Analysis Overview
SHA256
6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a
Threat Level: Known bad
The file 6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a was found to be: Known bad.
Malicious Activity Summary
Darkcomet
Ramnit family
Darkcomet family
Ramnit
Executes dropped EXE
Loads dropped DLL
UPX packed file
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-27 22:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-27 22:49
Reported
2025-02-27 22:52
Platform
win7-20240903-en
Max time kernel
141s
Max time network
158s
Command Line
Signatures
Darkcomet
Darkcomet family
Ramnit
Ramnit family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2CEE8701-F55D-11EF-A17D-4A174794FC88} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2CF0E861-F55D-11EF-A17D-4A174794FC88} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446858468" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe
"C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe"
C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-27 22:49
Reported
2025-02-27 22:52
Platform
win10v2004-20250217-en
Max time kernel
140s
Max time network
145s
Command Line
Signatures
Darkcomet
Darkcomet family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe
"C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe"
C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4272 -ip 4272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 264
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.16.153.224:443 | www.bing.com | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
| TR | 159.146.115.189:3131 | | tcp |
Files