darkcomet | b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe
Size

592KB
MD5

98b51f04898b8757199f80df89f0ea80
SHA1

0e333d6fa0ec2ea43b354a4e09d531e3fd748901
SHA256

b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615
SHA512

7cf8b0c15731b856f9b197f99eb87db92b86c9bd04ad7ef0c0fb7efb0a79bffdca1c4c58c07156d8f0ad930384cf70a7b195db5d31d5e269b23ebdbd470da4f8
SSDEEP

12288:wcWRJxhIUKofd9S88itJsL6s8GwUF81yn0FI/6IC0XoS2:TW/xhIUKofSytJsL6HUP0OHCP

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Soundcrd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Soundcrd.exe
Executes dropped EXE 3 IoCs

Processes:

Soundcrd.exeSoundcrd.exeSoundcrd.exe

pid process

2844 Soundcrd.exe
2596 Soundcrd.exe
2848 Soundcrd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Soundcrd.exe

pid	process
2844	Soundcrd.exe
2596	Soundcrd.exe
2848	Soundcrd.exe

Loads dropped DLL 6 IoCs

Processes:

b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exeSoundcrd.exe

pid	process
2204	b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe
2204	b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe
2204	b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe
2204	b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe
2204	b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe
2844	Soundcrd.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2204-2-0x0000000000400000-0x00000000007EB000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Soundcrd.exe	upx
behavioral1/memory/2204-42-0x00000000038A0000-0x0000000003C8B000-memory.dmp	upx
behavioral1/memory/2204-47-0x0000000000400000-0x00000000007EB000-memory.dmp	upx
behavioral1/memory/2844-51-0x0000000000400000-0x00000000007EB000-memory.dmp	upx
behavioral1/memory/2848-62-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2596-63-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2848-61-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2844-65-0x0000000000400000-0x00000000007EB000-memory.dmp	upx
behavioral1/memory/2848-58-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2596-57-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2596-55-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2596-68-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2596-69-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2596-70-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2596-71-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2596-73-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2596-72-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2596-74-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2848-75-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2596-78-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2596-82-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2596-86-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2596-90-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2596-96-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2596-100-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoftt = "C:\\Users\\Admin\\AppData\\Roaming\\Soundcrd.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Soundcrd.exe

description pid process target process

PID 2844 set thread context of 2596 2844 Soundcrd.exe Soundcrd.exe
PID 2844 set thread context of 2848 2844 Soundcrd.exe Soundcrd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2844 set thread context of 2596	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 set thread context of 2848	2844	Soundcrd.exe	Soundcrd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Soundcrd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Soundcrd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Soundcrd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Soundcrd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Soundcrd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

Soundcrd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier Soundcrd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Soundcrd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

Soundcrd.exeSoundcrd.exe

description	pid	process
Token: SeDebugPrivilege	2848	Soundcrd.exe
Token: SeIncreaseQuotaPrivilege	2596	Soundcrd.exe
Token: SeSecurityPrivilege	2596	Soundcrd.exe
Token: SeTakeOwnershipPrivilege	2596	Soundcrd.exe
Token: SeLoadDriverPrivilege	2596	Soundcrd.exe
Token: SeSystemProfilePrivilege	2596	Soundcrd.exe
Token: SeSystemtimePrivilege	2596	Soundcrd.exe
Token: SeProfSingleProcessPrivilege	2596	Soundcrd.exe
Token: SeIncBasePriorityPrivilege	2596	Soundcrd.exe
Token: SeCreatePagefilePrivilege	2596	Soundcrd.exe
Token: SeBackupPrivilege	2596	Soundcrd.exe
Token: SeRestorePrivilege	2596	Soundcrd.exe
Token: SeShutdownPrivilege	2596	Soundcrd.exe
Token: SeDebugPrivilege	2596	Soundcrd.exe
Token: SeSystemEnvironmentPrivilege	2596	Soundcrd.exe
Token: SeChangeNotifyPrivilege	2596	Soundcrd.exe
Token: SeRemoteShutdownPrivilege	2596	Soundcrd.exe
Token: SeUndockPrivilege	2596	Soundcrd.exe
Token: SeManageVolumePrivilege	2596	Soundcrd.exe
Token: SeImpersonatePrivilege	2596	Soundcrd.exe
Token: SeCreateGlobalPrivilege	2596	Soundcrd.exe
Token: 33	2596	Soundcrd.exe
Token: 34	2596	Soundcrd.exe
Token: 35	2596	Soundcrd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exeSoundcrd.exeSoundcrd.exe

pid process

2204 b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe
2844 Soundcrd.exe
2848 Soundcrd.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.execmd.exeSoundcrd.exe

description	pid	process	target process
PID 2204 wrote to memory of 2740	2204	b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe	cmd.exe
PID 2204 wrote to memory of 2740	2204	b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe	cmd.exe
PID 2204 wrote to memory of 2740	2204	b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe	cmd.exe
PID 2204 wrote to memory of 2740	2204	b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe	cmd.exe
PID 2740 wrote to memory of 2688	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2688	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2688	2740	cmd.exe	reg.exe
PID 2740 wrote to memory of 2688	2740	cmd.exe	reg.exe
PID 2204 wrote to memory of 2844	2204	b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe	Soundcrd.exe
PID 2204 wrote to memory of 2844	2204	b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe	Soundcrd.exe
PID 2204 wrote to memory of 2844	2204	b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe	Soundcrd.exe
PID 2204 wrote to memory of 2844	2204	b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe	Soundcrd.exe
PID 2844 wrote to memory of 2596	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2596	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2596	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2596	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2596	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2596	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2596	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2596	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2596	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2848	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2848	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2848	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2848	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2848	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2848	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2848	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2848	2844	Soundcrd.exe	Soundcrd.exe
PID 2844 wrote to memory of 2848	2844	Soundcrd.exe	Soundcrd.exe

C:\Users\Admin\AppData\Local\Temp\b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b6bbe147538898e448d30ee1e86f89bc1f1bb37ac6fa0960195cbd589e6bb615_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QuAPy.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
3⤵
- Adds Run key to start application
PID:2688

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
"C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2848

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QuAPy.bat
Filesize
139B

MD5
173bcce4810d4901872d0ef4f0bfea4e

SHA1
561b03fdfe68b6419fddf57f32e1aab9a6126a2f

SHA256
10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d

SHA512
2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e

Download Submit
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
Filesize
592KB

MD5
2cf025cb06e3d945756e7978e412410b

SHA1
830b16d5456810ce2d47f123a168d6f066c94386

SHA256
96b291eba7f017960997ba3c568c032080cc63682af6b4c7f9ae41b46a8f1474

SHA512
837957cb2cea46896080b9b9024c5708af9604875587fed29ebfebe34c641200a0163f192995cb6f32d588555e881652cbf3f425bfce94e1a94be4fde535d728

Download Submit
memory/2204-2-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/2204-42-0x00000000038A0000-0x0000000003C8B000-memory.dmp

Filesize
3.9MB

Download
memory/2204-48-0x00000000038A0000-0x0000000003C8B000-memory.dmp

Filesize
3.9MB

Download
memory/2204-47-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/2204-45-0x00000000038A0000-0x0000000003C8B000-memory.dmp

Filesize
3.9MB

Download
memory/2204-43-0x00000000038A0000-0x0000000003C8B000-memory.dmp

Filesize
3.9MB

Download
memory/2596-57-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-82-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-63-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-100-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-96-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-90-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-86-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-78-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-55-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-68-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-69-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-70-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-71-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-73-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-72-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2596-74-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2844-51-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/2844-54-0x0000000002BC0000-0x0000000002FAB000-memory.dmp

Filesize
3.9MB

Download
memory/2844-65-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/2848-75-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2848-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2848-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2848-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download