Analysis
-
max time kernel
140s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
10-08-2024 15:23
General
-
Target
jdhfdshdk.exe
-
Size
756KB
-
MD5
855fdcbb7f2b26216324afbd36d8b8b3
-
SHA1
b02b1ad03a4becd3f96b1e54e75a1eb8fbdd1e5e
-
SHA256
cebc3aaa8f0b183d42fa6e52020c2effaf73d997e6a095ef2e8a43c1e2dba3eb
-
SHA512
cde8d4887259b61a5e4479cdc1898a6508e902a690d9b38008f952408ace0eb3762aafc3b998571f11902b2db2ff0593edaee4400e302c83836fb6992cb57e69
-
SSDEEP
12288:t9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hN:HZ1xuVVjfFoynPaVBUR8f+kN10EBD
Malware Config
Extracted
darkcomet
Guest16
127.0.0.1:1604
DC_MUTEX-47YCESL
-
gencode
aL2JzXvVx9mA
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Processes: jdhfdshdk.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdhfdshdk.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies registry class 1 IoCs
Processes:
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{BB43E994-1378-47E4-9C4D-85852081FFDE} | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
Processes: msedge.exe, msedge.exe, msedge.exe
pid | process
3580 | msedge.exe
3580 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
6100 | msedge.exe
6100 | msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
Processes: msedge.exe
pid | process
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
Processes: jdhfdshdk.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 3852 | jdhfdshdk.exe
Token: SeSecurityPrivilege | 3852 | jdhfdshdk.exe
Token: SeTakeOwnershipPrivilege | 3852 | jdhfdshdk.exe
Token: SeLoadDriverPrivilege | 3852 | jdhfdshdk.exe
Token: SeSystemProfilePrivilege | 3852 | jdhfdshdk.exe
Token: SeSystemtimePrivilege | 3852 | jdhfdshdk.exe
Token: SeProfSingleProcessPrivilege | 3852 | jdhfdshdk.exe
Token: SeIncBasePriorityPrivilege | 3852 | jdhfdshdk.exe
Token: SeCreatePagefilePrivilege | 3852 | jdhfdshdk.exe
Token: SeBackupPrivilege | 3852 | jdhfdshdk.exe
Token: SeRestorePrivilege | 3852 | jdhfdshdk.exe
Token: SeShutdownPrivilege | 3852 | jdhfdshdk.exe
Token: SeDebugPrivilege | 3852 | jdhfdshdk.exe
Token: SeSystemEnvironmentPrivilege | 3852 | jdhfdshdk.exe
Token: SeChangeNotifyPrivilege | 3852 | jdhfdshdk.exe
Token: SeRemoteShutdownPrivilege | 3852 | jdhfdshdk.exe
Token: SeUndockPrivilege | 3852 | jdhfdshdk.exe
Token: SeManageVolumePrivilege | 3852 | jdhfdshdk.exe
Token: SeImpersonatePrivilege | 3852 | jdhfdshdk.exe
Token: SeCreateGlobalPrivilege | 3852 | jdhfdshdk.exe
Token: 33 | 3852 | jdhfdshdk.exe
Token: 34 | 3852 | jdhfdshdk.exe
Token: 35 | 3852 | jdhfdshdk.exe
Token: 36 | 3852 | jdhfdshdk.exe
-
Suspicious use of FindShellTrayWindow 27 IoCs
Processes:
Processes: helppane.exe, msedge.exe
pid | process
2532 | helppane.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
Processes: msedge.exe
pid | process
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
4064 | msedge.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
Processes: jdhfdshdk.exe, helppane.exe
pid | process
3852 | jdhfdshdk.exe
2532 | helppane.exe
2532 | helppane.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes: helppane.exe, msedge.exe
description | pid | process | target process
PID 2532 wrote to memory of 4064 | 2532 | helppane.exe | msedge.exe
PID 2532 wrote to memory of 4064 | 2532 | helppane.exe | msedge.exe
PID 4064 wrote to memory of 2124 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2124 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 964 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 3580 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 3580 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
PID 4064 wrote to memory of 2564 | 4064 | msedge.exe | msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\jdhfdshdk.exe
  "C:\Users\Admin\AppData\Local\Temp\jdhfdshdk.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3852
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
  PID:3152
-
C:\Windows\helppane.exe
  C:\Windows\helppane.exe -Embedding
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2532
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528882
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4064
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe6e746f8,0x7fffe6e74708,0x7fffe6e74718
      PID:2124
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,9173650862956519589,9169647842862894767,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
      PID:964
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,9173650862956519589,9169647842862894767,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID:3580
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,9173650862956519589,9169647842862894767,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
      PID:2564
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9173650862956519589,9169647842862894767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      PID:4332
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9173650862956519589,9169647842862894767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      PID:1984
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9173650862956519589,9169647842862894767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
      PID:5508
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9173650862956519589,9169647842862894767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
      PID:5796
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2212,9173650862956519589,9169647842862894767,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4992 /prefetch:8
      PID:6092
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2212,9173650862956519589,9169647842862894767,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4968 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      PID:6100
    -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,9173650862956519589,9169647842862894767,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
      PID:4108
-
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:2264
-
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:5244
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
152B
MD5
27304926d60324abe74d7a4b571c35ea
SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd
-
Filesize
152B
MD5
9e3fc58a8fb86c93d19e1500b873ef6f
SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB
MD5
b4cd1c7a486292a30089d0d2eb49aeda
SHA1
de9d26260cf8b7a98c75f2a90deb9d48d2f388bb
SHA256
4e2b788cb35f7f577ebc7bb17b100346972354fb5ecb98cf39a17fe18e00fd22
SHA512
81c375051e08e147e7ccf7c10f1727e3635f5bf42c491ba3288f06a6717070c895f9df2ada80b985658b1bc43001d8f024d5b83e3c1328c5b481d444ff739734
-
Filesize
755B
MD5
bca57f85c1714d11a34c112c01ba7e79
SHA1
38679d4fa209389dd1e20fa8dc54b3f62db2ffd1
SHA256
2400a34282a8c5c91de8340ab17c808273a6939732f2afc7bbd2500bc576aea1
SHA512
a1b640b42c7b33dd8b0f55c894e2ffd59bd70624c9c678ebf7294b2d19691536528ea9689a8cace095179fd9ed647f9452260ed61c7a011930e6cfaf5caf3d4e
-
Filesize
6KB
MD5
ab2080de6ebda28d78a7722530ce7a37
SHA1
373379d60dd3fd4dde97caf0e3e236cf9c14b7bd
SHA256
7786dced59fc96262881e28bd31ed584b6b0cfec4c2b845c95147977b8402cb4
SHA512
ba9ad12030e0866bb77a1f4704c77b449c59020d2e30686f14df449b9a6df3be961347060c1507ab1dcb0f81add99a55e892c36c0e83adc7d5716fd01858cd8d
-
Filesize
6KB
MD5
392818901045948c4fd9a327eaeb8b45
SHA1
fbce7c7ca939fd4d5169f20533a3daccb1b6c9a6
SHA256
4719a2570e9f7c13ac330941332e09252d276c2691001ef67f460e5fb6e35b3f
SHA512
8df110e2e3095121dd89306979bebb480d479dacb9bdafb14e478c14dbea49b8a73dc3455ddb323a76af897353528cbb86ce9a655b7876a95fc7ebcc125dae3a
-
Filesize
10KB
MD5
24e640fd6b27e277b329f1cbf3bb6187
SHA1
ef053266183c79ccbbbbf598a1a5a58c1b4e28eb
SHA256
1cdebc64e732c5d6c24b23694499266ca158564e67a7830fe44a1383b83bbcfc
SHA512
626babfc61ef0da678ed836c56862790a76eff70b795a017f649965b27f3d99d771a04d24404ce6df1db2f5ba18d45e7801fb0223c303db7e24d69319b648973
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e