darkcomet | 81d4ae23ba6fda401f23dcd6fe0e5ab0d074cabc55da653c21443df29efed2c1

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/02/2025, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81d4ae23ba6fda401f23dcd6fe0e5ab0d074cabc55da653c21443df29efed2c1.exe
Size

304KB
MD5

90e6a2469d871d04bee95fca6c9e9c55
SHA1

a2defc9af6b677b5940362f7f496ac54eedc58e9
SHA256

81d4ae23ba6fda401f23dcd6fe0e5ab0d074cabc55da653c21443df29efed2c1
SHA512

922b7dee8e9f574a82cc0e96c6dd141315e0a9b32f9ce677bc2e4860c2c8296617d3ab6c79010a35fb42564ebeb1bafb0f04c1a6e6dc4826cb51221a21e57005
SSDEEP

6144:XsBlY9Z0moB/jMIzk+AUygl+faCEmV34FIYxboEbo:zLAQ+A3gpmNYxboMo

Score

10^/10

darkcomet defense_evasion discovery rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Windows security bypass 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2808	explorer.exe

Windows security modification 2 TTPs 1 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2808 set thread context of 2900	2808	explorer.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1740	81d4ae23ba6fda401f23dcd6fe0e5ab0d074cabc55da653c21443df29efed2c1.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	81d4ae23ba6fda401f23dcd6fe0e5ab0d074cabc55da653c21443df29efed2c1.exe
Token: SeIncreaseQuotaPrivilege	2808	explorer.exe
Token: SeSecurityPrivilege	2808	explorer.exe
Token: SeTakeOwnershipPrivilege	2808	explorer.exe
Token: SeLoadDriverPrivilege	2808	explorer.exe
Token: SeSystemProfilePrivilege	2808	explorer.exe
Token: SeSystemtimePrivilege	2808	explorer.exe
Token: SeProfSingleProcessPrivilege	2808	explorer.exe
Token: SeIncBasePriorityPrivilege	2808	explorer.exe
Token: SeCreatePagefilePrivilege	2808	explorer.exe
Token: SeBackupPrivilege	2808	explorer.exe
Token: SeRestorePrivilege	2808	explorer.exe
Token: SeShutdownPrivilege	2808	explorer.exe
Token: SeDebugPrivilege	2808	explorer.exe
Token: SeSystemEnvironmentPrivilege	2808	explorer.exe
Token: SeChangeNotifyPrivilege	2808	explorer.exe
Token: SeRemoteShutdownPrivilege	2808	explorer.exe
Token: SeUndockPrivilege	2808	explorer.exe
Token: SeManageVolumePrivilege	2808	explorer.exe
Token: SeImpersonatePrivilege	2808	explorer.exe
Token: SeCreateGlobalPrivilege	2808	explorer.exe
Token: 33	2808	explorer.exe
Token: 34	2808	explorer.exe
Token: 35	2808	explorer.exe
Token: SeIncreaseQuotaPrivilege	2900	explorer.exe
Token: SeSecurityPrivilege	2900	explorer.exe
Token: SeTakeOwnershipPrivilege	2900	explorer.exe
Token: SeLoadDriverPrivilege	2900	explorer.exe
Token: SeSystemProfilePrivilege	2900	explorer.exe
Token: SeSystemtimePrivilege	2900	explorer.exe
Token: SeProfSingleProcessPrivilege	2900	explorer.exe
Token: SeIncBasePriorityPrivilege	2900	explorer.exe
Token: SeCreatePagefilePrivilege	2900	explorer.exe
Token: SeBackupPrivilege	2900	explorer.exe
Token: SeRestorePrivilege	2900	explorer.exe
Token: SeShutdownPrivilege	2900	explorer.exe
Token: SeDebugPrivilege	2900	explorer.exe
Token: SeSystemEnvironmentPrivilege	2900	explorer.exe
Token: SeChangeNotifyPrivilege	2900	explorer.exe
Token: SeRemoteShutdownPrivilege	2900	explorer.exe
Token: SeUndockPrivilege	2900	explorer.exe
Token: SeManageVolumePrivilege	2900	explorer.exe
Token: SeImpersonatePrivilege	2900	explorer.exe
Token: SeCreateGlobalPrivilege	2900	explorer.exe
Token: 33	2900	explorer.exe
Token: 34	2900	explorer.exe
Token: 35	2900	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2900	explorer.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2808	1740	81d4ae23ba6fda401f23dcd6fe0e5ab0d074cabc55da653c21443df29efed2c1.exe	31
PID 1740 wrote to memory of 2808	1740	81d4ae23ba6fda401f23dcd6fe0e5ab0d074cabc55da653c21443df29efed2c1.exe	31
PID 1740 wrote to memory of 2808	1740	81d4ae23ba6fda401f23dcd6fe0e5ab0d074cabc55da653c21443df29efed2c1.exe	31
PID 1740 wrote to memory of 2808	1740	81d4ae23ba6fda401f23dcd6fe0e5ab0d074cabc55da653c21443df29efed2c1.exe	31
PID 2808 wrote to memory of 2900	2808	explorer.exe	32
PID 2808 wrote to memory of 2900	2808	explorer.exe	32
PID 2808 wrote to memory of 2900	2808	explorer.exe	32
PID 2808 wrote to memory of 2900	2808	explorer.exe	32
PID 2808 wrote to memory of 2900	2808	explorer.exe	32
PID 2808 wrote to memory of 2900	2808	explorer.exe	32

C:\Users\Admin\AppData\Local\Temp\81d4ae23ba6fda401f23dcd6fe0e5ab0d074cabc55da653c21443df29efed2c1.exe
"C:\Users\Admin\AppData\Local\Temp\81d4ae23ba6fda401f23dcd6fe0e5ab0d074cabc55da653c21443df29efed2c1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Roaming\explorer.exe
  "C:\Users\Admin\AppData\Roaming\explorer.exe"
  2⤵
  - Windows security bypass
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Windows security bypass
    - Checks BIOS information in registry
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
232KB

MD5
813c33b6cbd5ab4c3f7511649a20cef5

SHA1
3b694fc0c4eef1495bde4e704c3272213d52bbf9

SHA256
c6f22a2868f89e29b6ee5acc9f82aab9a9d6f1a8b2f9527418ee53b2222132e7

SHA512
e3af68d8c4c0a851fb80d172a225921cdfee50712c14f9bda5f11a4d8f9fcac23241deef6a8e8dd14091bdc65e498c95cc1de03b543f422e3929ccc36cf99803

Download Submit
memory/1740-1-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1740-2-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1740-3-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1740-13-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1740-31-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1740-30-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1740-0-0x000007FEF5E4E000-0x000007FEF5E4F000-memory.dmp

Filesize
4KB

Download
memory/1740-25-0x000007FEF5E4E000-0x000007FEF5E4F000-memory.dmp

Filesize
4KB

Download
memory/2808-22-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/2808-11-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/2808-12-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2900-26-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/2900-24-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/2900-19-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/2900-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2900-29-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/2900-28-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/2900-27-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/2900-23-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/2900-15-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download
memory/2900-32-0x0000000013140000-0x00000000131FD000-memory.dmp

Filesize
756KB

Download