Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2024 03:53
Behavioral task
behavioral1
Sample
DarkComet v5.3/DarkComet.exe
Resource
win7-20240903-en
General
-
Target
DarkComet v5.3/DarkComet.exe
-
Size
11.3MB
-
MD5
d761f3aa64064a706a521ba14d0f8741
-
SHA1
ab7382bcfdf494d0327fccce9c884592bcc1adeb
-
SHA256
21ca06b18698d14154a45822aaae1e3837d168cc7630bcd3ec3d8c68aaa959e6
-
SHA512
d2274c03f805a5cd62104492e154fc225c3f6997091accb2f4bff165308fc82ba0d9adf185ec744222bcb4ece08d1ba754a35a2d88c10c5743f4d2e66494377f
-
SSDEEP
196608:TPvqxSrDTVokQwhM/kSEMTQINokXJw7lW740VeqQPR:LCxSrFokQw2NjUYuWU0t
Malware Config
Signatures
-
Darkcomet family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation DarkComet.exe -
Executes dropped EXE 1 IoCs
pid Process 2696 upnp.exe -
resource yara_rule behavioral2/files/0x000b000000023b9c-7.dat upx behavioral2/memory/2696-10-0x0000000000400000-0x000000000040D000-memory.dmp upx behavioral2/memory/2696-16-0x0000000000400000-0x000000000040D000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DarkComet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language upnp.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 3048 DarkComet.exe 3048 DarkComet.exe 3048 DarkComet.exe 3048 DarkComet.exe 3048 DarkComet.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 3048 DarkComet.exe 3048 DarkComet.exe 3048 DarkComet.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3048 DarkComet.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3048 wrote to memory of 2696 3048 DarkComet.exe 81 PID 3048 wrote to memory of 2696 3048 DarkComet.exe 81 PID 3048 wrote to memory of 2696 3048 DarkComet.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\DarkComet v5.3\DarkComet.exe"C:\Users\Admin\AppData\Local\Temp\DarkComet v5.3\DarkComet.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\upnp.exe"C:\Users\Admin\AppData\Local\Temp\upnp.exe" -a 10.127.1.25 1604 1604 TCP2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2696
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
822B
MD5a8933c0b2a69690ca5f7af8910fcba5b
SHA150eddca3220dbe7fd44b3add276c1fbf3ad0ccfb
SHA256c8687eaede08731c29fac0e12786fa998180fc2923bbea58724e10c8b47860e7
SHA512db6d04a57a45b067211c504fb7ab50c484670286b22c03454fa2c3fd8aca66c3c01a070f190f4886df1ec771319b13bb938d41b021a5c66a6f0042d068c05cbf
-
Filesize
822B
MD56d1fbe65bc58b142af5595697c0cff84
SHA14098e9b6425619cd2eb93d268cfabfa3193ab88d
SHA2560832eff4b43ef0b8826a1c90af00b1b433651b78a63f7be53780e69b1a12138e
SHA512fd8eea66c3a51eb0f707b3a40e94fe1310fe338ee4af36d162910a571ef79cbdcb58b6f91a0dd34f1198bb9038a978ad224264a97b4b0dbe8e15d0e7a757ac8d
-
Filesize
12KB
MD513804f8dc4e72ba103d5e34de895c9db
SHA103d7a0500ccb2fef3222ed1eb55f2cbedbb8b8c5
SHA256da659d8c05cfcb5f0abe167191665359123643000d12140836c28d204294ceb6
SHA5129abb98795a1b1c142c50c7c110966b4249972de5b1f40445b27d70c3127140b0ddaaada1d92297e96ffd71177b12cd87749953ffdcf6e5da7803b9f9527d7652