDebugPrivilege	4876	Windowswinlogon.exe
Token: SeSystemEnvironmentPrivilege	4876	Windowswinlogon.exe
Token: SeChangeNotifyPrivilege	4876	Windowswinlogon.exe
Token: SeRemoteShutdownPrivilege	4876	Windowswinlogon.exe
Token: SeUndockPrivilege	4876	Windowswinlogon.exe
Token: SeManageVolumePrivilege	4876	Windowswinlogon.exe
Token: SeImpersonatePrivilege	4876	Windowswinlogon.exe
Token: SeCreateGlobalPrivilege	4876	Windowswinlogon.exe
Token: 33	4876	Windowswinlogon.exe
Token: 34	4876	Windowswinlogon.exe
Token: 35	4876	Windowswinlogon.exe
Token: 36	4876	Windowswinlogon.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e.exeWindowswinlogon.execmd.exenet.exe

description	pid	process	target process
PID 4896 wrote to memory of 4812	4896	8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e.exe	Windowswinlogon.exe
PID 4896 wrote to memory of 4812	4896	8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e.exe	Windowswinlogon.exe
PID 4896 wrote to memory of 4812	4896	8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e.exe	Windowswinlogon.exe
PID 4812 wrote to memory of 4864	4812	Windowswinlogon.exe	cmd.exe
PID 4812 wrote to memory of 4864	4812	Windowswinlogon.exe	cmd.exe
PID 4812 wrote to memory of 4864	4812	Windowswinlogon.exe	cmd.exe
PID 4812 wrote to memory of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe
PID 4812 wrote to memory of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe
PID 4812 wrote to memory of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe
PID 4812 wrote to memory of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe
PID 4812 wrote to memory of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe
PID 4812 wrote to memory of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe
PID 4812 wrote to memory of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe
PID 4812 wrote to memory of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe
PID 4812 wrote to memory of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe
PID 4812 wrote to memory of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe
PID 4812 wrote to memory of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe
PID 4812 wrote to memory of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe
PID 4812 wrote to memory of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe
PID 4812 wrote to memory of 4876	4812	Windowswinlogon.exe	Windowswinlogon.exe
PID 4864 wrote to memory of 4644	4864	cmd.exe	net.exe
PID 4864 wrote to memory of 4644	4864	cmd.exe	net.exe
PID 4864 wrote to memory of 4644	4864	cmd.exe	net.exe
PID 4644 wrote to memory of 848	4644	net.exe	net1.exe
PID 4644 wrote to memory of 848	4644	net.exe	net1.exe
PID 4644 wrote to memory of 848	4644	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e.exe
"C:\Users\Admin\AppData\Local\Temp\8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windowswinlogon.exe
C:\Windowswinlogon.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
4⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
5⤵
PID:848

C:\Windowswinlogon.exe
C:\Windowswinlogon.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windowswinlogon.exe
Filesize
762KB

MD5
0ed9af9dee28109f70002a762566413f

SHA1
11b7c7c44006636a779cca150443841145d0db23

SHA256
8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e

SHA512
1ea7e142a7c46c3335711d1e06d471d82fda6a22bbf73ec87b27f9e86ab130ecbbe8130f09deb66bb33df95ca82f0a20e05849b20730491403ff46976777301b

Download Submit
C:\Windowswinlogon.exe
Filesize
762KB

MD5
0ed9af9dee28109f70002a762566413f

SHA1
11b7c7c44006636a779cca150443841145d0db23

SHA256
8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e

SHA512
1ea7e142a7c46c3335711d1e06d471d82fda6a22bbf73ec87b27f9e86ab130ecbbe8130f09deb66bb33df95ca82f0a20e05849b20730491403ff46976777301b

Download Submit
C:\Windowswinlogon.exe
Filesize
762KB

MD5
0ed9af9dee28109f70002a762566413f

SHA1
11b7c7c44006636a779cca150443841145d0db23

SHA256
8e45651905f70f9ba0bf329c8eb38c1c6c167694e3c8fd2a32f97c7933a4632e

SHA512
1ea7e142a7c46c3335711d1e06d471d82fda6a22bbf73ec87b27f9e86ab130ecbbe8130f09deb66bb33df95ca82f0a20e05849b20730491403ff46976777301b

Download Submit
memory/848-143-0x0000000000000000-mapping.dmp

Download
memory/4644-142-0x0000000000000000-mapping.dmp

Download
memory/4812-132-0x0000000000000000-mapping.dmp

Download
memory/4864-136-0x0000000000000000-mapping.dmp

Download
memory/4876-141-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4876-140-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4876-138-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4876-137-0x0000000000000000-mapping.dmp

Download
memory/4876-144-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4876-145-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/4896-134-0x0000000000550000-0x0000000000556000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads