Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
29-06-2024 12:40
General
-
Target
abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
-
Size
3.9MB
-
MD5
f27d249fcd2da61d8cc70487604d8fd0
-
SHA1
fb2e59f60a39c49feb4e7c4e6f2c7a82695cf037
-
SHA256
abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db
-
SHA512
d9c1d9319081cf33900e456cf0975f9ab356b3d2fbe1d43113d4e184342ca5b02472c439f2edd5272ad27f3a57a955dde7e3f05e487e3acfdd043d4e1d554b39
-
SSDEEP
98304:8lX3KMj7yBNUVPhd5G0Z5DxdM3hZpmBAlB6D4tyX6kuT4IkQApCgvms0Cv05J5Cz:8lX3KMj7yBNUVPhd5G0Z5DxdM3hZpmBz
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoNle.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f3⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Soundcrd.exe"C:\Users\Admin\AppData\Roaming\Soundcrd.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Soundcrd.exeC:\Users\Admin\AppData\Roaming\Soundcrd.exe3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Soundcrd.exeC:\Users\Admin\AppData\Roaming\Soundcrd.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DoNle.txtFilesize
139B
MD5173bcce4810d4901872d0ef4f0bfea4e
SHA1561b03fdfe68b6419fddf57f32e1aab9a6126a2f
SHA25610ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d
SHA5122401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e
-
C:\Users\Admin\AppData\Roaming\Soundcrd.txtFilesize
3.9MB
MD56011d9a65795ee49a33c13f938cb5ce2
SHA16af478cdb452fcfd23dcc0c0116bd25e40b8d75e
SHA2565b97efa636e3b79e120c2812c3af211e6c2f9b2bfc11ba12632a3b3ea8ad02f6
SHA5121d3170c6fd2211ca4e62f65b72480da3748c9b035a071f56220d9c13d55b4717e930e86e12bf2100d29b6e723d956581611961762ab330b6ff6f2e32c91a1b7a
-
memory/2096-45-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2096-49-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2096-43-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2096-44-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4108-0-0x0000000000400000-0x00000000007E8000-memory.dmpFilesize
3.9MB
-
memory/5116-48-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-55-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-37-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-41-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-36-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-35-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-34-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-33-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-31-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-50-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-53-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-38-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-57-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-59-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-61-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-63-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-65-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-67-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-69-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-71-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-73-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB
-
memory/5116-75-0x0000000000400000-0x00000000004B5000-memory.dmpFilesize
724KB