darkcomet | 8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
Size

520KB
MD5

42bf129f0e8e8684a73343957010c260
SHA1

08a53f4ec0df529165714bad851c348d064bf18d
SHA256

8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001
SHA512

b370798551811e508a96d0fbf71f796f38a272ac6b31269a358d4325d1a0de4499b6d068d826dd51eba6a7dd59d9b20e643407a39ab2169283fc3421d82df022
SSDEEP

6144:f9GGo2CwtGg6eeihEfph2CMvvqqSaYwpncOeC66AOa0aFtVEQfTo1ozVqMbQ:f9fC3hh29Ya77A90aFtDfT5IMbQ

Score

10^/10

darkcomet privateeye rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

PrivateEye

ratblackshades.no-ip.biz:1604

Mutex

DC_MUTEX-ACC1R98

Attributes

gencode
8GG5LVVGljSF
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

winupd.exewinupd.exewinupd.exe

pid process

2704 winupd.exe
1396 winupd.exe
3260 winupd.exe

pid	process
2704	winupd.exe
1396	winupd.exe
3260	winupd.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3260-24-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-29-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-30-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-34-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-37-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-35-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-36-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-40-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-41-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-42-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-43-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-44-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-45-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-46-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-47-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-48-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-49-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3260-50-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exewinupd.exe

description	pid	process	target process
PID 1500 set thread context of 2324	1500	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 2704 set thread context of 1396	2704	winupd.exe	winupd.exe
PID 2704 set thread context of 3260	2704	winupd.exe	winupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1264 4632 WerFault.exe ipconfig.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4632 ipconfig.exe

pid	pid_target	process	target process
1264	4632	WerFault.exe	ipconfig.exe

pid	process
4632	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

winupd.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3260	winupd.exe
Token: SeSecurityPrivilege	3260	winupd.exe
Token: SeTakeOwnershipPrivilege	3260	winupd.exe
Token: SeLoadDriverPrivilege	3260	winupd.exe
Token: SeSystemProfilePrivilege	3260	winupd.exe
Token: SeSystemtimePrivilege	3260	winupd.exe
Token: SeProfSingleProcessPrivilege	3260	winupd.exe
Token: SeIncBasePriorityPrivilege	3260	winupd.exe
Token: SeCreatePagefilePrivilege	3260	winupd.exe
Token: SeBackupPrivilege	3260	winupd.exe
Token: SeRestorePrivilege	3260	winupd.exe
Token: SeShutdownPrivilege	3260	winupd.exe
Token: SeDebugPrivilege	3260	winupd.exe
Token: SeSystemEnvironmentPrivilege	3260	winupd.exe
Token: SeChangeNotifyPrivilege	3260	winupd.exe
Token: SeRemoteShutdownPrivilege	3260	winupd.exe
Token: SeUndockPrivilege	3260	winupd.exe
Token: SeManageVolumePrivilege	3260	winupd.exe
Token: SeImpersonatePrivilege	3260	winupd.exe
Token: SeCreateGlobalPrivilege	3260	winupd.exe
Token: 33	3260	winupd.exe
Token: 34	3260	winupd.exe
Token: 35	3260	winupd.exe
Token: 36	3260	winupd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exewinupd.exewinupd.exewinupd.exe

pid	process
1500	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
2324	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
2704	winupd.exe
1396	winupd.exe
3260	winupd.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exewinupd.exewinupd.exe

description	pid	process	target process
PID 1500 wrote to memory of 2324	1500	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1500 wrote to memory of 2324	1500	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1500 wrote to memory of 2324	1500	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1500 wrote to memory of 2324	1500	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1500 wrote to memory of 2324	1500	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1500 wrote to memory of 2324	1500	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1500 wrote to memory of 2324	1500	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1500 wrote to memory of 2324	1500	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 2324 wrote to memory of 2704	2324	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe	winupd.exe
PID 2324 wrote to memory of 2704	2324	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe	winupd.exe
PID 2324 wrote to memory of 2704	2324	8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe	winupd.exe
PID 2704 wrote to memory of 1396	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 1396	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 1396	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 1396	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 1396	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 1396	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 1396	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 1396	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 3260	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 3260	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 3260	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 3260	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 3260	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 3260	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 3260	2704	winupd.exe	winupd.exe
PID 2704 wrote to memory of 3260	2704	winupd.exe	winupd.exe
PID 1396 wrote to memory of 4632	1396	winupd.exe	ipconfig.exe
PID 1396 wrote to memory of 4632	1396	winupd.exe	ipconfig.exe
PID 1396 wrote to memory of 4632	1396	winupd.exe	ipconfig.exe
PID 1396 wrote to memory of 4632	1396	winupd.exe	ipconfig.exe
PID 1396 wrote to memory of 4632	1396	winupd.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
5⤵
- Gathers network information
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 272
6⤵
- Program crash
PID:1264

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4632 -ip 4632
1⤵
PID:4528

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
Filesize
520KB

MD5
d50a16d4981310391332e4a626a7130c

SHA1
cd0aa734ab80535d462a651ba7ad61d93f0c27e4

SHA256
fac7914e8034d0485fb6d1701443932b6d3e7b7eb01c470e413b42a88ebdac36

SHA512
7f9e06e73a02cccaa1d1259e61113c09e6e6c47e8e251b62b24af429c24d6d1e7bb2be5a90a41a15ddf5eb4f999dab5fd12cd6f5e3ce2111bd02eb1cbf5b88c3

Download Submit
memory/1396-38-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1500-7-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1500-6-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1500-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1500-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2324-5-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2324-3-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2324-18-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2704-28-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2704-27-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3260-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-42-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-34-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-29-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-35-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-36-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-24-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-41-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-30-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-43-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-44-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-45-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-46-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-47-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-48-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-49-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3260-50-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download