darkcomet | 12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99

General

Target

12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe
Size

2.1MB
MD5

06666b8c365f725fce6c099c63aa2342
SHA1

30f5e6c2566ccf5fb5f7bcfe8e8bc0bcd4352b3b
SHA256

12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99
SHA512

b1ecfa68a162255b6042272399b008b275034553ddba137fcb1378fdfb08fe254a420d83b30e24ab6505f29e6343f3909fd6499c0f2ad7721ee29e92094eee7f
SSDEEP

49152:+kwkn9IMHea1xjBkMGXsgR+PS4+F7x7maPCS:NdnVdxNkMGXtKEx7VPC

Score

10^/10

darkcomet ddddyyy persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

ddddyyy

C2

daynasmithx.ddns.net:100

Mutex

DCMIN_MUTEX-UGTM8YB

Attributes

InstallPath
DCSCMIN\explorer.exe
gencode
vhfpLUSAnw3d
install
true
offline_keylogger
true
persistence
false
reg_key
explorer.exe

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe"	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 328	2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe
2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe
2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe
2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe
2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 328	2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe	28
PID 2028 wrote to memory of 328	2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe	28
PID 2028 wrote to memory of 328	2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe	28
PID 2028 wrote to memory of 328	2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe	28
PID 2028 wrote to memory of 328	2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe	28
PID 2028 wrote to memory of 328	2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe	28
PID 2028 wrote to memory of 328	2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe	28
PID 2028 wrote to memory of 328	2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe	28
PID 2028 wrote to memory of 328	2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe	28
PID 2028 wrote to memory of 328	2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe	28
PID 2028 wrote to memory of 328	2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe	28
PID 2028 wrote to memory of 328	2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe	28
PID 2028 wrote to memory of 328	2028	12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe	28

C:\Users\Admin\AppData\Local\Temp\12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe
"C:\Users\Admin\AppData\Local\Temp\12b0f55ad1876e48ccffa02bff9255e705a072755902c5bedef5a87e7993eb99.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\WerFault.exe
  "C:\Windows\SysWOW64\WerFault.exe"
  2⤵
  PID:328
- - C:\Users\Admin\Documents\DCSCMIN\explorer.exe
    "C:\Users\Admin\Documents\DCSCMIN\explorer.exe"
    3⤵
    PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/328-55-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/328-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/328-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/328-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/328-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/328-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/328-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/328-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/328-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/328-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2028-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing