Malware Analysis Report

2024-08-06 17:56

Sample ID 240621-fgc8eaycpb
Target 3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
SHA256 3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04
Tags
darkcomet privateeye persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04

Threat Level: Known bad

The file 3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

darkcomet privateeye persistence rat trojan upx

Darkcomet

Loads dropped DLL

UPX packed file

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Gathers network information

Suspicious use of AdjustPrivilegeToken

Modifies registry key

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-21 04:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 04:50

Reported

2024-06-21 04:52

Platform

win7-20240221-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe"

Signatures

Darkcomet

trojan rat darkcomet

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winupd.exe -notray" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1312 set thread context of 1732 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 2660 set thread context of 2604 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 set thread context of 2564 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1312 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1312 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1312 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1312 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1312 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1312 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1312 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1312 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1312 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1732 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1732 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1732 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1732 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2660 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2604 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2604 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2604 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2604 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2604 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2480 wrote to memory of 1924 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 1924 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 1924 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 1924 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1924 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1924 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1924 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ORGAXGPF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ratblackshades.no-ip.biz udp

Files

memory/1312-2-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1732-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1732-18-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1312-17-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1312-16-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1732-7-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1732-5-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1732-3-0x0000000000400000-0x0000000000407000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

MD5 e2e447321cf4900a73f088e90c8c6629
SHA1 321a897b3282275300536523f800af545f711da8
SHA256 86d1345bcdcaa0d00385314fc4d1aba3e6bf80d2546dd09609f17c171f915c38
SHA512 191772637d86808ae7a613b5580908d2175346015f803be35001e2479a96c78bcc06bbe5202a5279eb2e7e8c7ca0815f91294936ceb8a33367fa85128159fecb

memory/2660-34-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2564-57-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1732-64-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2564-61-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2660-60-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2564-59-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-54-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-53-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-50-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2480-68-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2564-72-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-71-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-70-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-73-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-74-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-75-0x0000000000400000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ORGAXGPF.bat

MD5 cac890d00365d07b9ca89def17cc3a36
SHA1 6fa99679ede791c16b5d3e6d243a98e8bbdb7eab
SHA256 4f98ddee89760080a5c8a93666d2f5c97be52b741265ef4d1ce9aaebf05f12da
SHA512 124dc0b18e13425bde43bcbbe2a99005928e398bffcb458d498aac9e754bc5b92b703270667800876c60b0801343f2de8c6b9a1eebafd80bb4f6d5dc295dd9f1

memory/2604-79-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2564-80-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-81-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-82-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-83-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-84-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-85-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-86-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-87-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-88-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-89-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-90-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-91-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-92-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-93-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2564-94-0x0000000000400000-0x00000000004B7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 04:50

Reported

2024-06-21 04:52

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe"

Signatures

Darkcomet

trojan rat darkcomet

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1044 set thread context of 992 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1996 set thread context of 3136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 set thread context of 4340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\ipconfig.exe

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1044 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1044 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1044 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1044 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1044 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1044 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 1044 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe
PID 992 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 992 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 992 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1996 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 3136 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 3136 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 3136 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 3136 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 3136 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4320,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3f1b7ec8bdee408951c0b30718f0ea9d35ab8ec0055e968f2ec920b016579a04_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3944 -ip 3944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 272

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp

Files

memory/992-2-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1044-6-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1044-4-0x0000000000400000-0x0000000000414000-memory.dmp

memory/992-7-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1044-9-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

MD5 26b6d78aa810cae21cb58c2106ef3741
SHA1 957dbda51c93f77062c6b1d31956d8d2f4a0227a
SHA256 927db7561b47d0ef29620062039739cdb775701dc340fa87fb4db38395bd628d
SHA512 d3f19d5b2ad6bfa153517da8602ac48f880af61f76abd9a45d3fc46f8a901d19d256c6449584720e078ad9e3e964dc668d1a8970a23b034e07beff1521e58945

memory/992-18-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4340-28-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3136-36-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4340-35-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4340-34-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4340-38-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4340-37-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1996-33-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1996-32-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4340-31-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4340-25-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1996-24-0x0000000000400000-0x0000000000483000-memory.dmp

memory/3136-39-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4340-41-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4340-42-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4340-43-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4340-44-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4340-45-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4340-46-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4340-47-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4340-48-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4340-49-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4340-50-0x0000000000400000-0x00000000004B7000-memory.dmp