darkcomet | be59e12f00679d181237c8a17dc2586a6e3c37f5913d6098cca89999229fa437

General

Target

sonic v kino lanq‮iva.exe
Size

803KB
MD5

a7b16915c0b8e2dd71737ebae5b9a8e8
SHA1

cfafbeb08b6d2379827c69d2f1fa522852d8ce8e
SHA256

be59e12f00679d181237c8a17dc2586a6e3c37f5913d6098cca89999229fa437
SHA512

482090b7ce2860c19bc59ea7c1ee6f2972e26bce398ceee2aff754fb0a8a56129cd48c3cc85ea13e3d6a51379c704362c72c10f79ae313eb58891a0ed0136ee4

Score

10^/10

darkcomet neshta persistence rat spyware stealer trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Detect Neshta Payload 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Откл антивируса.exe	family_neshta
\Users\Admin\AppData\Local\Temp\Откл антивируса.exe	family_neshta
\Users\Admin\AppData\Local\Temp\Откл антивируса.exe	family_neshta
\Users\Admin\AppData\Local\Temp\Откл антивируса.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\Откл антивируса.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

Откл антивируса.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Откл антивируса.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

Откл антивируса.exe

pid process

1052 Откл антивируса.exe
Loads dropped DLL 4 IoCs

Processes:

sonic v kino lanq‮iva.exe

pid process

1100 sonic v kino lanq‮iva.exe
1100 sonic v kino lanq‮iva.exe
1100 sonic v kino lanq‮iva.exe
1100 sonic v kino lanq‮iva.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1052	Откл антивируса.exe

pid	process
1100	sonic v kino lanq‮iva.exe
1100	sonic v kino lanq‮iva.exe
1100	sonic v kino lanq‮iva.exe
1100	sonic v kino lanq‮iva.exe

Drops file in Program Files directory 64 IoCs

Processes:

Откл антивируса.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	Откл антивируса.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	Откл антивируса.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	Откл антивируса.exe

Drops file in Windows directory 1 IoCs

Processes:

Откл антивируса.exe

description ioc process

File opened for modification C:\Windows\svchost.com Откл антивируса.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	Откл антивируса.exe

Modifies registry class 1 IoCs

Processes:

Откл антивируса.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Откл антивируса.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

sonic v kino lanq‮iva.exe

description	pid	process	target process
PID 1100 wrote to memory of 1052	1100	sonic v kino lanq‮iva.exe	Откл антивируса.exe
PID 1100 wrote to memory of 1052	1100	sonic v kino lanq‮iva.exe	Откл антивируса.exe
PID 1100 wrote to memory of 1052	1100	sonic v kino lanq‮iva.exe	Откл антивируса.exe
PID 1100 wrote to memory of 1052	1100	sonic v kino lanq‮iva.exe	Откл антивируса.exe

C:\Users\Admin\AppData\Local\Temp\sonic v kino lanq‮iva.exe
"C:\Users\Admin\AppData\Local\Temp\sonic v kino lanq‮iva.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\Откл антивируса.exe
"C:\Users\Admin\AppData\Local\Temp\Откл антивируса.exe"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1052

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Откл антивируса.exe
Filesize
1.2MB

MD5
74cece15ab7500a40d78259742744104

SHA1
c012cc88f1a3040d66dc59b1d3d91caa44dc53cf

SHA256
f6166dc6b17e465ec09b6bc03b5ded9d98d39ed1edd971baecbb89fef6ea773f

SHA512
7cdd4828a98792f40d1b8bb9e46a7f394040f3219b4ea622b61acf3257c3549deb6fe596664f12d8204af8dc374b365d6ec68f081bfee22f6045756f85b68d60

Download Submit
\Users\Admin\AppData\Local\Temp\Откл антивируса.exe
Filesize
1.2MB

MD5
74cece15ab7500a40d78259742744104

SHA1
c012cc88f1a3040d66dc59b1d3d91caa44dc53cf

SHA256
f6166dc6b17e465ec09b6bc03b5ded9d98d39ed1edd971baecbb89fef6ea773f

SHA512
7cdd4828a98792f40d1b8bb9e46a7f394040f3219b4ea622b61acf3257c3549deb6fe596664f12d8204af8dc374b365d6ec68f081bfee22f6045756f85b68d60

Download Submit
\Users\Admin\AppData\Local\Temp\Откл антивируса.exe
Filesize
1.2MB

MD5
74cece15ab7500a40d78259742744104

SHA1
c012cc88f1a3040d66dc59b1d3d91caa44dc53cf

SHA256
f6166dc6b17e465ec09b6bc03b5ded9d98d39ed1edd971baecbb89fef6ea773f

SHA512
7cdd4828a98792f40d1b8bb9e46a7f394040f3219b4ea622b61acf3257c3549deb6fe596664f12d8204af8dc374b365d6ec68f081bfee22f6045756f85b68d60

Download Submit
\Users\Admin\AppData\Local\Temp\Откл антивируса.exe
Filesize
1.2MB

MD5
74cece15ab7500a40d78259742744104

SHA1
c012cc88f1a3040d66dc59b1d3d91caa44dc53cf

SHA256
f6166dc6b17e465ec09b6bc03b5ded9d98d39ed1edd971baecbb89fef6ea773f

SHA512
7cdd4828a98792f40d1b8bb9e46a7f394040f3219b4ea622b61acf3257c3549deb6fe596664f12d8204af8dc374b365d6ec68f081bfee22f6045756f85b68d60

Download Submit
\Users\Admin\AppData\Local\Temp\Откл антивируса.exe
Filesize
1.2MB

MD5
74cece15ab7500a40d78259742744104

SHA1
c012cc88f1a3040d66dc59b1d3d91caa44dc53cf

SHA256
f6166dc6b17e465ec09b6bc03b5ded9d98d39ed1edd971baecbb89fef6ea773f

SHA512
7cdd4828a98792f40d1b8bb9e46a7f394040f3219b4ea622b61acf3257c3549deb6fe596664f12d8204af8dc374b365d6ec68f081bfee22f6045756f85b68d60

Download Submit
memory/1052-59-0x0000000000000000-mapping.dmp

Download
memory/1100-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads