Malware Analysis Report

2024-08-06 17:56

Sample ID 240628-j5chkazamc
Target 8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
SHA256 8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001
Tags
darkcomet privateeye persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001

Threat Level: Known bad

The file 8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

darkcomet privateeye persistence rat trojan upx

Darkcomet

Executes dropped EXE

Loads dropped DLL

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Gathers network information

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-28 08:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 08:14

Reported

2024-06-28 08:17

Platform

win7-20240220-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe"

Signatures

Darkcomet

trojan rat darkcomet

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winupd.exe -notray" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1620 set thread context of 2120 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 2604 set thread context of 2784 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 set thread context of 2304 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

Enumerates physical storage devices

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1620 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1620 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1620 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1620 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1620 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1620 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1620 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1620 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 2120 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2120 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2120 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2120 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2604 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2784 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2784 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2784 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2784 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2784 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2784 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2456 wrote to memory of 1360 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1360 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1360 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 1360 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VXNHAFMV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ratblackshades.no-ip.biz udp

Files

memory/2120-13-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1620-16-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1620-14-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2120-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2120-7-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1620-20-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2120-22-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1620-21-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2120-5-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2120-3-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1620-2-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

MD5 0dcd659623aaedbd8c9d5bb9fb309271
SHA1 77a0bddc53ca0f73b9228eaeb0c167734d672060
SHA256 3afccf0e6b832ffecbe50acb85ed909578d630def15d05c4c0bcfe6e877bec67
SHA512 44e5299fe78d1b4fc538f6d7782d570e099cb28816f567100c3bfea985f58a7913d7182d77abd72c9ab88212f95fbd311c205b678825b03225c5acff9f334bcd

memory/2304-51-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-56-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2120-64-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2604-61-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2304-60-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2604-59-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2304-58-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-53-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-49-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-73-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-70-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2456-68-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2304-71-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-72-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-75-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-74-0x0000000000400000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VXNHAFMV.bat

MD5 cac890d00365d07b9ca89def17cc3a36
SHA1 6fa99679ede791c16b5d3e6d243a98e8bbdb7eab
SHA256 4f98ddee89760080a5c8a93666d2f5c97be52b741265ef4d1ce9aaebf05f12da
SHA512 124dc0b18e13425bde43bcbbe2a99005928e398bffcb458d498aac9e754bc5b92b703270667800876c60b0801343f2de8c6b9a1eebafd80bb4f6d5dc295dd9f1

memory/2784-79-0x0000000000400000-0x0000000000407000-memory.dmp

memory/2304-80-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-81-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-82-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-83-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-84-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-85-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-86-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-87-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-88-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-89-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-90-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-91-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-92-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-93-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2304-94-0x0000000000400000-0x00000000004B7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 08:14

Reported

2024-06-28 08:17

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe"

Signatures

Darkcomet

trojan rat darkcomet

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1500 set thread context of 2324 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 2704 set thread context of 1396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 set thread context of 3260 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\ipconfig.exe

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1500 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1500 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1500 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1500 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1500 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1500 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1500 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 1500 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe
PID 2324 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2324 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2324 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 2704 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
PID 1396 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1396 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1396 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1396 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1396 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe C:\Windows\SysWOW64\ipconfig.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8e41a1f9b8d1af6933a29a5864130f5d9f30dd8a8bd6571cd208fc20db473001_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\system32\ipconfig.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 272

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp
US 8.8.8.8:53 ratblackshades.no-ip.biz udp

Files

memory/1500-2-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2324-5-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1500-7-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1500-6-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1500-8-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2324-3-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

MD5 d50a16d4981310391332e4a626a7130c
SHA1 cd0aa734ab80535d462a651ba7ad61d93f0c27e4
SHA256 fac7914e8034d0485fb6d1701443932b6d3e7b7eb01c470e413b42a88ebdac36
SHA512 7f9e06e73a02cccaa1d1259e61113c09e6e6c47e8e251b62b24af429c24d6d1e7bb2be5a90a41a15ddf5eb4f999dab5fd12cd6f5e3ce2111bd02eb1cbf5b88c3

memory/2324-18-0x0000000000400000-0x0000000000407000-memory.dmp

memory/3260-24-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2704-27-0x0000000000400000-0x0000000000483000-memory.dmp

memory/3260-29-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2704-28-0x0000000000400000-0x0000000000483000-memory.dmp

memory/3260-30-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3260-34-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3260-37-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3260-35-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3260-36-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/1396-38-0x0000000000400000-0x0000000000407000-memory.dmp

memory/3260-40-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3260-41-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3260-42-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3260-43-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3260-44-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3260-45-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3260-46-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3260-47-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3260-48-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3260-49-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/3260-50-0x0000000000400000-0x00000000004B7000-memory.dmp