Overview

overview

8

Static

static

1

URLScan

urlscan

1

https://cometrbx.xyz...

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2023, 19:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://cometrbx.xyz/external-files/CometJSONAPI.json

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 6 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://cometrbx.xyz/external-files/CometJSONAPI.json
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3820 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:5076
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3820 CREDAT:17414 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1516
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3056
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3532
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\CometJSONAPI.json
        2⤵
        • Modifies Internet Explorer settings
        PID:3760
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\CometJSONAPI.json"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\CometJSONAPI.json
          3⤵
          • Checks processor information in registry
          • Modifies registry class
          • NTFS ADS
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4844
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.0.708397053\1769623347" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6840ce84-c5df-40f9-aaa5-662a09896637} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 1932 24d5cc16b58 gpu
            4⤵
              PID:4824
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.1.1921811612\1265191835" -parentBuildID 20221007134813 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {187c7a8a-0d25-4306-825d-74b7b7ffec29} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 2356 24d4ec72858 socket
              4⤵
                PID:2700
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.2.846555373\665870687" -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 3168 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83604c5f-3659-47db-9113-2ddf51c171f2} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 3200 24d5fa0f458 tab
                4⤵
                  PID:220
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.3.1882029822\1925752474" -childID 2 -isForBrowser -prefsHandle 4040 -prefMapHandle 4028 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a06cc88-eb56-413b-b5dc-f2749cd3f2e4} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 4052 24d60e46d58 tab
                  4⤵
                    PID:1192
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.4.2073896618\673355154" -childID 3 -isForBrowser -prefsHandle 4764 -prefMapHandle 4760 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8e44aa2-1638-41a0-b2c8-5512487bd56d} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 4772 24d61dea258 tab
                    4⤵
                      PID:1332
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.5.2088595918\1098452466" -childID 4 -isForBrowser -prefsHandle 4852 -prefMapHandle 4856 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97751677-d25d-4137-8c3e-e648a0acaf28} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 4936 24d62621258 tab
                      4⤵
                        PID:788
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.6.898165357\354741251" -childID 5 -isForBrowser -prefsHandle 5060 -prefMapHandle 5064 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3cd8800-89d1-4891-9b23-a9a883a0b8c2} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5048 24d62621558 tab
                        4⤵
                          PID:4100
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.7.1213105872\288281962" -childID 6 -isForBrowser -prefsHandle 5668 -prefMapHandle 5664 -prefsLen 26891 -prefMapSize 232675 -jsInitHandle 1436 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0509ad6f-256e-4014-8b3d-5ec52f430d82} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 2948 24d6266dd58 tab
                          4⤵
                            PID:856
                    • C:\Windows\system32\OpenWith.exe
                      C:\Windows\system32\OpenWith.exe -Embedding
                      1⤵
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:4528
                    • C:\Users\Admin\Downloads\Debug\Comet 3.exe
                      "C:\Users\Admin\Downloads\Debug\Comet 3.exe"
                      1⤵
                      • Enumerates system info in registry
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:496
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 2804
                        2⤵
                        • Program crash
                        PID:3484
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 496 -ip 496
                      1⤵
                        PID:4944

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WPCK8CWE\CometJSONAPI[1].json
                        Filesize

                        460B

                        MD5

                        44f4c7dce53050212ba7647990429dfc

                        SHA1

                        c471af467a6b9119a7d21766e57b8a9f2c2f751e

                        SHA256

                        bb2ae1eaf1b69eb60ca389103628505aa63bb470027578c1a9f85c10ea85fcba

                        SHA512

                        00e7b99e0418011e5664bf7813ee6d5f3b2ad47c5983625a928f85245ad441dc2a39e5f5841e2993e9390653f125f63e04f69ac34453275dfa6c2a5b02516fa7

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WPCK8CWE\suggestions[1].en-US
                        Filesize

                        17KB

                        MD5

                        5a34cb996293fde2cb7a4ac89587393a

                        SHA1

                        3c96c993500690d1a77873cd62bc639b3a10653f

                        SHA256

                        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                        SHA512

                        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\activity-stream.discovery_stream.json.tmp
                        Filesize

                        157KB

                        MD5

                        c6458f2d04efc19d88264918ee7418bd

                        SHA1

                        a1e80a5023ea68dcdef28e2d859ecec3748c825b

                        SHA256

                        659c9aa7a9e03e60f5dff8f48ebf1d72c3cd7e249cfddb3750923cfd477082bc

                        SHA512

                        581aeda03921e3d0e3587c7811a3564410bb9d7d6da145e9e316cdb53cb8467d8556d6ead017b5656c578d671d5c565c9bbf0daaad65c7843d1215254a084c80

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        8ade3e7d684d84eb41b4201d290cb14a

                        SHA1

                        03e98a38fb1d7f44c9c57e93e70160f55bca8994

                        SHA256

                        1a3e71ff739f055f8076370f966f3ddc60623b391290594c540ba3b119c5a445

                        SHA512

                        ab23cd1770d5f15047c380ff2dd14902a9a509f40e3b8f00a84f5759e083121bdc4602f6e4483a5709ef9fc3d85339fa4f40b5ce75c3825d8953a25df20b466b

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        72c7bf58630e88c2a4780e3a5ff64595

                        SHA1

                        a97167de9432dbb25eae66d052f1207cc1207f20

                        SHA256

                        7a90515689bad604324effb487359ada02ddb2b7b4b5e713ff4c7cf4cd671be2

                        SHA512

                        e0b789a5e390b9d1b4a4a7c99820878c2208e4dc6ee90bdb85a17ffb08be937ffc97c4c5810be714dddfab1f99f05ca36e0b1b7bc4c75397ac878e63f310844a

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
                        Filesize

                        7KB

                        MD5

                        2a0558c07291c9cf2760ddf093e6d090

                        SHA1

                        1f2ea31eddea6bd9360cf7c4f0251196243cce90

                        SHA256

                        b5f4ded0c07f9a6b3030e148d43b5722d40e13349d41c2d9ee7d7f7562636e24

                        SHA512

                        eb47685e958e2ed84d1ec30d7ed27e84ecc80417a0f1697b47f46ee19f204a52fe36c7b809239d232b178dddac0e0729fc110e085713476a29d58f241e89c872

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
                        Filesize

                        7KB

                        MD5

                        a9a7d56d1d1ce776bddd600e844d3cf4

                        SHA1

                        8915aabb8badf98345bc6be05a52428a7c3c2fc4

                        SHA256

                        929829c0e5c01fac4703613790aae59ed20731d05265774d9c0a60e8d21eabbd

                        SHA512

                        84c26c8a3ebec7dc26fe6fa08e731cc24fee29de97a8f4247162ec0194ba82a772eb637b4d7ad03b63bb3838b354f016f80f8e55cacdbe7f85c38e3a7937eaa9

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        f3f901bb37514fc3162b638ef8e98ab1

                        SHA1

                        ebdf59cd4c3ae7331f5d03b742c30e56b8942b39

                        SHA256

                        a785157a0cd862551bd220e8049f62a3f363bf2ce2dbec357b4aff7f80073c9c

                        SHA512

                        8ec07779e92fb65ff1ea8f3472f10a36f66e9ce74941ff82e76e3edb999de5ea6e05bf508dcaec2267e7b7c556013fbdf9ac2a721c9447af4b663d830e9e9e37

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs.js
                        Filesize

                        6KB

                        MD5

                        feb8a52858c8167a58f36caa1b37f116

                        SHA1

                        7ae7f9d2721ae3c579f9e18e4fea679e8c848158

                        SHA256

                        adbc4c7b5e775c3d401ae811d5be5a69b844f5937e3d0a416d374dd5a7ec227a

                        SHA512

                        109d42ec5b9744b3561d29a9cabdcf2ffb81233935fa5c2d80c39f27b92ae55366c3c51ae3d26cc1a8936635662acbd11af89e54efac374aceaa279f13e7dc16

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        50a4b239f5b231d97108e052811add17

                        SHA1

                        2cb2192197270143fe45deff16ab43a2328c3616

                        SHA256

                        4cbb3a4013c3ef708ff8496e971d535284511e0db7dc1b897bb66ae144965ba4

                        SHA512

                        115e5befc6eba77cf37694de2684e47a27abc63a355141892c710d67e6a76970d67f8697efec6e3fbf5681c413c4dd6a9bf66a28fefe12045f9161bf00d2002a

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        72cadf47c5966794b434d39281c6bb5b

                        SHA1

                        2034d3a4aab368cfed87c462c7691e2cd18777a9

                        SHA256

                        b6026ba25633d4a9749d961ea58becc9945687b8731194432c8a08b1308290b2

                        SHA512

                        4f3fc6e2a4a39cc16049fc6bc186248f11ca8d91bafe9569b9eb68f187a77dd024e6e79b3247889b8ead84ede50a8b932df209dea15b94e78d92947fc5aeff4e

                        Download Submit

                      • C:\Users\Admin\Downloads\CometJSONAPI.json.zclzzlp.partial
                        Filesize

                        460B

                        MD5

                        44f4c7dce53050212ba7647990429dfc

                        SHA1

                        c471af467a6b9119a7d21766e57b8a9f2c2f751e

                        SHA256

                        bb2ae1eaf1b69eb60ca389103628505aa63bb470027578c1a9f85c10ea85fcba

                        SHA512

                        00e7b99e0418011e5664bf7813ee6d5f3b2ad47c5983625a928f85245ad441dc2a39e5f5841e2993e9390653f125f63e04f69ac34453275dfa6c2a5b02516fa7

                        Download Submit

                      • C:\Users\Admin\Downloads\Debug.HzeQsmMb.zip.part
                        Filesize

                        100KB

                        MD5

                        e64dc091208ae009a96362ec8a7b2618

                        SHA1

                        9c744931f9bee868bcc63d629b9b96fa45b66197

                        SHA256

                        8a71d7514bd0ba9806be298dcb39e9daeda984495dee1e9948f159ae4a1653d5

                        SHA512

                        b1f57d5bd4af986a3537ab14782dac2ba1b6c0cceb7b1104155982206136dc37ac2ad748562eb69f08ae73cb349c02634ad618f9aef37846a654e5cf026d4c56

                        Download Submit

                      • C:\Users\Admin\Downloads\Module.RdB7Urcr.dll.part
                        Filesize

                        11KB

                        MD5

                        5ac951279c5c97be4fd9b1bd27499364

                        SHA1

                        83806ba005ad6e3dc52b6062ffdf1256e3df48ae

                        SHA256

                        6a3c53f8261e86419d82f5795519fef693a84473b643efa616212f153a266a57

                        SHA512

                        3a78d717a28883dd39171221670b06b4e695c633eb99d0cf6e7fe261863cddd82c638762afa6581b5ffa6c6c9eaed81058034dc6d9886a05d3bbe3dbdaa64b47

                        Download Submit

                      • memory/496-913-0x0000000005210000-0x0000000005220000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/496-1009-0x0000000009AA0000-0x0000000009B32000-memory.dmp

                        Filesize

                        584KB

                        Download

                      • memory/496-933-0x00000000081D0000-0x0000000008246000-memory.dmp

                        Filesize

                        472KB

                        Download

                      • memory/496-949-0x00000000093B0000-0x00000000093D2000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/496-975-0x00000000097E0000-0x00000000097E1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/496-976-0x000000006CBE0000-0x000000006D654000-memory.dmp

                        Filesize

                        10.5MB

                        Download

                      • memory/496-989-0x0000000009830000-0x000000000984E000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/496-929-0x0000000008700000-0x0000000008CA4000-memory.dmp

                        Filesize

                        5.6MB

                        Download

                      • memory/496-890-0x0000000000240000-0x0000000000926000-memory.dmp

                        Filesize

                        6.9MB

                        Download

                      • memory/496-1095-0x000000000E0F0000-0x000000000E128000-memory.dmp

                        Filesize

                        224KB

                        Download

                      • memory/496-1096-0x000000000E0B0000-0x000000000E0BE000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/496-1105-0x000000000E240000-0x000000000E24A000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/496-1112-0x0000000005210000-0x0000000005220000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/496-1128-0x000000000EB70000-0x000000000EB82000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/496-1219-0x0000000005210000-0x0000000005220000-memory.dmp

                        Filesize

                        64KB

                        Download