darkcomet | 89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c

General

Target

89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Size

416KB
MD5

9539e0727dd07c8c9ac33b199c23771e
SHA1

b3d6376f44c8463ea7e24b84587c0d88de73f70a
SHA256

89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c
SHA512

c902098a4b7dd5b584351edabf685aef0df81d5b27a02d20ea6d20f6e87712903349f3803b5682b948ffc9fbad13f3ee2eb59f5125efc4f01ee1742babf36c89
SSDEEP

12288:ENktTWDAyUNh/lMQo1cr/Ihi2TOsfKJcZLTsEJqPKe:dAO/ML10IhiCOsKJcZLgnPKe

Score

10^/10

darkcomet evasion rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	explorer.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2008-56-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral1/memory/2008-58-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral1/memory/2008-61-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral1/memory/2008-62-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral1/memory/2008-63-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral1/memory/2008-71-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral1/memory/636-83-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral1/memory/636-84-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral1/memory/636-85-0x0000000013140000-0x00000000131FB000-memory.dmp	upx
behavioral1/memory/636-86-0x0000000013140000-0x00000000131FB000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exeexplorer.exe

description	pid	process	target process
PID 960 set thread context of 2008	960	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
PID 2008 set thread context of 904	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	explorer.exe
PID 904 set thread context of 636	904	explorer.exe	explorer.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exeexplorer.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeSecurityPrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeTakeOwnershipPrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeLoadDriverPrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeSystemProfilePrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeSystemtimePrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeProfSingleProcessPrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeIncBasePriorityPrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeCreatePagefilePrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeBackupPrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeRestorePrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeShutdownPrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeDebugPrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeSystemEnvironmentPrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeChangeNotifyPrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeRemoteShutdownPrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeUndockPrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeManageVolumePrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeImpersonatePrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeCreateGlobalPrivilege	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: 33	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: 34	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: 35	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
Token: SeIncreaseQuotaPrivilege	636	explorer.exe
Token: SeSecurityPrivilege	636	explorer.exe
Token: SeTakeOwnershipPrivilege	636	explorer.exe
Token: SeLoadDriverPrivilege	636	explorer.exe
Token: SeSystemProfilePrivilege	636	explorer.exe
Token: SeSystemtimePrivilege	636	explorer.exe
Token: SeProfSingleProcessPrivilege	636	explorer.exe
Token: SeIncBasePriorityPrivilege	636	explorer.exe
Token: SeCreatePagefilePrivilege	636	explorer.exe
Token: SeBackupPrivilege	636	explorer.exe
Token: SeRestorePrivilege	636	explorer.exe
Token: SeShutdownPrivilege	636	explorer.exe
Token: SeDebugPrivilege	636	explorer.exe
Token: SeSystemEnvironmentPrivilege	636	explorer.exe
Token: SeChangeNotifyPrivilege	636	explorer.exe
Token: SeRemoteShutdownPrivilege	636	explorer.exe
Token: SeUndockPrivilege	636	explorer.exe
Token: SeManageVolumePrivilege	636	explorer.exe
Token: SeImpersonatePrivilege	636	explorer.exe
Token: SeCreateGlobalPrivilege	636	explorer.exe
Token: 33	636	explorer.exe
Token: 34	636	explorer.exe
Token: 35	636	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exeexplorer.exeexplorer.exe

pid process

960 89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
904 explorer.exe
636 explorer.exe

pid	process
960	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
904	explorer.exe
636	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exeexplorer.exe

description	pid	process	target process
PID 960 wrote to memory of 2008	960	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
PID 960 wrote to memory of 2008	960	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
PID 960 wrote to memory of 2008	960	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
PID 960 wrote to memory of 2008	960	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
PID 960 wrote to memory of 2008	960	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
PID 960 wrote to memory of 2008	960	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
PID 960 wrote to memory of 2008	960	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
PID 960 wrote to memory of 2008	960	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
PID 960 wrote to memory of 2008	960	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
PID 2008 wrote to memory of 904	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	explorer.exe
PID 2008 wrote to memory of 904	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	explorer.exe
PID 2008 wrote to memory of 904	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	explorer.exe
PID 2008 wrote to memory of 904	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	explorer.exe
PID 2008 wrote to memory of 904	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	explorer.exe
PID 2008 wrote to memory of 904	2008	89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe	explorer.exe
PID 904 wrote to memory of 636	904	explorer.exe	explorer.exe
PID 904 wrote to memory of 636	904	explorer.exe	explorer.exe
PID 904 wrote to memory of 636	904	explorer.exe	explorer.exe
PID 904 wrote to memory of 636	904	explorer.exe	explorer.exe
PID 904 wrote to memory of 636	904	explorer.exe	explorer.exe
PID 904 wrote to memory of 636	904	explorer.exe	explorer.exe
PID 904 wrote to memory of 636	904	explorer.exe	explorer.exe
PID 904 wrote to memory of 636	904	explorer.exe	explorer.exe
PID 904 wrote to memory of 636	904	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
"C:\Users\Admin\AppData\Local\Temp\89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe
"C:\Users\Admin\AppData\Local\Temp\89cdf7c759ac447bde00fccbd576398f8e81805e91ac960d9c8186043e01319c.exe"
2⤵
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Windows security modification
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
4⤵
- Windows security bypass
- Disables RegEdit via registry modification
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-78-0x00000000131F9040-mapping.dmp

Download
memory/636-86-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/636-85-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/636-84-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/636-83-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/904-74-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/904-73-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/904-82-0x0000000000401000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/904-80-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/904-65-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/904-68-0x000000000050C008-mapping.dmp

Download
memory/904-70-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/904-72-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/960-60-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/2008-71-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/2008-62-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/2008-56-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/2008-64-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/2008-61-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/2008-63-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/2008-59-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/2008-58-0x0000000013140000-0x00000000131FB000-memory.dmp

Filesize
748KB

Download
memory/2008-57-0x00000000131F9040-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads