darkcomet | 951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5

General

Target

951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Size

648KB
MD5

abd8f98710e4a0179af227737b436a00
SHA1

2ca93c9a48b398b36b95c30ae5f4d80fbf0d806b
SHA256

951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5
SHA512

e0a5fc969cd94d6da2b1fe26eb0951bd782696ac2d9f567d550a811653d972bfaa689b35ac7548fa1a1b6d0e919815f21a61ffa1d7f3dfdaf565ec5bd38e80f6
SSDEEP

12288:w6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfh8:VAmBpVKHu0Mu9Xo20VGLVP58

Score

10^/10

darkcomet evasion rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
5040	attrib.exe
988	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeSecurityPrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeTakeOwnershipPrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeLoadDriverPrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeSystemProfilePrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeSystemtimePrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeProfSingleProcessPrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeIncBasePriorityPrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeCreatePagefilePrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeBackupPrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeRestorePrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeShutdownPrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeDebugPrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeSystemEnvironmentPrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeChangeNotifyPrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeRemoteShutdownPrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeUndockPrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeManageVolumePrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeImpersonatePrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: SeCreateGlobalPrivilege	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: 33	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: 34	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: 35	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
Token: 36	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4596	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe	81
PID 4588 wrote to memory of 4596	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe	81
PID 4588 wrote to memory of 4596	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe	81
PID 4588 wrote to memory of 1560	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe	82
PID 4588 wrote to memory of 1560	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe	82
PID 4588 wrote to memory of 1560	4588	951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe	82
PID 4596 wrote to memory of 5040	4596	cmd.exe	86
PID 4596 wrote to memory of 5040	4596	cmd.exe	86
PID 4596 wrote to memory of 5040	4596	cmd.exe	86
PID 1560 wrote to memory of 988	1560	cmd.exe	85
PID 1560 wrote to memory of 988	1560	cmd.exe	85
PID 1560 wrote to memory of 988	1560	cmd.exe	85

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
988	attrib.exe
5040	attrib.exe

C:\Users\Admin\AppData\Local\Temp\951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe
"C:\Users\Admin\AppData\Local\Temp\951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe"
1⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp\951397418f92de4eac59fd9ee658aa84a355d8664b515e5b739e0fcb9a8790e5.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:988