darkcomet | 43cb66688bfb750b12dbc3fe205e36f35c1bc4aaf863b6a93af0f71b241e659f

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31/12/2024, 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43cb66688bfb750b12dbc3fe205e36f35c1bc4aaf863b6a93af0f71b241e659fN.exe
Size

729KB
MD5

6f2fcf21ba49874ed0681d510d5152d0
SHA1

3dea609de221de549e093017609f09968a8a5413
SHA256

43cb66688bfb750b12dbc3fe205e36f35c1bc4aaf863b6a93af0f71b241e659f
SHA512

2710bae37f5f290dd931555b680731af2ce440402f590f9fd4d8e2bca716798a43645d0cc75b7882f19cda96cf6ffab589b5eb28f2ba0bb5af304802c7a13326
SSDEEP

12288:uLU768X1JnK+62pn/XTBeB5vpAPN5DFY+4zSsva0beWTr+YzZNQPUFhpd4oSYxlh:z68PK+BNg9GY+4pbaYNNQIpdZSgh

Score

10^/10

darkcomet discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 1 IoCs

pid	Process
2728	Crypted.exe

Loads dropped DLL 2 IoCs

pid	Process
2716	43cb66688bfb750b12dbc3fe205e36f35c1bc4aaf863b6a93af0f71b241e659fN.exe
2716	43cb66688bfb750b12dbc3fe205e36f35c1bc4aaf863b6a93af0f71b241e659fN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43cb66688bfb750b12dbc3fe205e36f35c1bc4aaf863b6a93af0f71b241e659fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2728	Crypted.exe
Token: SeSecurityPrivilege	2728	Crypted.exe
Token: SeTakeOwnershipPrivilege	2728	Crypted.exe
Token: SeLoadDriverPrivilege	2728	Crypted.exe
Token: SeSystemProfilePrivilege	2728	Crypted.exe
Token: SeSystemtimePrivilege	2728	Crypted.exe
Token: SeProfSingleProcessPrivilege	2728	Crypted.exe
Token: SeIncBasePriorityPrivilege	2728	Crypted.exe
Token: SeCreatePagefilePrivilege	2728	Crypted.exe
Token: SeBackupPrivilege	2728	Crypted.exe
Token: SeRestorePrivilege	2728	Crypted.exe
Token: SeShutdownPrivilege	2728	Crypted.exe
Token: SeDebugPrivilege	2728	Crypted.exe
Token: SeSystemEnvironmentPrivilege	2728	Crypted.exe
Token: SeChangeNotifyPrivilege	2728	Crypted.exe
Token: SeRemoteShutdownPrivilege	2728	Crypted.exe
Token: SeUndockPrivilege	2728	Crypted.exe
Token: SeManageVolumePrivilege	2728	Crypted.exe
Token: SeImpersonatePrivilege	2728	Crypted.exe
Token: SeCreateGlobalPrivilege	2728	Crypted.exe
Token: 33	2728	Crypted.exe
Token: 34	2728	Crypted.exe
Token: 35	2728	Crypted.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2728	2716	43cb66688bfb750b12dbc3fe205e36f35c1bc4aaf863b6a93af0f71b241e659fN.exe	30
PID 2716 wrote to memory of 2728	2716	43cb66688bfb750b12dbc3fe205e36f35c1bc4aaf863b6a93af0f71b241e659fN.exe	30
PID 2716 wrote to memory of 2728	2716	43cb66688bfb750b12dbc3fe205e36f35c1bc4aaf863b6a93af0f71b241e659fN.exe	30
PID 2716 wrote to memory of 2728	2716	43cb66688bfb750b12dbc3fe205e36f35c1bc4aaf863b6a93af0f71b241e659fN.exe	30

C:\Users\Admin\AppData\Local\Temp\43cb66688bfb750b12dbc3fe205e36f35c1bc4aaf863b6a93af0f71b241e659fN.exe
"C:\Users\Admin\AppData\Local\Temp\43cb66688bfb750b12dbc3fe205e36f35c1bc4aaf863b6a93af0f71b241e659fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
707KB

MD5
1f61b9b8977809cab81778f41dd13d82

SHA1
9b8f94791ed4d4d5afa6d634f8d333345c0c7b71

SHA256
ca117f8ce78ddd1391c8481c1a936b8a375b0f402161915aa02dce0361084536

SHA512
24e504c44cef1f66d8417169349b00c0357cc477ac4a90ade189ae890a4d9968ca75918830b3c5a4c09d16374070f26fd87293ed4e52f57cca649819635445f9

Download Submit
memory/2716-0-0x0000000073EDE000-0x0000000073EDF000-memory.dmp

Filesize
4KB

Download
memory/2716-1-0x0000000000050000-0x000000000005E000-memory.dmp

Filesize
56KB

Download
memory/2716-2-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/2716-14-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/2728-12-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2728-15-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2728-21-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download