Malware Analysis Report

2024-08-06 18:53

Sample ID 230127-wjv41adg9z
Target Doge-Miner203.exe
SHA256 463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24
Tags
persistence darkcomet rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24

Threat Level: Known bad

The file Doge-Miner203.exe was found to be: Known bad.

Malicious Activity Summary

persistence darkcomet rat trojan upx

Modifies WinLogon for persistence

Darkcomet

Executes dropped EXE

UPX packed file

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-01-27 17:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-27 17:57

Reported

2023-01-27 18:00

Platform

win7-20221111-en

Max time kernel

151s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\notepad.exe," | C:\Windows\SysWOW64\reg.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1256 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | C:\Windows\SysWOW64\cmd.exe
PID 1488 wrote to memory of 880 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1488 wrote to memory of 880 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1488 wrote to memory of 880 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1488 wrote to memory of 880 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1256 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | C:\Windows\SysWOW64\cmd.exe
PID 1520 wrote to memory of 1060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1520 wrote to memory of 1060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1520 wrote to memory of 1060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1520 wrote to memory of 1060 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1488 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1488 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1488 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1488 wrote to memory of 1860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1520 wrote to memory of 392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1520 wrote to memory of 392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1520 wrote to memory of 392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1520 wrote to memory of 392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe

"C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 39

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 37 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe" && ping 127.0.0.1 -n 37 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 37

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 37
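The two cmd.exe chains listed above are the whole dropper logic: stall with ping to localhost (each "ping 127.0.0.1 -n N" blocks roughly N-1 seconds, which is what the "Runs ping.exe" signature reflects and a cheap way to outlast short sandbox timeouts), copy the sample into the user's Cookies folder under the name notepad.exe, register that copy as an extra Winlogon Shell entry (the "Modifies WinLogon for persistence" signature) and finally launch it. The script below is an added example and not part of the sandbox report: it parses those two command lines, copied from this section, and reports the delay, the rogue Shell entries, the self-copy and the masquerading. The regexes and the SYSTEM_BINARY_NAMES list are its own assumptions, not anything the sandbox used.

```python
"""Triage of the two cmd.exe chains spawned by Doge-Miner203.exe (behavioral1).

Added example, not part of the sandbox report. SAMPLE_PATH and SAMPLE_CMDLINES
are copied from the Processes section of the report; the regexes, heuristics
and SYSTEM_BINARY_NAMES are this example's own assumptions.
"""
import re

SAMPLE_PATH = r'C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe'
SAMPLE_CMDLINES = [
    r'"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe,"',
    r'"cmd" /c ping 127.0.0.1 -n 37 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe" && ping 127.0.0.1 -n 37 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\notepad.exe"',
]

PING_SLEEP = re.compile(r'\bping\s+127\.0\.0\.1\s+-n\s+(\d+)', re.I)
REG_SHELL = re.compile(
    r'REG\s+ADD\s+"?(?:HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)'
    r'\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"?'
    r'.*?/v\s+"?Shell"?.*?/d\s+"([^"]*)"', re.I)
COPY_CMD = re.compile(r'\bcopy\s+"([^"]+)"\s+"([^"]+)"', re.I)
# Assumption: names of Windows binaries that malware commonly borrows; extend as needed.
SYSTEM_BINARY_NAMES = {'notepad.exe', 'explorer.exe', 'svchost.exe', 'winlogon.exe', 'csrss.exe'}
SYSTEM_DIRS = (r'c:\windows\system32', r'c:\windows\syswow64')


def ping_sleep_seconds(cmdline: str) -> int:
    """ping 127.0.0.1 -n N waits one second between echoes, so it blocks about N-1 seconds."""
    return sum(max(int(n) - 1, 0) for n in PING_SLEEP.findall(cmdline))


def rogue_shell_entries(value: str) -> list:
    """Winlogon\\Shell is a comma-separated list; the legitimate value is exactly explorer.exe."""
    entries = [e.strip() for e in value.split(',') if e.strip()]
    return [e for e in entries if e.lower() != 'explorer.exe']


def analyze_cmdline(cmdline: str) -> dict:
    segments = [s.strip() for s in cmdline.split('&&')]
    result = {
        'sleep_seconds': ping_sleep_seconds(cmdline),
        'winlogon_shell_rogue': [],
        'self_copy': False,       # copies SAMPLE_PATH somewhere else
        'masquerade': False,      # destination borrows a system binary name outside System32
        'launches_copy': False,   # the chain ends by executing the copied file
    }
    m = REG_SHELL.search(cmdline)
    if m:
        result['winlogon_shell_rogue'] = rogue_shell_entries(m.group(1))
    m = COPY_CMD.search(cmdline)
    if m:
        src, dst = m.group(1), m.group(2)
        dst_dir, _, dst_name = dst.rpartition('\\')
        result['self_copy'] = src.lower() == SAMPLE_PATH.lower()
        result['masquerade'] = (dst_name.lower() in SYSTEM_BINARY_NAMES
                                and not dst_dir.lower().startswith(SYSTEM_DIRS))
        result['launches_copy'] = any(s.strip('"').lower() == dst.lower() for s in segments)
    return result


def verdicts(cmdlines=SAMPLE_CMDLINES) -> list:
    """One human-readable finding line per command line."""
    out = []
    for c in cmdlines:
        r = analyze_cmdline(c)
        notes = [f"stalls ~{r['sleep_seconds']}s via ping"] if r['sleep_seconds'] else []
        if r['winlogon_shell_rogue']:
            notes.append('Winlogon\\Shell persistence -> ' + ', '.join(r['winlogon_shell_rogue']))
        if r['self_copy']:
            notes.append('copies sample to ' + ('masqueraded ' if r['masquerade'] else '') + 'new location')
        if r['launches_copy']:
            notes.append('executes the copy')
        out.append('; '.join(notes))
    return out


if __name__ == '__main__':
    for line in verdicts():
        print(line)
```

On a live host the same rogue_shell_entries() check applies to the Shell value read from HKLM and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon: the default is the bare string explorer.exe (the HKCU value is normally absent), so any path or second entry is a finding, and the file it points to should be hashed and compared with the original sample, as the Files section of behavioral2 does.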

Network

Country | Destination | Domain | Proto
N/A | 142.251.36.45:443 | | tcp
N/A | 172.217.168.238:443 | | tcp
N/A | 142.251.36.42:443 | | tcp
N/A | 8.8.8.8:443 | | tcp
N/A | 216.58.208.99:443 | | tcp
N/A | 13.227.211.209:443 | | tcp
N/A | 142.250.179.195:443 | | tcp

Files

memory/1256-54-0x0000000000B10000-0x000000000112A000-memory.dmp

memory/1256-55-0x0000000076391000-0x0000000076393000-memory.dmp

memory/1256-56-0x0000000000460000-0x0000000000490000-memory.dmp

memory/1256-57-0x0000000000390000-0x00000000003A8000-memory.dmp

memory/1488-58-0x0000000000000000-mapping.dmp

memory/880-59-0x0000000000000000-mapping.dmp

memory/1520-60-0x0000000000000000-mapping.dmp

memory/1060-61-0x0000000000000000-mapping.dmp

memory/1860-62-0x0000000000000000-mapping.dmp

memory/392-63-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-27 17:57

Reported

2023-01-27 18:01

Platform

win10v2004-20220812-en

Max time kernel

211s

Max time network

212s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\notepad.exe," | C:\Windows\SysWOW64\reg.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
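The "UPX packed file" signature above carries no indicator rows; the check behind it is the PE section table. The following added example, which is not part of the report, parses the section headers of a PE image without third-party libraries and flags the UPX layout twice over: the stock UPX0/UPX1 section names, and, because those are trivially renamed, the more robust shape of an empty first section with a large virtual size followed by a high-entropy section. The PE images it analyses are built by build_pe() and are constructed for the demonstration; they are not the sample.

```python
"""Section-table check for UPX-style packing of a PE file.

Added example, not part of the sandbox report. pe_sections() follows the
PE/COFF layout (e_lfanew at 0x3C, the "PE" signature, 20-byte file header,
optional header, 40-byte section headers); build_pe() assembles minimal PE32
images that are constructed here for the demonstration and are not the sample.
"""
import hashlib
import math
import struct

COFF_HDR = struct.Struct('<HHIIIHH')         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct('<8sIIIIIIHHI')  # IMAGE_SECTION_HEADER, 40 bytes
FILE_ALIGN = 0x200


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is uniform, compressed data sits above ~7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Yield (name, VirtualSize, SizeOfRawData, raw bytes) for every section header."""
    if blob[:2] != b'MZ':
        raise ValueError('not an MZ/PE file')
    pe_off = struct.unpack_from('<I', blob, 0x3C)[0]
    if blob[pe_off:pe_off + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    _, nsections, _, _, _, opt_size, _ = COFF_HDR.unpack_from(blob, pe_off + 4)
    sec_off = pe_off + 4 + COFF_HDR.size + opt_size
    for i in range(nsections):
        name, vsize, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(blob, sec_off + i * SECTION_HDR.size)
        yield name.rstrip(b'\0').decode('latin-1'), vsize, raw_size, blob[raw_ptr:raw_ptr + raw_size]


def upx_indicators(blob: bytes) -> dict:
    secs = list(pe_sections(blob))
    names = [s[0] for s in secs]
    # Stock UPX layout: UPX0 has no raw data but a large virtual size (the unpack
    # destination) and UPX1 carries the compressed image. Names are trivially
    # renamed, so the same shape is also checked without relying on them.
    upx_names = any(n.upper().startswith('UPX') for n in names)
    empty_first = bool(secs) and secs[0][2] == 0 and secs[0][1] >= 0x1000
    high_entropy = any(len(s[3]) >= 1024 and entropy(s[3]) > 7.0 for s in secs)
    return {'sections': names, 'upx_names': upx_names, 'empty_first_section': empty_first,
            'high_entropy_section': high_entropy,
            'likely_packed': upx_names or (empty_first and high_entropy)}


def build_pe(sections) -> bytes:
    """Minimal PE32 image from [(name, VirtualSize, raw bytes)]; raw data is 0x200-aligned."""
    opt_size = 0xE0
    hdr_len = 0x40 + 4 + COFF_HDR.size + opt_size + SECTION_HDR.size * len(sections)
    hdr_end = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)                      # e_lfanew
    coff = COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x10B)                        # PE32 magic
    table, body, raw_ptr, va = b'', b'', hdr_end, 0x1000
    for name, vsize, raw in sections:
        raw_size = -(-len(raw) // FILE_ALIGN) * FILE_ALIGN
        table += SECTION_HDR.pack(name.encode()[:8].ljust(8, b'\0'), vsize, va, raw_size,
                                  raw_ptr if raw_size else 0, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b'\0')
        raw_ptr += raw_size
        va += -(-max(vsize, 1) // 0x1000) * 0x1000
    headers = bytes(dos) + b'PE\0\0' + coff + bytes(opt) + table
    return headers.ljust(hdr_end, b'\0') + body


def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes standing in for a compressed image."""
    return b''.join(hashlib.sha256(seed + i.to_bytes(4, 'little')).digest()
                    for i in range(-(-n // 32)))[:n]


# Constructed test images (not the analysed sample).
PACKED_SAMPLE = build_pe([('UPX0', 0x10000, b''),
                          ('UPX1', 0x1000, pseudo_random(0x1000, b'upx1')),
                          ('.rsrc', 0x200, b'RSRC' + b'\0' * 0x1FC)])
RENAMED_SAMPLE = build_pe([('.text', 0x10000, b''),
                           ('.data', 0x1000, pseudo_random(0x1000, b'renamed'))])
PLAIN_SAMPLE = build_pe([('.text', 0x400, (b'\x55\x8b\xec\x90\xc3' * 205)[:0x400]),
                         ('.data', 0x200, b'hello world\0' * 42)])

if __name__ == '__main__':
    for label, img in [('packed', PACKED_SAMPLE), ('renamed', RENAMED_SAMPLE), ('plain', PLAIN_SAMPLE)]:
        print(label, upx_indicators(img))
```

Run it against the real file with upx_indicators(open(path, 'rb').read()). When the UPX headers are intact, upx -d restores the original image for static analysis; a build that has tampered with them breaks that, and the unpacked code then has to be taken from the process memory dumps listed under Files instead.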

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4852 set thread context of 4616 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4208 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1768 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1768 wrote to memory of 2592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 4208 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe | C:\Windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 2392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1464 wrote to memory of 2392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1464 wrote to memory of 2392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1768 wrote to memory of 4780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1768 wrote to memory of 4780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1768 wrote to memory of 4780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1464 wrote to memory of 2224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1464 wrote to memory of 2224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1464 wrote to memory of 2224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1464 wrote to memory of 4852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe
PID 1464 wrote to memory of 4852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe
PID 1464 wrote to memory of 4852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe
PID 4852 wrote to memory of 4616 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4852 wrote to memory of 4616 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4852 wrote to memory of 4616 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4852 wrote to memory of 4616 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4852 wrote to memory of 4616 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4852 wrote to memory of 4616 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4852 wrote to memory of 4616 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
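The WriteProcessMemory table above mixes two different things. A parent writing into a child it has just created (Doge-Miner203.exe into cmd.exe, cmd.exe into PING.EXE and reg.exe) is ordinary CreateProcess behaviour and on its own says nothing. The one pair that also appears under "Suspicious use of SetThreadContext", the dropped notepad.exe (PID 4852) writing into AddInProcess32.exe (PID 4616), is the process-hollowing pattern: a legitimate .NET Framework binary is started, written into and then has its main thread redirected with SetThreadContext, and the repeated 0x00400000-0x00A0D000 dumps of PID 4616 in the Files section are that injected image. The added example below is not the report's own code: it correlates the report's rows, collapsed to one per distinct event, flags the pairs that show both operations and walks the spawn chain from the sample to the hollowed process.

```python
"""Correlate WriteProcessMemory and SetThreadContext rows into process-hollowing candidates.

Added example, not part of the sandbox report. EVENTS is copied from the
"Suspicious use of WriteProcessMemory" and "Suspicious use of SetThreadContext"
tables of behavioral2 with repeated rows collapsed; the correlation logic is
this example's own.
"""
import re

SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe'
CMD = r'C:\Windows\SysWOW64\cmd.exe'
PING = r'C:\Windows\SysWOW64\PING.EXE'
REG = r'C:\Windows\SysWOW64\reg.exe'
COPY = r'C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe'
HOST = r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe'

EVENTS = [  # (description, source image, target image) as printed in the report
    ('PID 4208 wrote to memory of 1768', SAMPLE, CMD),
    ('PID 1768 wrote to memory of 2592', CMD, PING),
    ('PID 4208 wrote to memory of 1464', SAMPLE, CMD),
    ('PID 1464 wrote to memory of 2392', CMD, PING),
    ('PID 1768 wrote to memory of 4780', CMD, REG),
    ('PID 1464 wrote to memory of 2224', CMD, PING),
    ('PID 1464 wrote to memory of 4852', CMD, COPY),
    ('PID 4852 wrote to memory of 4616', COPY, HOST),
    ('PID 4852 set thread context of 4616', COPY, HOST),
]

EVENT_RE = re.compile(r'PID (\d+) (wrote to memory of|set thread context of) (\d+)')


def correlate(events):
    """Group events by (source pid, target pid) -> {'images': (src, dst), 'ops': set of verbs}."""
    pairs = {}
    for desc, src_img, dst_img in events:
        m = EVENT_RE.fullmatch(desc)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(3)))
        entry = pairs.setdefault(key, {'images': (src_img, dst_img), 'ops': set()})
        entry['ops'].add('write' if m.group(2).startswith('wrote') else 'set_context')
    return pairs


def hollowing_candidates(events):
    """A parent writing into its new child is normal CreateProcess behaviour (cmd.exe -> PING.EXE
    here); writing AND replacing the thread context of the same target is the hollowing pattern."""
    return sorted(k for k, v in correlate(events).items() if {'write', 'set_context'} <= v['ops'])


def path_to(events, pid):
    """Walk write edges back to the root: the spawn chain that led to `pid`."""
    parent = {}
    for (src, dst), v in correlate(events).items():
        if 'write' in v['ops']:
            parent.setdefault(dst, src)
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def report(events=EVENTS):
    """One line per hollowing candidate with its images and spawn chain."""
    lines = []
    pairs = correlate(events)
    for src, dst in hollowing_candidates(events):
        src_img, dst_img = pairs[(src, dst)]['images']
        lines.append(f'hollowing candidate: {src} ({src_img}) -> {dst} ({dst_img}); '
                     f'chain {" -> ".join(map(str, path_to(events, dst)))}')
    return lines


if __name__ == '__main__':
    print('\n'.join(report()))
```

The same correlation works on Sysmon or EDR telemetry when the "wrote to memory" rows are replaced by remote-write events and the thread-context rows by SetThreadContext or QueueUserAPC calls; AddInProcess32.exe is a signed Framework binary that normally runs only as an add-in host, so a copy of it started from a user-profile executable is a finding even before the injection is confirmed.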

Processes

C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe

"C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 38

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 48 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Doge-Miner203.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe" && ping 127.0.0.1 -n 48 > nul && "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 48

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe,"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 48

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE

"C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE"

C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE

"C:\Users\Admin\AppData\Local\Temp\WINLOGONS.EXE"

Network

Country | Destination | Domain | Proto
N/A | 13.107.21.200:443 | | tcp
N/A | 13.107.21.200:443 | | tcp
N/A | 8.8.8.8:53 | r.bing.com | udp
N/A | 204.79.197.200:443 | r.bing.com | tcp
N/A | 8.8.8.8:53 | t-ring-fdv2.msedge.net | udp
N/A | 13.107.237.254:443 | t-ring-fdv2.msedge.net | tcp
N/A | 8.8.8.8:53 | a-ring-fallback.msedge.net | udp
N/A | 131.253.33.254:443 | a-ring-fallback.msedge.net | tcp
N/A | 8.8.8.8:53 | s-ring.msedge.net | udp
N/A | 13.107.3.254:443 | s-ring.msedge.net | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 13.69.239.72:443 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 93.184.221.240:80 | | tcp

Files

memory/4208-132-0x0000000000050000-0x000000000066A000-memory.dmp

memory/4208-133-0x0000000005CD0000-0x0000000006274000-memory.dmp

memory/4208-134-0x0000000005720000-0x00000000057B2000-memory.dmp

memory/4208-135-0x00000000057C0000-0x000000000585C000-memory.dmp

memory/4208-136-0x00000000051B0000-0x00000000051BA000-memory.dmp

memory/1768-137-0x0000000000000000-mapping.dmp

memory/2592-138-0x0000000000000000-mapping.dmp

memory/1464-139-0x0000000000000000-mapping.dmp

memory/2392-140-0x0000000000000000-mapping.dmp

memory/4780-141-0x0000000000000000-mapping.dmp

memory/2224-142-0x0000000000000000-mapping.dmp

memory/4852-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\notepad.exe

MD5 d7e6fd264bc937e3646de58e551a29db
SHA1 1db4664777b17e004f71cee4002f9ccc430413e4
SHA256 463d5d683ca55e95f8701d36543d6208fae366e065bc71fe663351450a4f8c24
SHA512 cc133bd0599c0a994c65c2ddc047dd7bec3d4032201feba63ac8f4a35582a31f2eed5d3bfe385fefda7e76d3e95415b1ccf1923a9b74a1792dc36c8f7caee837

memory/4852-146-0x0000000000440000-0x0000000000A5A000-memory.dmp

memory/4616-147-0x0000000000000000-mapping.dmp

memory/4616-148-0x0000000000400000-0x0000000000A0D000-memory.dmp

memory/4616-150-0x0000000000400000-0x0000000000A0D000-memory.dmp

memory/4616-151-0x0000000000400000-0x0000000000A0D000-memory.dmp

memory/4616-152-0x0000000000400000-0x0000000000A0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CPUMON.EXE

MD5 0d965d2e1b40b30d0eb821fc05aee8b6
SHA1 08bc8f842d39da2e0c72e376296d213afbbe6f16
SHA256 90693d7242fb9f853d759a2ec7b247a81adf808dd81dcd631b7dbfafff80b605
SHA512 5780394828a5f7b67406fd50c010f5e92752517bfc7e957a589a18ffeb5cdc2a7f7c78b0c4a6f822dc348699bfde9c0f4931356e92d8882f74de98b1c6a7a605

C:\Users\Admin\AppData\Local\Temp\MSCALC.EXE

MD5 6ca3516e1b7a3b7a5e0e3866684eb554
SHA1 bea5ff040a735327cdc9e4d5a3d753861a81fd07
SHA256 b6df37dcbbd5d9ed73fcb6fe59f89ff1b075440e12674d76a76f5cea9ef992e8
SHA512 1cb3b7984ac338ba43a688ab41c9bbdd5a6e4bd7dbeb7b04c67673cdf882d099a7033223d9e0091e96292ce2ff1f228c6e9ce54a1eba32580c7f4dba0a2da288
