Malware Analysis Report

2024-08-06 17:14

Sample ID 240515-fjkp9saa8z
Target 8218115a8aa9fb8785be01107156c940_NeikiAnalytics
SHA256 a91e2068f86ec6aaa7915412ff2bae036b094da03f7f313c69a35670b76e03e4
Tags
darkcomet guest16 evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a91e2068f86ec6aaa7915412ff2bae036b094da03f7f313c69a35670b76e03e4

Threat Level: Known bad

The file 8218115a8aa9fb8785be01107156c940_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

darkcomet guest16 evasion persistence rat trojan

Modifies WinLogon for persistence

Darkcomet

Sets file to hidden

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Deletes itself

Enumerates connected drives

Adds Run key to start application

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Modifies registry class

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Defense Evasion
TA0005
Modify Registry
T1112
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Remote System Discovery
T1018
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-15 04:54

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 04:54

Reported

2024-05-15 04:56

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2724 set thread context of 2768 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1796 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2344 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2344 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2344 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2344 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2344 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2344 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2344 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2724 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2768 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2512 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2512 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2512 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2620 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2620 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2620 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2620 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2768 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
PID 2768 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
PID 2768 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
PID 2768 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
PID 2864 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1268 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1268 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1268 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1268 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1268 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1268 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1268 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scratch.bat

C:\Windows\SysWOW64\PING.EXE

ping -n 0127.0.0.1

C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\963642" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp\963642" +s +h

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\scratch.bat

C:\Windows\SysWOW64\PING.EXE

ping -n 0127.0.0.1

C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\scratch.bat

MD5 34033297cecc95bc042f12d55baee4f8
SHA1 c5a8589ddb941085a17b9142c24e192aef586278
SHA256 23786dc398242e4b7064dbf0882d79e104a61f4eaa35739be16340b8788ccdd1
SHA512 4aec3968537e0e28bf292c2584573cac0949d7a3b474529c162f5e60972719c45026d7ad875e62716ca0717ce708de5c4a5799fa21322baf9899e8708169fe65

\Users\Admin\AppData\Local\Temp\963642\svhost.exe

MD5 8218115a8aa9fb8785be01107156c940
SHA1 3432a7c2271ac540d77083c788b0a5048a2dbf39
SHA256 a91e2068f86ec6aaa7915412ff2bae036b094da03f7f313c69a35670b76e03e4
SHA512 1cffa31dee900a30b1c9da9c862e516eddbc41eecb01d62fb57fe8dbf024d199e43aca2e5ec9cfc4014fda2491b28ebcf685a95e6be887fec4c4dddde268f9a9

memory/2768-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2768-18-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2768-32-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2768-39-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2768-38-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2768-36-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2768-30-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2768-29-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2768-26-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2768-24-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2768-22-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2768-20-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2768-40-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scratch.bat

MD5 c2cce54fa8060365fe52d501aa57b0f8
SHA1 ba76d4d144551ac8c8f2aaaf49cfab8e190fd7c7
SHA256 0db44e2288cd06d783b1d8284fe1fd61ed9aa2313a7e807d3c296eea260e285d
SHA512 4a9de825b59c4929228a6f08f43126ff7c83edb769aff3feb758b54652ecb041ca62582894bddee215df9a6e4df925676be1624eabec5a8e84d39ba6629e1c88

memory/2768-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 04:54

Reported

2024-05-15 04:56

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1456 set thread context of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4780 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4780 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4780 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 4780 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 4780 wrote to memory of 1456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1456 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1456 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1456 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1456 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1456 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1456 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1456 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1456 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1456 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1456 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1456 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1456 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1456 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 1456 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2808 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 4512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2796 wrote to memory of 4512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2796 wrote to memory of 4512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1720 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1720 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1720 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2808 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
PID 2808 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
PID 2808 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
PID 2908 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2072 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2072 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2072 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2072 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe
PID 2072 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8218115a8aa9fb8785be01107156c940_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\scratch.bat

C:\Windows\SysWOW64\PING.EXE

ping -n 0127.0.0.1

C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\963642" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp\963642" +s +h

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\scratch.bat

C:\Windows\SysWOW64\PING.EXE

ping -n 0127.0.0.1

C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
BE 2.17.107.131:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 131.107.17.2.in-addr.arpa udp
BE 2.17.107.131:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\scratch.bat

MD5 34033297cecc95bc042f12d55baee4f8
SHA1 c5a8589ddb941085a17b9142c24e192aef586278
SHA256 23786dc398242e4b7064dbf0882d79e104a61f4eaa35739be16340b8788ccdd1
SHA512 4aec3968537e0e28bf292c2584573cac0949d7a3b474529c162f5e60972719c45026d7ad875e62716ca0717ce708de5c4a5799fa21322baf9899e8708169fe65

C:\Users\Admin\AppData\Local\Temp\963642\svhost.exe

MD5 8218115a8aa9fb8785be01107156c940
SHA1 3432a7c2271ac540d77083c788b0a5048a2dbf39
SHA256 a91e2068f86ec6aaa7915412ff2bae036b094da03f7f313c69a35670b76e03e4
SHA512 1cffa31dee900a30b1c9da9c862e516eddbc41eecb01d62fb57fe8dbf024d199e43aca2e5ec9cfc4014fda2491b28ebcf685a95e6be887fec4c4dddde268f9a9

memory/2808-14-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2808-12-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2808-15-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2808-16-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2808-17-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scratch.bat

MD5 c2cce54fa8060365fe52d501aa57b0f8
SHA1 ba76d4d144551ac8c8f2aaaf49cfab8e190fd7c7
SHA256 0db44e2288cd06d783b1d8284fe1fd61ed9aa2313a7e807d3c296eea260e285d
SHA512 4a9de825b59c4929228a6f08f43126ff7c83edb769aff3feb758b54652ecb041ca62582894bddee215df9a6e4df925676be1624eabec5a8e84d39ba6629e1c88

memory/2808-85-0x0000000000400000-0x00000000004B2000-memory.dmp