darkcomet | 23f173c2ea208d35ebc04be8cebb189348a85228806c367756e72064899f25c0

Analysis

max time kernel
1s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f173c2ea208d35ebc04be8cebb189348a85228806c367756e72064899f25c0_NeikiAnalytics.exe
Size

3.9MB
MD5

783e407833fe0ad2c162e7b0235d9220
SHA1

f020644b862cc00c259341d4d5021d5689bd3994
SHA256

23f173c2ea208d35ebc04be8cebb189348a85228806c367756e72064899f25c0
SHA512

2762f16d80e4b8413b654f89dec715f3d561a021b9d879f5828e1794e87e4c622cdd389227f6dcc6b99326a2d78d75fae49df95e8667cd6f2031c47feb35c13a
SSDEEP

98304:alX3KMj7yBNUVPhd5G0Z5DxdM3hZpmBAlB6D4tyX6kuT4IkQApCgvms0Cv05J5CR:alX3KMj7yBNUVPhd5G0Z5DxdM3hZpmBR

Score

10^/10

darkcomet rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2424-1-0x0000000000400000-0x00000000007EC000-memory.dmp	upx
\Users\Admin\AppData\Roaming\Soundcrd.exe	upx
behavioral1/memory/2424-43-0x00000000039E0000-0x0000000003DCC000-memory.dmp	upx
behavioral1/memory/2424-46-0x0000000000400000-0x00000000007EC000-memory.dmp	upx
behavioral1/memory/2548-53-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2548-52-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2548-50-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2652-49-0x0000000000400000-0x00000000007EC000-memory.dmp	upx
behavioral1/memory/2640-57-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2652-61-0x0000000000400000-0x00000000007EC000-memory.dmp	upx
behavioral1/memory/2640-58-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2548-62-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2640-54-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2548-63-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2548-64-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2548-66-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2548-65-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2640-68-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2548-67-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2424-69-0x00000000039E0000-0x0000000003DCC000-memory.dmp	upx
behavioral1/memory/2548-72-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2548-76-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2548-80-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2548-84-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2548-88-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/2548-94-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

23f173c2ea208d35ebc04be8cebb189348a85228806c367756e72064899f25c0_NeikiAnalytics.exe

pid process

2424 23f173c2ea208d35ebc04be8cebb189348a85228806c367756e72064899f25c0_NeikiAnalytics.exe

pid	process
2424	23f173c2ea208d35ebc04be8cebb189348a85228806c367756e72064899f25c0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\23f173c2ea208d35ebc04be8cebb189348a85228806c367756e72064899f25c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\23f173c2ea208d35ebc04be8cebb189348a85228806c367756e72064899f25c0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mtOIg.bat" "
2⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
3⤵
PID:2676

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
"C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
2⤵
PID:2652

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
3⤵
PID:2548

C:\Users\Admin\AppData\Roaming\Soundcrd.exe
C:\Users\Admin\AppData\Roaming\Soundcrd.exe
3⤵
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mtOIg.bat
Filesize
139B

MD5
173bcce4810d4901872d0ef4f0bfea4e

SHA1
561b03fdfe68b6419fddf57f32e1aab9a6126a2f

SHA256
10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d

SHA512
2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e

Download Submit
\Users\Admin\AppData\Roaming\Soundcrd.exe
Filesize
3.9MB

MD5
2da1ebbe3afe1c7200cf853d9ad0adf4

SHA1
e30b04a6e30b37fa283116962c122daafe573f02

SHA256
a327468edef7d98d8ee1c015af7dee2e73c18fd1b5f5d00ee3661ecd84e15d57

SHA512
ab369fe7f201226c44a20105a30edf12ca47dbe44e7716ca5cba5dfcc69975df7948df43685f193bfedd0b78074ae3ea17c8f43277af1c9cc0a57998ccfd7af2

Download Submit
memory/2424-1-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2424-43-0x00000000039E0000-0x0000000003DCC000-memory.dmp

Filesize
3.9MB

Download
memory/2424-47-0x00000000039E0000-0x0000000003DCC000-memory.dmp

Filesize
3.9MB

Download
memory/2424-46-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2424-69-0x00000000039E0000-0x0000000003DCC000-memory.dmp

Filesize
3.9MB

Download
memory/2548-52-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2548-65-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2548-94-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2548-88-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2548-84-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2548-80-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2548-62-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2548-76-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2548-63-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2548-64-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2548-66-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2548-50-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2548-72-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2548-67-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2548-53-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2640-68-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2640-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2640-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2640-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2652-61-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download
memory/2652-49-0x0000000000400000-0x00000000007EC000-memory.dmp

Filesize
3.9MB

Download