darkcomet | abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
Size

3.9MB
MD5

f27d249fcd2da61d8cc70487604d8fd0
SHA1

fb2e59f60a39c49feb4e7c4e6f2c7a82695cf037
SHA256

abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db
SHA512

d9c1d9319081cf33900e456cf0975f9ab356b3d2fbe1d43113d4e184342ca5b02472c439f2edd5272ad27f3a57a955dde7e3f05e487e3acfdd043d4e1d554b39
SSDEEP

98304:8lX3KMj7yBNUVPhd5G0Z5DxdM3hZpmBAlB6D4tyX6kuT4IkQApCgvms0Cv05J5Cz:8lX3KMj7yBNUVPhd5G0Z5DxdM3hZpmBz

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Soundcrd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Soundcrd.exe
Executes dropped EXE 3 IoCs

Processes:

Soundcrd.exeSoundcrd.exeSoundcrd.exe

pid process

2680 Soundcrd.exe
2712 Soundcrd.exe
2788 Soundcrd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Soundcrd.exe

pid	process
2680	Soundcrd.exe
2712	Soundcrd.exe
2788	Soundcrd.exe

Loads dropped DLL 7 IoCs

Processes:

abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exeSoundcrd.exe

pid	process
2136	abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
2136	abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
2136	abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
2136	abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
2136	abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
2680	Soundcrd.exe
2680	Soundcrd.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2712-48-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-50-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2788-56-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2788-55-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2788-59-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2788-53-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2712-52-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-60-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-62-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-61-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-63-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-65-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-64-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2788-67-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2712-66-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-68-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-71-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-75-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-77-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-81-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-83-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-87-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-89-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2712-93-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoftt = "C:\\Users\\Admin\\AppData\\Roaming\\Soundcrd.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Soundcrd.exe

description pid process target process

PID 2680 set thread context of 2712 2680 Soundcrd.exe Soundcrd.exe
PID 2680 set thread context of 2788 2680 Soundcrd.exe Soundcrd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2680 set thread context of 2712	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 set thread context of 2788	2680	Soundcrd.exe	Soundcrd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Soundcrd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Soundcrd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Soundcrd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Soundcrd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Soundcrd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

Soundcrd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier Soundcrd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Soundcrd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

Soundcrd.exeSoundcrd.exe

description	pid	process
Token: SeDebugPrivilege	2788	Soundcrd.exe
Token: SeIncreaseQuotaPrivilege	2712	Soundcrd.exe
Token: SeSecurityPrivilege	2712	Soundcrd.exe
Token: SeTakeOwnershipPrivilege	2712	Soundcrd.exe
Token: SeLoadDriverPrivilege	2712	Soundcrd.exe
Token: SeSystemProfilePrivilege	2712	Soundcrd.exe
Token: SeSystemtimePrivilege	2712	Soundcrd.exe
Token: SeProfSingleProcessPrivilege	2712	Soundcrd.exe
Token: SeIncBasePriorityPrivilege	2712	Soundcrd.exe
Token: SeCreatePagefilePrivilege	2712	Soundcrd.exe
Token: SeBackupPrivilege	2712	Soundcrd.exe
Token: SeRestorePrivilege	2712	Soundcrd.exe
Token: SeShutdownPrivilege	2712	Soundcrd.exe
Token: SeDebugPrivilege	2712	Soundcrd.exe
Token: SeSystemEnvironmentPrivilege	2712	Soundcrd.exe
Token: SeChangeNotifyPrivilege	2712	Soundcrd.exe
Token: SeRemoteShutdownPrivilege	2712	Soundcrd.exe
Token: SeUndockPrivilege	2712	Soundcrd.exe
Token: SeManageVolumePrivilege	2712	Soundcrd.exe
Token: SeImpersonatePrivilege	2712	Soundcrd.exe
Token: SeCreateGlobalPrivilege	2712	Soundcrd.exe
Token: 33	2712	Soundcrd.exe
Token: 34	2712	Soundcrd.exe
Token: 35	2712	Soundcrd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exeSoundcrd.exeSoundcrd.exe

pid process

2136 abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
2680 Soundcrd.exe
2788 Soundcrd.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.execmd.exeSoundcrd.exe

description	pid	process	target process
PID 2136 wrote to memory of 2656	2136	abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 2656	2136	abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 2656	2136	abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe	cmd.exe
PID 2136 wrote to memory of 2656	2136	abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe	cmd.exe
PID 2656 wrote to memory of 2596	2656	cmd.exe	reg.exe
PID 2656 wrote to memory of 2596	2656	cmd.exe	reg.exe
PID 2656 wrote to memory of 2596	2656	cmd.exe	reg.exe
PID 2656 wrote to memory of 2596	2656	cmd.exe	reg.exe
PID 2136 wrote to memory of 2680	2136	abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe	Soundcrd.exe
PID 2136 wrote to memory of 2680	2136	abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe	Soundcrd.exe
PID 2136 wrote to memory of 2680	2136	abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe	Soundcrd.exe
PID 2136 wrote to memory of 2680	2136	abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe	Soundcrd.exe
PID 2680 wrote to memory of 2712	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2712	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2712	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2712	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2712	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2712	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2712	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2712	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2712	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2788	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2788	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2788	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2788	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2788	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2788	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2788	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2788	2680	Soundcrd.exe	Soundcrd.exe
PID 2680 wrote to memory of 2788	2680	Soundcrd.exe	Soundcrd.exe

C:\Users\Admin\AppData\Local\Temp\abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zMelH.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
3⤵
- Adds Run key to start application
PID:2596

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
"C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zMelH.bat
Filesize
139B

MD5
173bcce4810d4901872d0ef4f0bfea4e

SHA1
561b03fdfe68b6419fddf57f32e1aab9a6126a2f

SHA256
10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d

SHA512
2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e

Download Submit
\Users\Admin\AppData\Roaming\Soundcrd.exe
Filesize
3.9MB

MD5
4e238d4d9a0828f9f64e73afa3efecc2

SHA1
159e224228bb04844d1b8ba6f6a7a14b71cd81bd

SHA256
190d03c555b435115850d24576dca6a984457e317eb4ab3e551181fcfd7373a8

SHA512
649a5fd3a6a54e087eee4ae51443a15229ccdaf83826403e6719cdc4790b9b16d27162f7e5c3285100413bcb4b8518ac7387a3fca6d50792e59b6cded57b0645

Download Submit
memory/2136-0-0x0000000000400000-0x00000000007E8000-memory.dmp

Filesize
3.9MB

Download
memory/2712-68-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-65-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-93-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-89-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-87-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-83-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-52-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-60-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-62-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-61-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-63-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-50-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-64-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-81-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-66-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-48-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-71-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-75-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2712-77-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2788-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2788-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2788-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2788-55-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2788-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download