darkcomet | 2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe
Size

520KB
MD5

9796eb898d3dd8b1bb02fa21b3f653e0
SHA1

4265029d07074436a1843c343a06f47f9d2c099b
SHA256

2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be
SHA512

e63a634b40e227bfbd5cb7fe63425f3be30fa12929529e9e440453b9b19840508b20119ac8b84ea0cb73b40e3103633dedb833ceed8b47fda98c667fce14672a
SSDEEP

6144:f9GGo2CwtGg6eeihEfph2CMvvqqSaYwpncOeC66AOa0aFtVEQfTo1ozVqMbx:f9fC3hh29Ya77A90aFtDfT5IMbx

Score

10^/10

darkcomet privateeye rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

PrivateEye

ratblackshades.no-ip.biz:1604

Mutex

DC_MUTEX-ACC1R98

Attributes

gencode
8GG5LVVGljSF
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

winupd.exewinupd.exewinupd.exe

pid process

1200 winupd.exe
4552 winupd.exe
4948 winupd.exe

pid	process
1200	winupd.exe
4552	winupd.exe
4948	winupd.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4948-29-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-31-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-35-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-34-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-37-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-36-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-25-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-40-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-41-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-42-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-43-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-44-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-45-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-46-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-47-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/4948-48-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exewinupd.exe

description	pid	process	target process
PID 3128 set thread context of 4776	3128	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe
PID 1200 set thread context of 4552	1200	winupd.exe	winupd.exe
PID 1200 set thread context of 4948	1200	winupd.exe	winupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

848 4568 WerFault.exe ipconfig.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4568 ipconfig.exe

pid	pid_target	process	target process
848	4568	WerFault.exe	ipconfig.exe

pid	process
4568	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

winupd.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4948	winupd.exe
Token: SeSecurityPrivilege	4948	winupd.exe
Token: SeTakeOwnershipPrivilege	4948	winupd.exe
Token: SeLoadDriverPrivilege	4948	winupd.exe
Token: SeSystemProfilePrivilege	4948	winupd.exe
Token: SeSystemtimePrivilege	4948	winupd.exe
Token: SeProfSingleProcessPrivilege	4948	winupd.exe
Token: SeIncBasePriorityPrivilege	4948	winupd.exe
Token: SeCreatePagefilePrivilege	4948	winupd.exe
Token: SeBackupPrivilege	4948	winupd.exe
Token: SeRestorePrivilege	4948	winupd.exe
Token: SeShutdownPrivilege	4948	winupd.exe
Token: SeDebugPrivilege	4948	winupd.exe
Token: SeSystemEnvironmentPrivilege	4948	winupd.exe
Token: SeChangeNotifyPrivilege	4948	winupd.exe
Token: SeRemoteShutdownPrivilege	4948	winupd.exe
Token: SeUndockPrivilege	4948	winupd.exe
Token: SeManageVolumePrivilege	4948	winupd.exe
Token: SeImpersonatePrivilege	4948	winupd.exe
Token: SeCreateGlobalPrivilege	4948	winupd.exe
Token: 33	4948	winupd.exe
Token: 34	4948	winupd.exe
Token: 35	4948	winupd.exe
Token: 36	4948	winupd.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exewinupd.exewinupd.exewinupd.exe

pid	process
3128	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe
4776	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe
1200	winupd.exe
4552	winupd.exe
4948	winupd.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exewinupd.exewinupd.exe

description	pid	process	target process
PID 3128 wrote to memory of 4776	3128	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe
PID 3128 wrote to memory of 4776	3128	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe
PID 3128 wrote to memory of 4776	3128	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe
PID 3128 wrote to memory of 4776	3128	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe
PID 3128 wrote to memory of 4776	3128	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe
PID 3128 wrote to memory of 4776	3128	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe
PID 3128 wrote to memory of 4776	3128	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe
PID 3128 wrote to memory of 4776	3128	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe
PID 4776 wrote to memory of 1200	4776	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe	winupd.exe
PID 4776 wrote to memory of 1200	4776	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe	winupd.exe
PID 4776 wrote to memory of 1200	4776	2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe	winupd.exe
PID 1200 wrote to memory of 4552	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4552	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4552	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4552	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4552	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4552	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4552	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4552	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4948	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4948	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4948	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4948	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4948	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4948	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4948	1200	winupd.exe	winupd.exe
PID 1200 wrote to memory of 4948	1200	winupd.exe	winupd.exe
PID 4552 wrote to memory of 4568	4552	winupd.exe	ipconfig.exe
PID 4552 wrote to memory of 4568	4552	winupd.exe	ipconfig.exe
PID 4552 wrote to memory of 4568	4552	winupd.exe	ipconfig.exe
PID 4552 wrote to memory of 4568	4552	winupd.exe	ipconfig.exe
PID 4552 wrote to memory of 4568	4552	winupd.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f5a4ef689e44124705c9f4c288e62ba7771b58e408aa9295db061eee333b8be_NeikiAnalytics.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
5⤵
- Gathers network information
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 272
6⤵
- Program crash
PID:848

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4568 -ip 4568
1⤵
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
Filesize
520KB

MD5
b3ca8cc7f4ccd395b1d9f50c74162758

SHA1
49b35e0dae74a31ff2fac0517fa46417790e369c

SHA256
f5faec4d7c1681a1f5533602572d7be6fa694829b23148bd29128451105a5f31

SHA512
63ac0b53f3d1d1ddb6d1e670a100529de2b54a113d48d55e13097c26b296085532b5a13d5d9ba8b26c91558bd6f1a33a58d026a6dcef1bc49d018bef4a7e9b2c

Download Submit
memory/1200-28-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3128-7-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3128-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3128-6-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/3128-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4552-38-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4776-8-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4776-3-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4776-19-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4948-34-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-40-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-31-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-37-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-36-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-25-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-29-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-35-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-41-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-42-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-43-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-44-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-45-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-46-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-47-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4948-48-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download