Analysis Overview
SHA256
bbf8a678f59bd3cdb0bb4b1a3d2072829acf7d763016a586e683d38fe05e3d90
Threat Level: Known bad
The file comet.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
AgentTesla payload
Downloads MZ/PE file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious behavior: LoadsDriver
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-18 16:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 16:59
Reported
2024-05-18 17:02
Platform
win10v2004-20240508-en
Max time kernel
182s
Max time network
164s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\PLA\Rules\en-GB\winxsrcsv64.sys | C:\Users\Admin\AppData\Local\Temp\comet.exe | N/A |
| File created | C:\Windows\Fonts\AMIDEWINx64.EXE | C:\Users\Admin\AppData\Local\Temp\comet.exe | N/A |
| File created | C:\Windows\Fonts\amigendrv64.sys | C:\Users\Admin\AppData\Local\Temp\comet.exe | N/A |
| File created | C:\Windows\Fonts\amifldrv64.sys | C:\Users\Admin\AppData\Local\Temp\comet.exe | N/A |
| File created | C:\Windows\IME\Volumeid.exe | C:\Users\Admin\AppData\Local\Temp\comet.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\comet.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\comet.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\comet.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\comet.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\comet.exe
"C:\Users\Admin\AppData\Local\Temp\comet.exe"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /IVN "BPJY-OKYN"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /IV "DSWT-TFFW"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /SM "LVIQ-BZKZ"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /SP "SSWA-PWRQ"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /SU "Auto"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /SS "UVLZ-OTKN"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /CSK "GAWK-LWAF"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /CM "YMBW-QNTC"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /SF "EKFV-OXXG"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /BM "AGYY-TFIR"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /BP "KVKA-DZNW"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /BV "SQCD-VUAH"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /BT "CIUD-OPYI"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /BLC "DQJF-XCLS"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /PSN "DJMU-CSYF"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /PAT "WIDX-VUKF"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /PPN "GRWL-KFDV"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /CS "WBXN-PIYP"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /CV "EJZL-IFEJ"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /CA "KPGF-LBNI"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /CO "FDZG-GAIY"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /CT "GQYA-VLPO"
C:\Windows\Fonts\AMIDEWINx64.EXE
"C:\Windows\Fonts\AMIDEWINx64.EXE" /BS "JNTL-UZXA"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" C: "MNAV-YXJV"
C:\Windows\IME\Volumeid.exe
"C:\Windows\IME\Volumeid.exe" D: "OOHL-ISID"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.196.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 123.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.196.17.2.in-addr.arpa | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cold8.gofile.io | udp |
| US | 136.175.8.111:443 | cold8.gofile.io | tcp |
| US | 8.8.8.8:53 | cold2.gofile.io | udp |
| FR | 31.14.70.251:443 | cold2.gofile.io | tcp |
| US | 8.8.8.8:53 | cold1.gofile.io | udp |
| FR | 31.14.70.248:443 | cold1.gofile.io | tcp |
| US | 8.8.8.8:53 | store8.gofile.io | udp |
| US | 8.8.8.8:53 | 111.8.175.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.70.14.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.70.14.31.in-addr.arpa | udp |
| US | 206.168.191.31:443 | store8.gofile.io | tcp |
| US | 8.8.8.8:53 | 31.191.168.206.in-addr.arpa | udp |
Files
C:\Windows\Fonts\AMIDEWINx64.EXE
| MD5 | 64ae4aa4904d3b259dda8cc53769064f |
| SHA1 | 24be8fb54afd8182652819b9a307b6f66f3fc58d |
| SHA256 | 2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4 |
| SHA512 | 6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16 |
C:\Windows\IME\Volumeid.exe
| MD5 | 4d867033b27c8a603de4885b449c4923 |
| SHA1 | f1ace1a241bab6efb3c7059a68b6e9bbe258da83 |
| SHA256 | 22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3 |
| SHA512 | b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 16:59
Reported
2024-05-18 17:02
Platform
win11-20240426-en
Max time kernel
102s
Max time network
202s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\comet.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\comet.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\comet.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\comet.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\comet.exe
"C:\Users\Admin\AppData\Local\Temp\comet.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
Files