darkcomet | c4d5d80855f58c7c2b71f8f9306f2f86056eb998344995101a5f8eb8a0153487

General

Target

c4d5d80855f58c7c2b71f8f9306f2f86056eb998344995101a5f8eb8a0153487.exe
Size

762KB
MD5

29b9f87ea8c3424be1ea834d1a5cf246
SHA1

a94efb9b90389bff5e53f1d7dfa1a1552a1f4297
SHA256

c4d5d80855f58c7c2b71f8f9306f2f86056eb998344995101a5f8eb8a0153487
SHA512

919aa7c9141207d186e28990abada53d54cee024f63ddcaed205529799863ea1aabe7bb54b5f415618b1d65b6feeb1ba1db812389f880396bcf7853ef769fcc9
SSDEEP

12288:30jpc+Bl7sGIE196M/txC14ZLBsQJaBSY0bHqm2a0YkJJx+w2HOa90lHhQyZfnYZ:4pJBNsEjlz84VBs8+X0bqyN6x+w2Hl9P

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 2 IoCs

pid	Process
3192	Windowswinlogon.exe
3116	Windowswinlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windowswinlogon.exe"	Windowswinlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windowswinlogon.exe"	Windowswinlogon.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3192 set thread context of 3116	3192	Windowswinlogon.exe	86

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1852	c4d5d80855f58c7c2b71f8f9306f2f86056eb998344995101a5f8eb8a0153487.exe
1852	c4d5d80855f58c7c2b71f8f9306f2f86056eb998344995101a5f8eb8a0153487.exe
3192	Windowswinlogon.exe
3192	Windowswinlogon.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3116	Windowswinlogon.exe
Token: SeSecurityPrivilege	3116	Windowswinlogon.exe
Token: SeTakeOwnershipPrivilege	3116	Windowswinlogon.exe
Token: SeLoadDriverPrivilege	3116	Windowswinlogon.exe
Token: SeSystemProfilePrivilege	3116	Windowswinlogon.exe
Token: SeSystemtimePrivilege	3116	Windowswinlogon.exe
Token: SeProfSingleProcessPrivilege	3116	Windowswinlogon.exe
Token: SeIncBasePriorityPrivilege	3116	Windowswinlogon.exe
Token: SeCreatePagefilePrivilege	3116	Windowswinlogon.exe
Token: SeBackupPrivilege	3116	Windowswinlogon.exe
Token: SeRestorePrivilege	3116	Windowswinlogon.exe
Token: SeShutdownPrivilege	3116	Windowswinlogon.exe
Token: SeDebugPrivilege	3116	Windowswinlogon.exe
Token: SeSystemEnvironmentPrivilege	3116	Windowswinlogon.exe
Token: SeChangeNotifyPrivilege	3116	Windowswinlogon.exe
Token: SeRemoteShutdownPrivilege	3116	Windowswinlogon.exe
Token: SeUndockPrivilege	3116	Windowswinlogon.exe
Token: SeManageVolumePrivilege	3116	Windowswinlogon.exe
Token: SeImpersonatePrivilege	3116	Windowswinlogon.exe
Token: SeCreateGlobalPrivilege	3116	Windowswinlogon.exe
Token: 33	3116	Windowswinlogon.exe
Token: 34	3116	Windowswinlogon.exe
Token: 35	3116	Windowswinlogon.exe
Token: 36	3116	Windowswinlogon.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 3192	1852	c4d5d80855f58c7c2b71f8f9306f2f86056eb998344995101a5f8eb8a0153487.exe	84
PID 1852 wrote to memory of 3192	1852	c4d5d80855f58c7c2b71f8f9306f2f86056eb998344995101a5f8eb8a0153487.exe	84
PID 1852 wrote to memory of 3192	1852	c4d5d80855f58c7c2b71f8f9306f2f86056eb998344995101a5f8eb8a0153487.exe	84
PID 3192 wrote to memory of 4496	3192	Windowswinlogon.exe	85
PID 3192 wrote to memory of 4496	3192	Windowswinlogon.exe	85
PID 3192 wrote to memory of 4496	3192	Windowswinlogon.exe	85
PID 3192 wrote to memory of 3116	3192	Windowswinlogon.exe	86
PID 3192 wrote to memory of 3116	3192	Windowswinlogon.exe	86
PID 3192 wrote to memory of 3116	3192	Windowswinlogon.exe	86
PID 3192 wrote to memory of 3116	3192	Windowswinlogon.exe	86
PID 3192 wrote to memory of 3116	3192	Windowswinlogon.exe	86
PID 3192 wrote to memory of 3116	3192	Windowswinlogon.exe	86
PID 3192 wrote to memory of 3116	3192	Windowswinlogon.exe	86
PID 3192 wrote to memory of 3116	3192	Windowswinlogon.exe	86
PID 3192 wrote to memory of 3116	3192	Windowswinlogon.exe	86
PID 3192 wrote to memory of 3116	3192	Windowswinlogon.exe	86
PID 3192 wrote to memory of 3116	3192	Windowswinlogon.exe	86
PID 3192 wrote to memory of 3116	3192	Windowswinlogon.exe	86
PID 3192 wrote to memory of 3116	3192	Windowswinlogon.exe	86
PID 3192 wrote to memory of 3116	3192	Windowswinlogon.exe	86
PID 4496 wrote to memory of 1496	4496	cmd.exe	88
PID 4496 wrote to memory of 1496	4496	cmd.exe	88
PID 4496 wrote to memory of 1496	4496	cmd.exe	88
PID 1496 wrote to memory of 4376	1496	net.exe	91
PID 1496 wrote to memory of 4376	1496	net.exe	91
PID 1496 wrote to memory of 4376	1496	net.exe	91

C:\Users\Admin\AppData\Local\Temp\c4d5d80855f58c7c2b71f8f9306f2f86056eb998344995101a5f8eb8a0153487.exe
"C:\Users\Admin\AppData\Local\Temp\c4d5d80855f58c7c2b71f8f9306f2f86056eb998344995101a5f8eb8a0153487.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windowswinlogon.exe
  C:\Windowswinlogon.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    /c net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\SysWOW64\net.exe
      net stop MpsSvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1496
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MpsSvc
        5⤵
        
        PID:4376
- - C:\Windowswinlogon.exe
    C:\Windowswinlogon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windowswinlogon.exe

Filesize
762KB

MD5
29b9f87ea8c3424be1ea834d1a5cf246

SHA1
a94efb9b90389bff5e53f1d7dfa1a1552a1f4297

SHA256
c4d5d80855f58c7c2b71f8f9306f2f86056eb998344995101a5f8eb8a0153487

SHA512
919aa7c9141207d186e28990abada53d54cee024f63ddcaed205529799863ea1aabe7bb54b5f415618b1d65b6feeb1ba1db812389f880396bcf7853ef769fcc9

Download Submit
C:\Windowswinlogon.exe

Filesize
762KB

MD5
29b9f87ea8c3424be1ea834d1a5cf246

SHA1
a94efb9b90389bff5e53f1d7dfa1a1552a1f4297

SHA256
c4d5d80855f58c7c2b71f8f9306f2f86056eb998344995101a5f8eb8a0153487

SHA512
919aa7c9141207d186e28990abada53d54cee024f63ddcaed205529799863ea1aabe7bb54b5f415618b1d65b6feeb1ba1db812389f880396bcf7853ef769fcc9

Download Submit
C:\Windowswinlogon.exe

Filesize
762KB

MD5
29b9f87ea8c3424be1ea834d1a5cf246

SHA1
a94efb9b90389bff5e53f1d7dfa1a1552a1f4297

SHA256
c4d5d80855f58c7c2b71f8f9306f2f86056eb998344995101a5f8eb8a0153487

SHA512
919aa7c9141207d186e28990abada53d54cee024f63ddcaed205529799863ea1aabe7bb54b5f415618b1d65b6feeb1ba1db812389f880396bcf7853ef769fcc9

Download Submit
memory/1852-133-0x0000000000630000-0x0000000000636000-memory.dmp

Filesize
24KB

Download
memory/3116-139-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3116-141-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3116-142-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3116-145-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3116-146-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download

Analysis

Sharing