Analysis Overview
SHA256
6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a
Threat Level: Known bad
The file 6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a was found to be: Known bad.
Malicious Activity Summary
Darkcomet
Darkcomet family
Ramnit
Ramnit family
Executes dropped EXE
Loads dropped DLL
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-27 22:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-27 22:46
Reported
2025-02-27 22:49
Platform
win7-20250207-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Darkcomet
Darkcomet family
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446858263" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B2AC3FA1-F55C-11EF-9981-C62FFBBDC457} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B2A77CE1-F55C-11EF-9981-C62FFBBDC457} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe
"C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe"
C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:340993 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
Files
memory/1616-0-0x0000000000400000-0x00000000004D0000-memory.dmp
\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
| MD5 | d5ca6e1f080abc64bbb11e098acbeabb |
| SHA1 | 1849634bf5a65e1baddddd4452c99dfa003e2647 |
| SHA256 | 30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae |
| SHA512 | aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161 |
memory/1732-11-0x0000000000400000-0x000000000045D000-memory.dmp
memory/1616-12-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1616-10-0x0000000000360000-0x00000000003BD000-memory.dmp
memory/1616-9-0x0000000000360000-0x00000000003BD000-memory.dmp
memory/1732-14-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/1732-15-0x0000000000400000-0x000000000045D000-memory.dmp
memory/1732-16-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1732-17-0x0000000000400000-0x000000000045D000-memory.dmp
memory/1732-13-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B2A77CE1-F55C-11EF-9981-C62FFBBDC457}.dat
| MD5 | c125780be7b71fdf216cc8f9513506d4 |
| SHA1 | e74bc7c4aaf88ee79d7ebc6c2bc5d1d69da5b2b7 |
| SHA256 | 0b69540af596caaa293b449e505d107d73d5d3d6a0f7b3449fc6c148f4c46aba |
| SHA512 | b296c2039c35dbf546f2006a300a7dda2b5da87c86c35c377fb876188b22d89a08562c0801dd4ade809377690fc0b8c9e89586e8ced004f4b5d87e17301d7b40 |
memory/1616-19-0x0000000000400000-0x00000000004D0000-memory.dmp
memory/1732-21-0x0000000000400000-0x000000000045D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabE88E.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/1616-36-0x0000000000400000-0x00000000004D0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\TarF744.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
memory/1616-137-0x0000000000400000-0x00000000004D0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7f2bb387f282c6049da4ccb144e590cc |
| SHA1 | d7900cdb207b452c722dc6d55a25bf3357e2b9a9 |
| SHA256 | fb39b872088c159570524e098b18e94fe822f30515656f7c78d120eea184b1ea |
| SHA512 | ae4062a3ef2d47cd5f4fb96f7a8963f2ec0ee6f789799e0a7be1f4bc3ddb8a60790c9d24339f5d1e1b4a0f3f5bf5d47b315d1cd267e107bb0dd59f3fc8e3b804 |
memory/1616-334-0x0000000000400000-0x00000000004D0000-memory.dmp
memory/1616-337-0x0000000000400000-0x00000000004D0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e5b430e9c7fedc04497a9c6d8e0d3cf5 |
| SHA1 | 37ecab8ffcd4cd1f9b94711f76641b2c96d902ae |
| SHA256 | b6cb548b3d7dd1dc92cf934466a5945f019eb413fe2f23a19598205df9296f85 |
| SHA512 | f0fcf2e1e21997775a4b22aade4222fb3fc244bd4f0e7bfb1e479df87068164536fe931b3415da1a8c0595758fe5ed7b636f4796e4edb07ec94fd2d332ce673a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ee6659a2c36342f56ddcd6dccf480ded |
| SHA1 | ca5bf991e7193e90822398606002e30efa07d221 |
| SHA256 | 5b292a6bcc8249099a731d7f2f4ff8508844ec6bc16b63caf9221c99214c74e3 |
| SHA512 | 01bee0c4e36ed522ee93731eff3ada71bddaab2d0829d4c5fe27bcaa492d739fdc321e39d5e561e4925589cdb6d0aca42611ff44eb6ceb114d9b57e504001343 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0456ce20734f12838a4df9573433eef9 |
| SHA1 | 270dfadad84bf3fef153c19e86770b491be03ede |
| SHA256 | b7163b6ca29954e7fc0a62b8e7e2a08e8f527b6c128f22e3ad79a3d10b3e89a2 |
| SHA512 | 96d061b3d5932ed3b2ffbba8d48aaca131957735152aa0d4293ddd76391fd97dbb57432918a628c6912cbc8f836c477073b4b49f27e3433a8af56a0326dc9c11 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 15e06708608003d2e694ad2023381f87 |
| SHA1 | 125498151ffbf9e98468e8e29dc421c731ec990d |
| SHA256 | 71bfc9720ee41cfadadd5fe042f690e6e92c9091064470d46f61e95b62d2bd14 |
| SHA512 | 24956ea88838bc47349e18bc33c3948c643daccc5a2db250e43f89e776def22c65fa7c01bdc2cdaf1219cd9bff9e9d48383e5a75820143a7980b1b86a5b1d23a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 86dcfe1613edb6cdb7688f80c21a350b |
| SHA1 | 8ed82fb7520f3b6f38112383b7731759baa18dee |
| SHA256 | 7abcac79319de40b7374f05558f313a0d295bea9ea02eaa8c9713466c453436b |
| SHA512 | 871c4e0358009a1de300bf4ed0bd01258fcaa8fb8507f64598d6b5e6f2ce0acaf032bd9d412519a93474a3240f69982f28b5051c17f3a32b465c1e933bf1ad1c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bb683931b113812c88325ab5f7e2f76f |
| SHA1 | 57cf185cbbf3cf7554e6c5cae947160e561b74a8 |
| SHA256 | 39c38a9e14022ecde0dade166c178f8dbd0687d783d70628d2eff039c6280358 |
| SHA512 | 3430763cfda9b97d1201f5c9e5767856f7d9e3f9f73cd77ec74d16d260b00220077efe832cbb6f7e883fb9d8cf4d9753e73746d8c6596e7d90d25c33134f77bf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | faa84a7a2acf642e4d951a4dfb245b5b |
| SHA1 | c18d3cbe4ade991328aadce58bf5e3169ee01743 |
| SHA256 | 4e31a7211577ff4ce936380ac5f8e48debf9238e82342ca8388dd73f388161fd |
| SHA512 | 9797751d3f189d2b6b31b6500458ade53f2423cf0c459b8e993664ef2bb797d1ec4f20c183b103fa1a672158ba2e1cb4c7a1cc07e1a0dabdb53489cba48bed02 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 60f966976f5f73b96b460a8f3a72f4f3 |
| SHA1 | bfc5afa7837f343e7b7dfededb0addc5a40ca086 |
| SHA256 | d181aee88353fe4f335878edf38ce83db0f3f6e5bdc72d54ef69acd5121e4e6a |
| SHA512 | fd912be31d8d9a3c65eb16ddabac5c208c38eda8146509851dac764b7948dcb55322ba1e001300570c30b4e3a8295a7a61bad46fcec14ef456d868e675cdd783 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f8346cf9748581b7f08949eae3635a34 |
| SHA1 | 78e72d202aebc41700c79fe1c447fda128f3bdc6 |
| SHA256 | 2dba7d3dc2f8b98ca6e731b02219736c0a1d7aa6a376c99c32b2918c07f4b860 |
| SHA512 | 77b2c66d64282676b7f9683fc9b4e49e7dd70220488765dc32d0ca9fc5bf5d285f1ddc99a6178082a80cefaf0a5ca81e10e7e8b5f7f8c6fe7a8075621d18e1d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 446c621dc0be0f3814d9a1cadc461ad1 |
| SHA1 | 66a702ca448eda1cba5d1f06c89ea147fde2d085 |
| SHA256 | 13f9ac672e005653f576a71bd940af9a97f305672bd080590a3f13dbf7158d2b |
| SHA512 | 637c7bf2315fc0cbfd427794a8835f036a351efc3b019abc33d1e03d6688a97ad4419118858e6d238c7fbdb452c2b3445cc5e6fec02dc3130f322b2f257deb9f |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-27 22:46
Reported
2025-02-27 22:49
Platform
win10v2004-20250217-en
Max time kernel
150s
Max time network
143s
Command Line
Signatures
Darkcomet
Darkcomet family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe
"C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe"
C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3588 -ip 3588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 264
Network
| Country | Destination | Domain | Proto |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
Files
memory/4896-0-0x0000000000400000-0x00000000004D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
| MD5 | d5ca6e1f080abc64bbb11e098acbeabb |
| SHA1 | 1849634bf5a65e1baddddd4452c99dfa003e2647 |
| SHA256 | 30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae |
| SHA512 | aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161 |
memory/3588-6-0x0000000000560000-0x0000000000561000-memory.dmp
memory/3588-5-0x0000000000400000-0x000000000045D000-memory.dmp
memory/4896-7-0x00000000022B0000-0x00000000022B1000-memory.dmp
memory/4896-9-0x0000000000400000-0x00000000004D0000-memory.dmp
memory/4896-10-0x0000000000400000-0x00000000004D0000-memory.dmp
memory/4896-12-0x0000000000400000-0x00000000004D0000-memory.dmp
memory/4896-14-0x0000000000400000-0x00000000004D0000-memory.dmp
memory/4896-17-0x0000000000400000-0x00000000004D0000-memory.dmp
memory/4896-19-0x0000000000400000-0x00000000004D0000-memory.dmp
memory/4896-21-0x0000000000400000-0x00000000004D0000-memory.dmp
memory/4896-23-0x0000000000400000-0x00000000004D0000-memory.dmp