darkcomet | 4581dedab46a4dea9c85a4239750157f50d4cc6de0aaaedd8654b8bcb0902306

General

Target

d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe
Size

3.8MB
MD5

d8fbc9d04599038ec366e5c80b187060
SHA1

ddb65f6db48826a8f6a3c656049497124ff085fb
SHA256

4581dedab46a4dea9c85a4239750157f50d4cc6de0aaaedd8654b8bcb0902306
SHA512

cb8e008a99a7d1825f7f0973eb136d25c1f850b2cf8203bcea1e290d83c042495a4f3811aad22794727f008565fb656697f7c630a66724e51c519dac88a87a6e
SSDEEP

98304:oJwakG4fYrq1HJvpliCQHawbzBbGSlaUEI96kdQDanpqHrO3ndI3/lL/v7zVwwX7:oJwakG4fYrq1HJvpliCQHawbzBbGSlaB

Score

10^/10

darkcomet persistence rat trojan upx

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mcsft.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate mcsft.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mcsft.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

Processes:

mcsft.exemcsft.exe

pid process

4740 mcsft.exe
5060 mcsft.exe

pid	process
4740	mcsft.exe
5060	mcsft.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5060-31-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5060-34-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5060-35-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5060-36-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5060-37-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5060-40-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5060-41-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5060-38-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5060-42-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5060-44-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5060-46-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5060-48-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5060-50-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5060-52-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral2/memory/5060-54-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mcrosoft = "C:\\Users\\Admin\\AppData\\Roaming\\mcsft.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

mcsft.exe

description pid process target process

PID 4740 set thread context of 5060 4740 mcsft.exe mcsft.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4740 set thread context of 5060	4740	mcsft.exe	mcsft.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mcsft.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mcsft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mcsft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mcsft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	mcsft.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

mcsft.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier mcsft.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	mcsft.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

mcsft.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5060	mcsft.exe
Token: SeSecurityPrivilege	5060	mcsft.exe
Token: SeTakeOwnershipPrivilege	5060	mcsft.exe
Token: SeLoadDriverPrivilege	5060	mcsft.exe
Token: SeSystemProfilePrivilege	5060	mcsft.exe
Token: SeSystemtimePrivilege	5060	mcsft.exe
Token: SeProfSingleProcessPrivilege	5060	mcsft.exe
Token: SeIncBasePriorityPrivilege	5060	mcsft.exe
Token: SeCreatePagefilePrivilege	5060	mcsft.exe
Token: SeBackupPrivilege	5060	mcsft.exe
Token: SeRestorePrivilege	5060	mcsft.exe
Token: SeShutdownPrivilege	5060	mcsft.exe
Token: SeDebugPrivilege	5060	mcsft.exe
Token: SeSystemEnvironmentPrivilege	5060	mcsft.exe
Token: SeChangeNotifyPrivilege	5060	mcsft.exe
Token: SeRemoteShutdownPrivilege	5060	mcsft.exe
Token: SeUndockPrivilege	5060	mcsft.exe
Token: SeManageVolumePrivilege	5060	mcsft.exe
Token: SeImpersonatePrivilege	5060	mcsft.exe
Token: SeCreateGlobalPrivilege	5060	mcsft.exe
Token: 33	5060	mcsft.exe
Token: 34	5060	mcsft.exe
Token: 35	5060	mcsft.exe
Token: 36	5060	mcsft.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exemcsft.exemcsft.exe

pid process

2740 d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe
4740 mcsft.exe
5060 mcsft.exe

pid	process
2740	d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe
4740	mcsft.exe
5060	mcsft.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.execmd.exemcsft.exe

description	pid	process	target process
PID 2740 wrote to memory of 4340	2740	d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe	cmd.exe
PID 2740 wrote to memory of 4340	2740	d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe	cmd.exe
PID 2740 wrote to memory of 4340	2740	d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe	cmd.exe
PID 4340 wrote to memory of 3232	4340	cmd.exe	reg.exe
PID 4340 wrote to memory of 3232	4340	cmd.exe	reg.exe
PID 4340 wrote to memory of 3232	4340	cmd.exe	reg.exe
PID 2740 wrote to memory of 4740	2740	d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe	mcsft.exe
PID 2740 wrote to memory of 4740	2740	d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe	mcsft.exe
PID 2740 wrote to memory of 4740	2740	d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe	mcsft.exe
PID 4740 wrote to memory of 5060	4740	mcsft.exe	mcsft.exe
PID 4740 wrote to memory of 5060	4740	mcsft.exe	mcsft.exe
PID 4740 wrote to memory of 5060	4740	mcsft.exe	mcsft.exe
PID 4740 wrote to memory of 5060	4740	mcsft.exe	mcsft.exe
PID 4740 wrote to memory of 5060	4740	mcsft.exe	mcsft.exe
PID 4740 wrote to memory of 5060	4740	mcsft.exe	mcsft.exe
PID 4740 wrote to memory of 5060	4740	mcsft.exe	mcsft.exe
PID 4740 wrote to memory of 5060	4740	mcsft.exe	mcsft.exe

C:\Users\Admin\AppData\Local\Temp\d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xhgTS.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\mcsft.exe" /f
3⤵
- Adds Run key to start application
PID:3232

C:\Users\Admin\AppData\Roaming\mcsft.exe
"C:\Users\Admin\AppData\Roaming\mcsft.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740

C:\Users\Admin\AppData\Roaming\mcsft.exe
C:\Users\Admin\AppData\Roaming\mcsft.exe
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5060

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xhgTS.txt
Filesize
135B

MD5
a5feca573884d76f559b996d45e8ad9a

SHA1
0e81a993f3af4e31d60653dc2513186f0495f1c8

SHA256
c98e20d46d6465febb5d29cfab51241521ea5d6cd621f5e18b9b7d6fbfac3f0f

SHA512
a9239648b5f15eac4d4151b6e1bdc81065eeaeb101404c2a0126f03bc87f1e6a57206bfa07a44379e9d3bba889e4497a9991ff41fb109099b01512df3dc3cbda

Download Submit
C:\Users\Admin\AppData\Roaming\mcsft.txt
Filesize
3.8MB

MD5
1a904c6988b6f9e5a80747b5a080b398

SHA1
3a4725e09045b87952995cb21e761fde3f60f872

SHA256
c61d0f92f9dc6958990fd1493e90414cf990f9214d11072a52085c4ad6391110

SHA512
1d45a44f2830939cfb45b4c664fcac83dca00a26c909ab4ba082d97267070d70029c0db295885febd592a8e85481bb00e17d20407939f9daf12eff1e45e0267b

Download Submit
memory/2740-0-0x0000000000400000-0x00000000007C4000-memory.dmp

Filesize
3.8MB

Download
memory/5060-40-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5060-38-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5060-35-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5060-36-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5060-37-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5060-31-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5060-41-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5060-34-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5060-42-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5060-44-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5060-46-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5060-48-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5060-50-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5060-52-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5060-54-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads