darkcomet | c85bec54289c64d6243a6c7ac3aa7f735eaa271f84c6db356ac28158abd83dbc

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
15/11/2023, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Size

233KB
MD5

dee9b31ec2aaf7af82361103beafb080
SHA1

65233d419e73a1fab7fdd6f532eb81306d277389
SHA256

c85bec54289c64d6243a6c7ac3aa7f735eaa271f84c6db356ac28158abd83dbc
SHA512

b8b637b208b6e168bcd6098ba376766a9a203aa86e09cce6ba4e0379b8dbf30f72495938131ac170b1c080bdc1955d0ede0c15d7ae1a98676c8e425db39cb21a
SSDEEP

6144:tcy5z5EHYRj8GOfXx0V6Kf1dIBsvAOaZsN:tbKHYRAGO/8rYU

Score

10^/10

darkcomet rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
928	schtasks.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeAssignPrimaryTokenPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeLockMemoryPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeIncreaseQuotaPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: 0	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeMachineAccountPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeTcbPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeSecurityPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeTakeOwnershipPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeLoadDriverPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeSystemProfilePrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeSystemtimePrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeProfSingleProcessPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeIncBasePriorityPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeCreatePagefilePrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeCreatePermanentPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeBackupPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeRestorePrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeShutdownPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeDebugPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeAuditPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeSystemEnvironmentPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeChangeNotifyPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeRemoteShutdownPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeUndockPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeSyncAgentPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeEnableDelegationPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeManageVolumePrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeImpersonatePrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe
Token: SeCreateGlobalPrivilege	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 928	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe	93
PID 3032 wrote to memory of 928	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe	93
PID 3032 wrote to memory of 928	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe	93
PID 3032 wrote to memory of 4168	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe	94
PID 3032 wrote to memory of 4168	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe	94
PID 3032 wrote to memory of 4168	3032	NEAS.dee9b31ec2aaf7af82361103beafb080.exe	94

C:\Users\Admin\AppData\Local\Temp\NEAS.dee9b31ec2aaf7af82361103beafb080.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.dee9b31ec2aaf7af82361103beafb080.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn "MyTask" /tr "C:\Users\Admin\AppData\Local\NEAS.dee9b31ec2aaf7af82361103beafb080.exe" /sc daily /st 12:00
  2⤵
  - Creates scheduled task(s)
  PID:928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads