darkcomet | 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1

General

Target

4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Size

283KB
MD5

d34affe27303efd466527f7e2580a950
SHA1

515522de0fc8f037c5f5800b1c1db784f5390b87
SHA256

4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1
SHA512

930d9a31e7e141a8c4af56cac68fb5d0e676c8b2ddb7acc77334dde474f8eeb33ca4295983eb76f3e9d8e6b0890b79f5c647110286c9b17e7059b9ada8b9504f
SSDEEP

6144:VcNYS99KGGyqRFIqU7lT73sctFM7Pz4pSXJSzAnh:VcWB1zktFSUxAh

Score

10^/10

darkcomet slave evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

C2

bssbig.no-ip.org:699

zymic99k.no-ip.org:699

Mutex

DC_MUTEX-9UYCUYX

Attributes

InstallPath
winlogon.exe
gencode
6dYodXAtJ1da
install
true
offline_keylogger
true
persistence
true
reg_key
winlogon

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\winlogon.exe"	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2896 attrib.exe
4064 attrib.exe

pid	process
2896	attrib.exe
4064	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1404-0-0x0000000000400000-0x00000000004C7000-memory.dmp	upx
C:\Windows\SysWOW64\winlogon.exe	upx
behavioral2/memory/1404-62-0x0000000000400000-0x00000000004C7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\system32\\winlogon.exe"	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe

Drops file in System32 directory 3 IoCs

Processes:

4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\winlogon.exe	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\winlogon.exe	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeSecurityPrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeTakeOwnershipPrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeSystemProfilePrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeSystemtimePrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeProfSingleProcessPrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeCreatePagefilePrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeBackupPrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeRestorePrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeShutdownPrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeDebugPrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeSystemEnvironmentPrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeChangeNotifyPrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeRemoteShutdownPrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeUndockPrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeManageVolumePrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeImpersonatePrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: SeCreateGlobalPrivilege	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: 33	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: 34	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: 35	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Token: 36	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.execmd.execmd.exe

description	pid	process	target process
PID 1404 wrote to memory of 1464	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe	cmd.exe
PID 1404 wrote to memory of 1464	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe	cmd.exe
PID 1404 wrote to memory of 1464	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe	cmd.exe
PID 1404 wrote to memory of 3972	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe	cmd.exe
PID 1404 wrote to memory of 3972	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe	cmd.exe
PID 1404 wrote to memory of 3972	1404	4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe	cmd.exe
PID 1464 wrote to memory of 2896	1464	cmd.exe	attrib.exe
PID 1464 wrote to memory of 2896	1464	cmd.exe	attrib.exe
PID 1464 wrote to memory of 2896	1464	cmd.exe	attrib.exe
PID 3972 wrote to memory of 4064	3972	cmd.exe	attrib.exe
PID 3972 wrote to memory of 4064	3972	cmd.exe	attrib.exe
PID 3972 wrote to memory of 4064	3972	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2896 attrib.exe
4064 attrib.exe

pid	process
2896	attrib.exe
4064	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:2896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
2⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winlogon.exe
Filesize
283KB

MD5
d34affe27303efd466527f7e2580a950

SHA1
515522de0fc8f037c5f5800b1c1db784f5390b87

SHA256
4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1

SHA512
930d9a31e7e141a8c4af56cac68fb5d0e676c8b2ddb7acc77334dde474f8eeb33ca4295983eb76f3e9d8e6b0890b79f5c647110286c9b17e7059b9ada8b9504f

Download Submit
memory/1404-0-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/1404-1-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1404-62-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads