Analysis Overview
SHA256
40df0baf051090f518f217c285992c7ce6c432b6989412ae6ef512ab8fc29b70
Threat Level: Known bad
The file ba1e42b0fc454c041dd89ab04d9615c0N.exe was found to be: Known bad.
Malicious Activity Summary
Darkcomet
Executes dropped EXE
UPX packed file
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-31 13:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| 1 match, no indicator details recorded | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-31 13:10
Reported
2024-07-31 13:12
Platform
win7-20240704-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Darkcomet
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 32 matches, no indicator details recorded | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Support GFX = "C:\\Users\\Admin\\AppData\\Roaming\\Xpers\\Gpers.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
The value is written by reg.exe, which cmd.exe launches from the dropped batch file TTFNE.bat (see Processes). The key is under HKCU, so no elevation is required, and the value points at the dropped copy in AppData\Roaming, not at the original sample; the name "Support GFX" has no connection to any graphics component. Cleanup therefore has to remove the Run value and the Xpers directory, not only the file that was executed.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1672 set thread context of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe | C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe |
| PID 2796 set thread context of 2764 | N/A | C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe | C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe |
| PID 2796 set thread context of 2704 | N/A | C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe | C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe |
In every pair the source and target are the same executable image, a parent and a child it spawned. Together with the WriteProcessMemory hits this is the process hollowing pattern: the parent starts a suspended copy of itself, replaces the child's image in memory, and uses SetThreadContext to point the child's initial thread at the injected code. The memory dumps under Files support this reading: the parents (1672, 2796) carry a 0x53000-byte region at the 0x400000 image base, while the children map 0x10000 bytes (3068, 2764) or 0xB7000 bytes (2704) at the same base, so the children are no longer executing the image they were created from.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe
"C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe"
C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe
"C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TTFNE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Support GFX" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe" /f
C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
"C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
"C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
"C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | betclock.zapto.org | udp |
The destination column records the DNS resolver (8.8.8.8), not the controller. betclock.zapto.org is a No-IP dynamic-DNS hostname queried by the sample, most likely the DarkComet C2; the resolved address is not included in this report, so hunting should key on the hostname rather than on an IP.
Files
memory/1672-3-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1672-2-0x000000000044D000-0x000000000044E000-memory.dmp
memory/3068-4-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3068-16-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3068-20-0x0000000000400000-0x0000000000410000-memory.dmp
memory/1672-17-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3068-15-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3068-14-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3068-12-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3068-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3068-8-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3068-6-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TTFNE.bat
| MD5 | 1967df2848438f32a1572914428221ae |
| SHA1 | cd88b3e8351f3685c22a2db7f67e5b9b2777fa13 |
| SHA256 | 1236575bc8ddb8a9e4509ce7491a67ca57c14c9f1a5bed19e23e4bd721a99574 |
| SHA512 | b16afa9bd878c4ddfccc6765c25e2774e3e1b9a65c06f18de1a048ea73e110aa41ffd4fb0d24ce3c13c792766e273459b3217a0275ea652646b648d9c6bf6dd3 |
\Users\Admin\AppData\Roaming\Xpers\Gpers.exe
| MD5 | 33d89699c0f4801ea2fb997714a38e7c |
| SHA1 | 37c40a7e7024e38e911150e3ed708f3e89fc4860 |
| SHA256 | a5c42ab6cec3973a59d2dfeae4300f1415eff646506e6e06eb349fc23870837e |
| SHA512 | cf8ee6909ae358d2bd5ee7a87f9ea90ff6da786b9c79bf7ab51bad0c2237a09efd1296706f4f177ce213d06fcdd2d5feef6984b26cf0f8ca7cf03fbf065eacfb |
memory/2796-61-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2704-82-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-77-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-74-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-72-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-97-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-96-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-95-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-94-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-93-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/3068-89-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2704-88-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2796-87-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2704-86-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-98-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2764-99-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2704-100-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-102-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-103-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-105-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-107-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-109-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-111-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-113-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-115-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-117-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/2704-119-0x0000000000400000-0x00000000004B7000-memory.dmp
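The two behaviours that matter most in this run, the SetThreadContext pairs and the Run-key write, can be pulled out of the report text mechanically and cross-checked against the memory dump names. The following Python is an added example, not part of the sandbox report or of any tool that produced it. The indicator strings are copied from this report; the hollowing heuristic (a SetThreadContext target whose region at the 0x400000 image base differs in size from its source's) and the list of user-writable path fragments are this example's own assumptions.

```python
"""Cross-check a sandbox report's indicators for process hollowing and
user-level Run-key persistence.

Added example, not part of the sandbox report. The input strings are copied
from the report; the parsing rules and heuristics are this example's own.
"""
import re

IMAGE_BASE = 0x400000  # default image base of the 32-bit PEs in the report

# Constructed input: copied from the SetThreadContext table, the Files list
# and the Processes list of the behavioral1 run.
CONTEXT_LINES = [
    "PID 1672 set thread context of 3068",
    "PID 2796 set thread context of 2764",
    "PID 2796 set thread context of 2704",
]
DUMP_NAMES = [
    "memory/1672-3-0x0000000000400000-0x0000000000453000-memory.dmp",
    "memory/3068-4-0x0000000000400000-0x0000000000410000-memory.dmp",
    "memory/3068-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2796-61-0x0000000000400000-0x0000000000453000-memory.dmp",
    "memory/2704-82-0x0000000000400000-0x00000000004B7000-memory.dmp",
    "memory/2764-99-0x0000000000400000-0x0000000000410000-memory.dmp",
]
RUN_KEY_LINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Support GFX" '
    r'/t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Xpers\Gpers.exe" /f',
]

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
REG_RE = re.compile(
    r'REG ADD\s+"(?P<key>[^"]+)"\s+/v\s+"(?P<name>[^"]+)".*?/d\s+"(?P<data>[^"]+)"',
    re.IGNORECASE,
)
# Assumption: Run/RunOnce values pointing into these locations are suspicious.
RUN_KEYS = ("\\microsoft\\windows\\currentversion\\run",
            "\\microsoft\\windows\\currentversion\\runonce")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def image_sizes(dump_names):
    """Map PID -> size of the largest dumped region that starts at IMAGE_BASE."""
    sizes = {}
    for name in dump_names:
        m = DUMP_RE.search(name)
        if not m:
            continue
        pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
        if start == IMAGE_BASE:
            sizes[pid] = max(sizes.get(pid, 0), end - start)
    return sizes


def hollowing_candidates(context_lines, dump_names):
    """Pair SetThreadContext source/target PIDs and flag targets whose image
    region at IMAGE_BASE differs in size from the source's: the child is no
    longer running the image it was created from."""
    sizes = image_sizes(dump_names)
    findings = []
    for line in context_lines:
        m = CTX_RE.search(line)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        if src in sizes and dst in sizes and sizes[src] != sizes[dst]:
            findings.append((src, dst, sizes[src], sizes[dst]))
    return findings


def run_key_persistence(cmdlines):
    """Flag reg.exe Run/RunOnce additions whose target is in a user-writable path."""
    findings = []
    for cmd in cmdlines:
        m = REG_RE.search(cmd)
        if not m:
            continue
        key, name, data = m.group("key"), m.group("name"), m.group("data")
        if key.lower().endswith(RUN_KEYS) and any(p in data.lower() for p in USER_WRITABLE):
            findings.append((name, data))
    return findings


if __name__ == "__main__":
    for src, dst, s_size, d_size in hollowing_candidates(CONTEXT_LINES, DUMP_NAMES):
        print(f"PID {src} (image {s_size:#x}) set context of PID {dst} (image {d_size:#x})")
    for name, data in run_key_persistence(RUN_KEY_LINES):
        print(f"Run value {name!r} -> {data}")
```

Run against the report's own strings, all three SetThreadContext pairs are flagged (parent image 0x53000 bytes against child images of 0x10000 or 0xB7000 bytes) along with the "Support GFX" Run value. The size comparison is only a heuristic: a parent that hollows a child with a payload of exactly the same image size would be missed, so in production the SetThreadContext-on-own-image pairing alone should already raise an alert.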
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-31 13:10
Reported
2024-07-31 13:12
Platform
win10v2004-20240730-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe |
On Windows 10 the sample crashes and is handled by WerFault.exe before it drops Gpers.exe or writes the Run key, so none of the behaviour seen in the Windows 7 run is reproduced here. The behavioral1 run is the representative one for this sample; the absence of persistence on this platform is a sandbox artifact, not evidence that the file is benign.
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe
"C:\Users\Admin\AppData\Local\Temp\ba1e42b0fc454c041dd89ab04d9615c0N.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2416 -ip 2416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 468
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
These are reverse (PTR) lookups only, typical of Windows 10 background traffic in a sandbox, and the sample crashed before reaching its network stage; the C2 hostname betclock.zapto.org from the Windows 7 run is not queried. None of these entries should be treated as indicators for this sample.
Files
memory/2416-2-0x000000000044D000-0x000000000044E000-memory.dmp
memory/2416-3-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2416-4-0x0000000000400000-0x0000000000453000-memory.dmp