Analysis
max time kernel: 182s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 18/05/2024, 16:59

Static task: static1
Behavioral task: behavioral1
  Sample: comet.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral2
  Sample: comet.exe
  Resource: win11-20240426-en
General
Target: comet.exe
Size: 1.2MB
MD5: 3761df3c55454663ca4aa500b31b41ca
SHA1: 7e81974259a65b2e3e8631645974f37f147bac06
SHA256: bbf8a678f59bd3cdb0bb4b1a3d2072829acf7d763016a586e683d38fe05e3d90
SHA512: 013ba37b0858bf8ebf8e278f435ea429a7ac859e3f8db52b9fc7955dc69200ed73447e0eca79d62096236e20ed474aee8e7d07515ce7bb929804abe60eda52da
SSDEEP: 24576:ZiNJjDBAOySeTQcPTAcySiDNpfVkqgfPyU8/oa8reuaDOR:ZMJjDaOyN70nS4pfVkqgy6r3a6
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload 1 IoCs
resource | yara_rule
behavioral1/memory/380-6-0x0000000006640000-0x0000000006852000-memory.dmp | family_agenttesla
Downloads MZ/PE file
Executes dropped EXE 25 IoCs
pid | Process
1688 | AMIDEWINx64.EXE
2248 | AMIDEWINx64.EXE
4340 | AMIDEWINx64.EXE
2900 | AMIDEWINx64.EXE
1856 | AMIDEWINx64.EXE
3628 | AMIDEWINx64.EXE
1032 | AMIDEWINx64.EXE
2700 | AMIDEWINx64.EXE
4744 | AMIDEWINx64.EXE
1428 | AMIDEWINx64.EXE
3720 | AMIDEWINx64.EXE
2592 | AMIDEWINx64.EXE
420 | AMIDEWINx64.EXE
2392 | AMIDEWINx64.EXE
4436 | AMIDEWINx64.EXE
3800 | AMIDEWINx64.EXE
4460 | AMIDEWINx64.EXE
1676 | AMIDEWINx64.EXE
3228 | AMIDEWINx64.EXE
4500 | AMIDEWINx64.EXE
4948 | AMIDEWINx64.EXE
3084 | AMIDEWINx64.EXE
1184 | AMIDEWINx64.EXE
3988 | Volumeid.exe
3464 | Volumeid.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\PLA\Rules\en-GB\winxsrcsv64.sys | comet.exe
File created | C:\Windows\Fonts\AMIDEWINx64.EXE | comet.exe
File created | C:\Windows\Fonts\amigendrv64.sys | comet.exe
File created | C:\Windows\Fonts\amifldrv64.sys | comet.exe
File created | C:\Windows\IME\Volumeid.exe | comet.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | comet.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | comet.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | comet.exe
Suspicious behavior: LoadsDriver 23 IoCs
pid | Process
668 | Process not Found
(this identical row is listed 23 times in the report)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 380 | comet.exe
Suspicious use of WriteProcessMemory 52 IoCs
description | pid | Process | procid_target
PID 380 wrote to memory of 1688 | 380 | comet.exe | 110
PID 380 wrote to memory of 2248 | 380 | comet.exe | 112
PID 380 wrote to memory of 4340 | 380 | comet.exe | 114
PID 380 wrote to memory of 2900 | 380 | comet.exe | 116
PID 380 wrote to memory of 1856 | 380 | comet.exe | 118
PID 380 wrote to memory of 3628 | 380 | comet.exe | 120
PID 380 wrote to memory of 1032 | 380 | comet.exe | 122
PID 380 wrote to memory of 2700 | 380 | comet.exe | 124
PID 380 wrote to memory of 4744 | 380 | comet.exe | 126
PID 380 wrote to memory of 1428 | 380 | comet.exe | 128
PID 380 wrote to memory of 3720 | 380 | comet.exe | 130
PID 380 wrote to memory of 2592 | 380 | comet.exe | 132
PID 380 wrote to memory of 420 | 380 | comet.exe | 134
PID 380 wrote to memory of 2392 | 380 | comet.exe | 136
PID 380 wrote to memory of 4436 | 380 | comet.exe | 138
PID 380 wrote to memory of 3800 | 380 | comet.exe | 140
PID 380 wrote to memory of 4460 | 380 | comet.exe | 142
PID 380 wrote to memory of 1676 | 380 | comet.exe | 144
PID 380 wrote to memory of 3228 | 380 | comet.exe | 146
PID 380 wrote to memory of 4500 | 380 | comet.exe | 148
PID 380 wrote to memory of 4948 | 380 | comet.exe | 150
PID 380 wrote to memory of 3084 | 380 | comet.exe | 152
PID 380 wrote to memory of 1184 | 380 | comet.exe | 154
PID 380 wrote to memory of 3988 | 380 | comet.exe | 156
PID 380 wrote to memory of 3464 | 380 | comet.exe | 160
(each row above is listed twice in the report; the rows for targets 3988 and 3464 are listed three times, giving 52 entries in total)
Processes
C:\Users\Admin\AppData\Local\Temp\comet.exe
  "C:\Users\Admin\AppData\Local\Temp\comet.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 380

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /IVN "BPJY-OKYN"
    - Executes dropped EXE
    PID: 1688

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /IV "DSWT-TFFW"
    - Executes dropped EXE
    PID: 2248

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /SM "LVIQ-BZKZ"
    - Executes dropped EXE
    PID: 4340

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /SP "SSWA-PWRQ"
    - Executes dropped EXE
    PID: 2900

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /SU "Auto"
    - Executes dropped EXE
    PID: 1856

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /SS "UVLZ-OTKN"
    - Executes dropped EXE
    PID: 3628

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /CSK "GAWK-LWAF"
    - Executes dropped EXE
    PID: 1032

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /CM "YMBW-QNTC"
    - Executes dropped EXE
    PID: 2700

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /SF "EKFV-OXXG"
    - Executes dropped EXE
    PID: 4744

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /BM "AGYY-TFIR"
    - Executes dropped EXE
    PID: 1428

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /BP "KVKA-DZNW"
    - Executes dropped EXE
    PID: 3720

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /BV "SQCD-VUAH"
    - Executes dropped EXE
    PID: 2592

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /BT "CIUD-OPYI"
    - Executes dropped EXE
    PID: 420

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /BLC "DQJF-XCLS"
    - Executes dropped EXE
    PID: 2392

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /PSN "DJMU-CSYF"
    - Executes dropped EXE
    PID: 4436

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /PAT "WIDX-VUKF"
    - Executes dropped EXE
    PID: 3800

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /PPN "GRWL-KFDV"
    - Executes dropped EXE
    PID: 4460

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /CS "WBXN-PIYP"
    - Executes dropped EXE
    PID: 1676

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /CV "EJZL-IFEJ"
    - Executes dropped EXE
    PID: 3228

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /CA "KPGF-LBNI"
    - Executes dropped EXE
    PID: 4500

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /CO "FDZG-GAIY"
    - Executes dropped EXE
    PID: 4948

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /CT "GQYA-VLPO"
    - Executes dropped EXE
    PID: 3084

  C:\Windows\Fonts\AMIDEWINx64.EXE
    "C:\Windows\Fonts\AMIDEWINx64.EXE" /BS "JNTL-UZXA"
    - Executes dropped EXE
    PID: 1184

  C:\Windows\IME\Volumeid.exe
    "C:\Windows\IME\Volumeid.exe" C: "MNAV-YXJV"
    - Executes dropped EXE
    PID: 3988

  C:\Windows\IME\Volumeid.exe
    "C:\Windows\IME\Volumeid.exe" D: "OOHL-ISID"
    - Executes dropped EXE
    PID: 3464
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 377KB
MD5: 64ae4aa4904d3b259dda8cc53769064f
SHA1: 24be8fb54afd8182652819b9a307b6f66f3fc58d
SHA256: 2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4
SHA512: 6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

Filesize: 228KB
MD5: 4d867033b27c8a603de4885b449c4923
SHA1: f1ace1a241bab6efb3c7059a68b6e9bbe258da83
SHA256: 22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3
SHA512: b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702