Malware Analysis Report

2025-04-13 22:44

Sample ID 250227-2p8vya11hy
Target 6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a
SHA256 6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a
Tags
darkcomet ramnit guest16 banker discovery rat spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a

Threat Level: Known bad

The file 6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a was found to be: Known bad.

Malicious Activity Summary

darkcomet ramnit guest16 banker discovery rat spyware stealer trojan upx worm

Darkcomet

Darkcomet family

Ramnit

Ramnit family

Executes dropped EXE

Loads dropped DLL

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-27 22:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-27 22:46

Reported

2025-02-27 22:49

Platform

win7-20250207-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe"

Signatures

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

Ramnit

trojan spyware stealer worm banker ramnit

Ramnit family

ramnit

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446858263" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B2AC3FA1-F55C-11EF-9981-C62FFBBDC457} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B2A77CE1-F55C-11EF-9981-C62FFBBDC457} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1616 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
PID 1616 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
PID 1616 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
PID 1616 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
PID 1732 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1732 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1732 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1732 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1732 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1732 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1732 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1732 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2364 wrote to memory of 2976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2364 wrote to memory of 2976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2364 wrote to memory of 2976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2364 wrote to memory of 2976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2144 wrote to memory of 2752 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2144 wrote to memory of 2752 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2144 wrote to memory of 2752 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2144 wrote to memory of 2752 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe

"C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe"

C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe

C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:340993 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp

Files

memory/1616-0-0x0000000000400000-0x00000000004D0000-memory.dmp

\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe

MD5 d5ca6e1f080abc64bbb11e098acbeabb
SHA1 1849634bf5a65e1baddddd4452c99dfa003e2647
SHA256 30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae
SHA512 aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

memory/1732-11-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1616-12-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1616-10-0x0000000000360000-0x00000000003BD000-memory.dmp

memory/1616-9-0x0000000000360000-0x00000000003BD000-memory.dmp

memory/1732-14-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1732-15-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1732-16-0x0000000000340000-0x0000000000341000-memory.dmp

memory/1732-17-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1732-13-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B2A77CE1-F55C-11EF-9981-C62FFBBDC457}.dat

MD5 c125780be7b71fdf216cc8f9513506d4
SHA1 e74bc7c4aaf88ee79d7ebc6c2bc5d1d69da5b2b7
SHA256 0b69540af596caaa293b449e505d107d73d5d3d6a0f7b3449fc6c148f4c46aba
SHA512 b296c2039c35dbf546f2006a300a7dda2b5da87c86c35c377fb876188b22d89a08562c0801dd4ade809377690fc0b8c9e89586e8ced004f4b5d87e17301d7b40

memory/1616-19-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/1732-21-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabE88E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1616-36-0x0000000000400000-0x00000000004D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\TarF744.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

memory/1616-137-0x0000000000400000-0x00000000004D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f2bb387f282c6049da4ccb144e590cc
SHA1 d7900cdb207b452c722dc6d55a25bf3357e2b9a9
SHA256 fb39b872088c159570524e098b18e94fe822f30515656f7c78d120eea184b1ea
SHA512 ae4062a3ef2d47cd5f4fb96f7a8963f2ec0ee6f789799e0a7be1f4bc3ddb8a60790c9d24339f5d1e1b4a0f3f5bf5d47b315d1cd267e107bb0dd59f3fc8e3b804

memory/1616-334-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/1616-337-0x0000000000400000-0x00000000004D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5b430e9c7fedc04497a9c6d8e0d3cf5
SHA1 37ecab8ffcd4cd1f9b94711f76641b2c96d902ae
SHA256 b6cb548b3d7dd1dc92cf934466a5945f019eb413fe2f23a19598205df9296f85
SHA512 f0fcf2e1e21997775a4b22aade4222fb3fc244bd4f0e7bfb1e479df87068164536fe931b3415da1a8c0595758fe5ed7b636f4796e4edb07ec94fd2d332ce673a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee6659a2c36342f56ddcd6dccf480ded
SHA1 ca5bf991e7193e90822398606002e30efa07d221
SHA256 5b292a6bcc8249099a731d7f2f4ff8508844ec6bc16b63caf9221c99214c74e3
SHA512 01bee0c4e36ed522ee93731eff3ada71bddaab2d0829d4c5fe27bcaa492d739fdc321e39d5e561e4925589cdb6d0aca42611ff44eb6ceb114d9b57e504001343

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0456ce20734f12838a4df9573433eef9
SHA1 270dfadad84bf3fef153c19e86770b491be03ede
SHA256 b7163b6ca29954e7fc0a62b8e7e2a08e8f527b6c128f22e3ad79a3d10b3e89a2
SHA512 96d061b3d5932ed3b2ffbba8d48aaca131957735152aa0d4293ddd76391fd97dbb57432918a628c6912cbc8f836c477073b4b49f27e3433a8af56a0326dc9c11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15e06708608003d2e694ad2023381f87
SHA1 125498151ffbf9e98468e8e29dc421c731ec990d
SHA256 71bfc9720ee41cfadadd5fe042f690e6e92c9091064470d46f61e95b62d2bd14
SHA512 24956ea88838bc47349e18bc33c3948c643daccc5a2db250e43f89e776def22c65fa7c01bdc2cdaf1219cd9bff9e9d48383e5a75820143a7980b1b86a5b1d23a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 86dcfe1613edb6cdb7688f80c21a350b
SHA1 8ed82fb7520f3b6f38112383b7731759baa18dee
SHA256 7abcac79319de40b7374f05558f313a0d295bea9ea02eaa8c9713466c453436b
SHA512 871c4e0358009a1de300bf4ed0bd01258fcaa8fb8507f64598d6b5e6f2ce0acaf032bd9d412519a93474a3240f69982f28b5051c17f3a32b465c1e933bf1ad1c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb683931b113812c88325ab5f7e2f76f
SHA1 57cf185cbbf3cf7554e6c5cae947160e561b74a8
SHA256 39c38a9e14022ecde0dade166c178f8dbd0687d783d70628d2eff039c6280358
SHA512 3430763cfda9b97d1201f5c9e5767856f7d9e3f9f73cd77ec74d16d260b00220077efe832cbb6f7e883fb9d8cf4d9753e73746d8c6596e7d90d25c33134f77bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 faa84a7a2acf642e4d951a4dfb245b5b
SHA1 c18d3cbe4ade991328aadce58bf5e3169ee01743
SHA256 4e31a7211577ff4ce936380ac5f8e48debf9238e82342ca8388dd73f388161fd
SHA512 9797751d3f189d2b6b31b6500458ade53f2423cf0c459b8e993664ef2bb797d1ec4f20c183b103fa1a672158ba2e1cb4c7a1cc07e1a0dabdb53489cba48bed02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60f966976f5f73b96b460a8f3a72f4f3
SHA1 bfc5afa7837f343e7b7dfededb0addc5a40ca086
SHA256 d181aee88353fe4f335878edf38ce83db0f3f6e5bdc72d54ef69acd5121e4e6a
SHA512 fd912be31d8d9a3c65eb16ddabac5c208c38eda8146509851dac764b7948dcb55322ba1e001300570c30b4e3a8295a7a61bad46fcec14ef456d868e675cdd783

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8346cf9748581b7f08949eae3635a34
SHA1 78e72d202aebc41700c79fe1c447fda128f3bdc6
SHA256 2dba7d3dc2f8b98ca6e731b02219736c0a1d7aa6a376c99c32b2918c07f4b860
SHA512 77b2c66d64282676b7f9683fc9b4e49e7dd70220488765dc32d0ca9fc5bf5d285f1ddc99a6178082a80cefaf0a5ca81e10e7e8b5f7f8c6fe7a8075621d18e1d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 446c621dc0be0f3814d9a1cadc461ad1
SHA1 66a702ca448eda1cba5d1f06c89ea147fde2d085
SHA256 13f9ac672e005653f576a71bd940af9a97f305672bd080590a3f13dbf7158d2b
SHA512 637c7bf2315fc0cbfd427794a8835f036a351efc3b019abc33d1e03d6688a97ad4419118858e6d238c7fbdb452c2b3445cc5e6fec02dc3130f322b2f257deb9f

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-27 22:46

Reported

2025-02-27 22:49

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe"

Signatures

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe

"C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe"

C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe

C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3588 -ip 3588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 264

Network

Country Destination Domain Proto
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp
TR 159.146.115.189:3131 tcp

Files

memory/4896-0-0x0000000000400000-0x00000000004D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe

MD5 d5ca6e1f080abc64bbb11e098acbeabb
SHA1 1849634bf5a65e1baddddd4452c99dfa003e2647
SHA256 30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae
SHA512 aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

memory/3588-6-0x0000000000560000-0x0000000000561000-memory.dmp

memory/3588-5-0x0000000000400000-0x000000000045D000-memory.dmp

memory/4896-7-0x00000000022B0000-0x00000000022B1000-memory.dmp

memory/4896-9-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/4896-10-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/4896-12-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/4896-14-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/4896-17-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/4896-19-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/4896-21-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/4896-23-0x0000000000400000-0x00000000004D0000-memory.dmp