darkcomet | a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe
Size

592KB
MD5

caf13619e85c7ef3cea9571699eb1960
SHA1

b930f261d0aabfa5752396b835550b59549f5a7f
SHA256

a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91
SHA512

c1d48391b610f02eb83ec23113c98fe5a062919999290bd1e1272264a5603a311454abcf3ef1953781080eba814c1de227d595b6ba96241f843f980d103b8013
SSDEEP

12288:wcWRJxhIUKofd9S88itJsL6s8GwUF81yn0FI/6IC0XoS+:TW/xhIUKofSytJsL6HUP0OHC3

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Soundcrd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Soundcrd.exe
Executes dropped EXE 3 IoCs

Processes:

Soundcrd.exeSoundcrd.exeSoundcrd.exe

pid process

2596 Soundcrd.exe
2584 Soundcrd.exe
2364 Soundcrd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Soundcrd.exe

pid	process
2596	Soundcrd.exe
2584	Soundcrd.exe
2364	Soundcrd.exe

Loads dropped DLL 6 IoCs

Processes:

a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exeSoundcrd.exe

pid	process
1900	a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe
1900	a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe
1900	a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe
1900	a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe
1900	a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe
2596	Soundcrd.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1900-0-0x0000000000400000-0x00000000007EB000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Soundcrd.exe	upx
behavioral1/memory/1900-44-0x0000000000400000-0x00000000007EB000-memory.dmp	upx
behavioral1/memory/2596-46-0x0000000000400000-0x00000000007EB000-memory.dmp	upx
behavioral1/memory/2584-53-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2584-51-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2584-54-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2584-55-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2584-56-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2584-57-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2364-58-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2584-59-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2584-66-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2364-63-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2364-62-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2584-67-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2596-68-0x0000000000400000-0x00000000007EB000-memory.dmp	upx
behavioral1/memory/2584-69-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2364-70-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2584-73-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2584-77-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2584-81-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2584-85-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2584-89-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2584-93-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoftt = "C:\\Users\\Admin\\AppData\\Roaming\\Soundcrd.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Soundcrd.exe

description pid process target process

PID 2596 set thread context of 2584 2596 Soundcrd.exe Soundcrd.exe
PID 2596 set thread context of 2364 2596 Soundcrd.exe Soundcrd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2596 set thread context of 2584	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 set thread context of 2364	2596	Soundcrd.exe	Soundcrd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Soundcrd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Soundcrd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Soundcrd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Soundcrd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Soundcrd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

Soundcrd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier Soundcrd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Soundcrd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

Soundcrd.exeSoundcrd.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2584	Soundcrd.exe
Token: SeSecurityPrivilege	2584	Soundcrd.exe
Token: SeTakeOwnershipPrivilege	2584	Soundcrd.exe
Token: SeLoadDriverPrivilege	2584	Soundcrd.exe
Token: SeSystemProfilePrivilege	2584	Soundcrd.exe
Token: SeSystemtimePrivilege	2584	Soundcrd.exe
Token: SeProfSingleProcessPrivilege	2584	Soundcrd.exe
Token: SeIncBasePriorityPrivilege	2584	Soundcrd.exe
Token: SeCreatePagefilePrivilege	2584	Soundcrd.exe
Token: SeBackupPrivilege	2584	Soundcrd.exe
Token: SeRestorePrivilege	2584	Soundcrd.exe
Token: SeShutdownPrivilege	2584	Soundcrd.exe
Token: SeDebugPrivilege	2584	Soundcrd.exe
Token: SeSystemEnvironmentPrivilege	2584	Soundcrd.exe
Token: SeDebugPrivilege	2364	Soundcrd.exe
Token: SeChangeNotifyPrivilege	2584	Soundcrd.exe
Token: SeRemoteShutdownPrivilege	2584	Soundcrd.exe
Token: SeUndockPrivilege	2584	Soundcrd.exe
Token: SeManageVolumePrivilege	2584	Soundcrd.exe
Token: SeImpersonatePrivilege	2584	Soundcrd.exe
Token: SeCreateGlobalPrivilege	2584	Soundcrd.exe
Token: 33	2584	Soundcrd.exe
Token: 34	2584	Soundcrd.exe
Token: 35	2584	Soundcrd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exeSoundcrd.exeSoundcrd.exe

pid process

1900 a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe
2596 Soundcrd.exe
2364 Soundcrd.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.execmd.exeSoundcrd.exe

description	pid	process	target process
PID 1900 wrote to memory of 2684	1900	a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe	cmd.exe
PID 1900 wrote to memory of 2684	1900	a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe	cmd.exe
PID 1900 wrote to memory of 2684	1900	a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe	cmd.exe
PID 1900 wrote to memory of 2684	1900	a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe	cmd.exe
PID 2684 wrote to memory of 2708	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2708	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2708	2684	cmd.exe	reg.exe
PID 2684 wrote to memory of 2708	2684	cmd.exe	reg.exe
PID 1900 wrote to memory of 2596	1900	a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe	Soundcrd.exe
PID 1900 wrote to memory of 2596	1900	a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe	Soundcrd.exe
PID 1900 wrote to memory of 2596	1900	a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe	Soundcrd.exe
PID 1900 wrote to memory of 2596	1900	a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe	Soundcrd.exe
PID 2596 wrote to memory of 2584	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2584	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2584	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2584	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2584	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2584	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2584	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2584	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2584	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2364	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2364	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2364	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2364	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2364	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2364	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2364	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2364	2596	Soundcrd.exe	Soundcrd.exe
PID 2596 wrote to memory of 2364	2596	Soundcrd.exe	Soundcrd.exe

C:\Users\Admin\AppData\Local\Temp\a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BRuvM.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
3⤵
- Adds Run key to start application
PID:2708

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
"C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2364

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BRuvM.bat
Filesize
139B

MD5
173bcce4810d4901872d0ef4f0bfea4e

SHA1
561b03fdfe68b6419fddf57f32e1aab9a6126a2f

SHA256
10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d

SHA512
2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e

Download Submit
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
Filesize
592KB

MD5
bdb5e1da363bb2351bfcd6d8826e312d

SHA1
359fd537ab64283f9e465c6ae0f34711f1bcbb9c

SHA256
79b2df6b0d97202ec640b79dd80fd1b53a979ee039f72b843246b353e663ab74

SHA512
87897d1492768bab84bf999d6a74b7bb137486067026cc37d9d32f0796be91b16924f95f847c990b85bd7079fc55998c1a68eaa32f7d58ebcd0d92592342e981

Download Submit
memory/1900-44-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/1900-43-0x0000000003900000-0x0000000003CEB000-memory.dmp

Filesize
3.9MB

Download
memory/1900-0-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/2364-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2364-70-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2364-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2364-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2584-53-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-77-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-57-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-55-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-59-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-66-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-54-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-51-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-67-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-93-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-69-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-89-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-73-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-56-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-81-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2584-85-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-46-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/2596-68-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download