Analysis

  • max time kernel
    182s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    18/05/2024, 16:59

General

  • Target
    comet.exe
  • Size
    1.2MB
  • MD5
    3761df3c55454663ca4aa500b31b41ca
  • SHA1
    7e81974259a65b2e3e8631645974f37f147bac06
  • SHA256
    bbf8a678f59bd3cdb0bb4b1a3d2072829acf7d763016a586e683d38fe05e3d90
  • SHA512
    013ba37b0858bf8ebf8e278f435ea429a7ac859e3f8db52b9fc7955dc69200ed73447e0eca79d62096236e20ed474aee8e7d07515ce7bb929804abe60eda52da
  • SSDEEP
    24576:ZiNJjDBAOySeTQcPTAcySiDNpfVkqgfPyU8/oa8reuaDOR:ZMJjDaOyN70nS4pfVkqgy6r3a6

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 25 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: LoadsDriver 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\comet.exe
    "C:\Users\Admin\AppData\Local\Temp\comet.exe"
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /IVN "BPJY-OKYN"
      2⤵
      • Executes dropped EXE
      PID:1688
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /IV "DSWT-TFFW"
      2⤵
      • Executes dropped EXE
      PID:2248
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /SM "LVIQ-BZKZ"
      2⤵
      • Executes dropped EXE
      PID:4340
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /SP "SSWA-PWRQ"
      2⤵
      • Executes dropped EXE
      PID:2900
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /SU "Auto"
      2⤵
      • Executes dropped EXE
      PID:1856
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /SS "UVLZ-OTKN"
      2⤵
      • Executes dropped EXE
      PID:3628
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /CSK "GAWK-LWAF"
      2⤵
      • Executes dropped EXE
      PID:1032
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /CM "YMBW-QNTC"
      2⤵
      • Executes dropped EXE
      PID:2700
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /SF "EKFV-OXXG"
      2⤵
      • Executes dropped EXE
      PID:4744
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /BM "AGYY-TFIR"
      2⤵
      • Executes dropped EXE
      PID:1428
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /BP "KVKA-DZNW"
      2⤵
      • Executes dropped EXE
      PID:3720
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /BV "SQCD-VUAH"
      2⤵
      • Executes dropped EXE
      PID:2592
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /BT "CIUD-OPYI"
      2⤵
      • Executes dropped EXE
      PID:420
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /BLC "DQJF-XCLS"
      2⤵
      • Executes dropped EXE
      PID:2392
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /PSN "DJMU-CSYF"
      2⤵
      • Executes dropped EXE
      PID:4436
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /PAT "WIDX-VUKF"
      2⤵
      • Executes dropped EXE
      PID:3800
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /PPN "GRWL-KFDV"
      2⤵
      • Executes dropped EXE
      PID:4460
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /CS "WBXN-PIYP"
      2⤵
      • Executes dropped EXE
      PID:1676
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /CV "EJZL-IFEJ"
      2⤵
      • Executes dropped EXE
      PID:3228
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /CA "KPGF-LBNI"
      2⤵
      • Executes dropped EXE
      PID:4500
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /CO "FDZG-GAIY"
      2⤵
      • Executes dropped EXE
      PID:4948
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /CT "GQYA-VLPO"
      2⤵
      • Executes dropped EXE
      PID:3084
    • C:\Windows\Fonts\AMIDEWINx64.EXE
      "C:\Windows\Fonts\AMIDEWINx64.EXE" /BS "JNTL-UZXA"
      2⤵
      • Executes dropped EXE
      PID:1184
    • C:\Windows\IME\Volumeid.exe
      "C:\Windows\IME\Volumeid.exe" C: "MNAV-YXJV"
      2⤵
      • Executes dropped EXE
      PID:3988
    • C:\Windows\IME\Volumeid.exe
      "C:\Windows\IME\Volumeid.exe" D: "OOHL-ISID"
      2⤵
      • Executes dropped EXE
      PID:3464

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\Fonts\AMIDEWINx64.EXE
          Filesize
          377KB
          MD5
          64ae4aa4904d3b259dda8cc53769064f
          SHA1
          24be8fb54afd8182652819b9a307b6f66f3fc58d
          SHA256
          2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4
          SHA512
          6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16
        • C:\Windows\IME\Volumeid.exe
          Filesize
          228KB
          MD5
          4d867033b27c8a603de4885b449c4923
          SHA1
          f1ace1a241bab6efb3c7059a68b6e9bbe258da83
          SHA256
          22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3
          SHA512
          b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702
        • memory/380-8-0x0000000074950000-0x0000000075100000-memory.dmp
          Filesize
          7.7MB
        • memory/380-9-0x0000000009B70000-0x0000000009BAC000-memory.dmp
          Filesize
          240KB
        • memory/380-4-0x0000000005B40000-0x0000000005B4A000-memory.dmp
          Filesize
          40KB
        • memory/380-5-0x0000000074950000-0x0000000075100000-memory.dmp
          Filesize
          7.7MB
        • memory/380-6-0x0000000006640000-0x0000000006852000-memory.dmp
          Filesize
          2.1MB
        • memory/380-7-0x00000000071B0000-0x00000000071C2000-memory.dmp
          Filesize
          72KB
        • memory/380-0-0x000000007495E000-0x000000007495F000-memory.dmp
          Filesize
          4KB
        • memory/380-3-0x0000000005B80000-0x0000000005C12000-memory.dmp
          Filesize
          584KB
        • memory/380-10-0x000000007495E000-0x000000007495F000-memory.dmp
          Filesize
          4KB
        • memory/380-11-0x0000000074950000-0x0000000075100000-memory.dmp
          Filesize
          7.7MB
        • memory/380-12-0x0000000074950000-0x0000000075100000-memory.dmp
          Filesize
          7.7MB
        • memory/380-14-0x0000000074950000-0x0000000075100000-memory.dmp
          Filesize
          7.7MB
        • memory/380-2-0x0000000006090000-0x0000000006634000-memory.dmp
          Filesize
          5.6MB
        • memory/380-1-0x0000000000FD0000-0x0000000001112000-memory.dmp
          Filesize
          1.3MB