Overview

overview

10

Static

static

7

a8175b8544...cs.exe

windows7-x64

10

a8175b8544...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 19:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe

  • Size

    592KB

  • MD5

    caf13619e85c7ef3cea9571699eb1960

  • SHA1

    b930f261d0aabfa5752396b835550b59549f5a7f

  • SHA256

    a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91

  • SHA512

    c1d48391b610f02eb83ec23113c98fe5a062919999290bd1e1272264a5603a311454abcf3ef1953781080eba814c1de227d595b6ba96241f843f980d103b8013

  • SSDEEP

    12288:wcWRJxhIUKofd9S88itJsL6s8GwUF81yn0FI/6IC0XoS+:TW/xhIUKofSytJsL6HUP0OHC3

Score
10/10
darkcometpersistencerattrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgpor.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2260
    • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      "C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3232
      • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:208
      • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4320

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\qgpor.txt
    Filesize

    139B

    MD5

    173bcce4810d4901872d0ef4f0bfea4e

    SHA1

    561b03fdfe68b6419fddf57f32e1aab9a6126a2f

    SHA256

    10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d

    SHA512

    2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Soundcrd.txt
    Filesize

    592KB

    MD5

    0e7f6a5ec41a635b8a231189d605206e

    SHA1

    c6229f8b5b5a09ac7d95660dcc37044c4c0c04b7

    SHA256

    321db5c4d090bf2434d0aa562731562ca82a17590330fc0b1ba69f4124d79c5a

    SHA512

    830eb309173b87006d01e07a3bcc2ca5abd168675203ecafe998305cf14de7941c62e4789b219012d4c4d3da02857b05fda1761e71a7b0af15157f6e392b23fc

    Download Submit
  • memory/208-51-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/208-72-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/208-60-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/208-33-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/208-35-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/208-50-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/208-56-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/208-44-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/208-46-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/208-68-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/208-52-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/208-76-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/208-49-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/208-64-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/208-36-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize

    724KB

    Download
  • memory/372-30-0x0000000000400000-0x00000000007EB000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/372-0-0x0000000000400000-0x00000000007EB000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/3232-45-0x0000000000400000-0x00000000007EB000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/3232-28-0x0000000000400000-0x00000000007EB000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/4320-42-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/4320-53-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/4320-40-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/4320-37-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download