darkcomet | 951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5

General

Target

951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Size

648KB
MD5

abd8f98710e4a0179af227737b436a00
SHA1

2ca93c9a48b398b36b95c30ae5f4d80fbf0d806b
SHA256

951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5
SHA512

e0a5fc969cd94d6da2b1fe26eb0951bd782696ac2d9f567d550a811653d972bfaa689b35ac7548fa1a1b6d0e919815f21a61ffa1d7f3dfdaf565ec5bd38e80f6
SSDEEP

12288:w6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfh8:VAmBpVKHu0Mu9Xo20VGLVP58

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1496	attrib.exe
1276	attrib.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeSecurityPrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeTakeOwnershipPrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeLoadDriverPrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeSystemProfilePrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeSystemtimePrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeProfSingleProcessPrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeIncBasePriorityPrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeCreatePagefilePrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeBackupPrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeRestorePrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeShutdownPrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeDebugPrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeSystemEnvironmentPrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeChangeNotifyPrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeRemoteShutdownPrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeUndockPrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeManageVolumePrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeImpersonatePrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeCreateGlobalPrivilege	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: 33	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: 34	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: 35	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 556	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe	28
PID 1736 wrote to memory of 556	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe	28
PID 1736 wrote to memory of 556	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe	28
PID 1736 wrote to memory of 556	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe	28
PID 1736 wrote to memory of 468	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe	30
PID 1736 wrote to memory of 468	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe	30
PID 1736 wrote to memory of 468	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe	30
PID 1736 wrote to memory of 468	1736	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe	30
PID 556 wrote to memory of 1496	556	cmd.exe	32
PID 556 wrote to memory of 1496	556	cmd.exe	32
PID 556 wrote to memory of 1496	556	cmd.exe	32
PID 556 wrote to memory of 1496	556	cmd.exe	32
PID 468 wrote to memory of 1276	468	cmd.exe	33
PID 468 wrote to memory of 1276	468	cmd.exe	33
PID 468 wrote to memory of 1276	468	cmd.exe	33
PID 468 wrote to memory of 1276	468	cmd.exe	33

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1276	attrib.exe
1496	attrib.exe

C:\Users\Admin\AppData\Local\Temp\951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
"C:\Users\Admin\AppData\Local\Temp\951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe"
1⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1276