Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04-05-2024 04:04
Static task: static1
Behavioral task: behavioral1
  Sample: New Order.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: New Order.exe
  Resource: win10v2004-20240419-en
Behavioral task: behavioral3
  Sample: order list.exe
  Resource: win7-20240215-en
Behavioral task: behavioral4
  Sample: order list.exe
  Resource: win10v2004-20240419-en
General
- Target: New Order.exe
- Size: 964KB
- MD5: ac117adca6eb38e0063d02f6ac8d021f
- SHA1: 1dc3841438485efadf7604ae3215e2800526868d
- SHA256: 02f1f6593d82e544a37a26d89e6b882be7722033acf1d95b298b8a44da792f24
- SHA512: 457ab69e3f894833cb07ea849f3cc461b13bc82bbf3df63ca03181a41335edea77e2a74a8d349e94c4944286f6be09dc9b1b7f49e3180b94bdd030d15f49482b
- SSDEEP: 24576:xljYTN54L+QagyUW4O058i2He5JUCRiYHk97g:xljYfMOfmxJHp07g
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: blackhills.ddns.net:54984
C2: 213.183.58.34:54984
Mutex: 9fd2d890-5f33-430f-9a78-84171c54b2be
- activate_away_mode: true
- backup_connection_host: 213.183.58.34
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2017-05-07T18:41:54.173511636Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 54984
- default_group: Lord
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 9fd2d890-5f33-430f-9a78-84171c54b2be
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: blackhills.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Extracted
Family: darkcomet
Campaign ID: God Bless me
C2: blackhills.ddns.net:1040
C2: 213.183.58.34:1040
Mutex: DC_MUTEX-1L423YQ
- InstallPath: MSDCSC\svchost.exe
- gencode: hxfmXvFjpU5G
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: New Order.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\svchost.exe" | New Order.exe
- Modifies security service (2 TTPs, 1 IoCs)
  Processes: New Order.exe
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | New Order.exe
- Windows security bypass
  Processes: New Order.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | New Order.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | New Order.exe
- Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe, attrib.exe
  pid | Process
  1580 | attrib.exe
  2728 | attrib.exe
- Executes dropped EXE (5 IoCs)
  Processes: server.exeserver.exe, New Order.exe, svchost.exe, New Order.exe, New Order.exe
  pid | Process
  2496 | server.exeserver.exe
  2532 | New Order.exe
  2084 | svchost.exe
  340 | New Order.exe
  2412 | New Order.exe
- Loads dropped DLL (7 IoCs)
  Processes: New Order.exe, New Order.exe
  pid | Process
  1660 | New Order.exe
  1660 | New Order.exe
  1660 | New Order.exe
  2532 | New Order.exe
  2532 | New Order.exe
  1660 | New Order.exe
  1660 | New Order.exe
- Windows security modification
  Processes: New Order.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | New Order.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | New Order.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: New Order.exe, New Order.exe
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\svchost.exe" | New Order.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\svchost.exe" | New Order.exe
- Checks whether UAC is enabled
  Processes: server.exeserver.exe
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | server.exeserver.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: New Order.exe
  description | pid | Process | procid_target
  PID 1660 set thread context of 2532 | 1660 | New Order.exe | 31
  PID 1660 set thread context of 2412 | 1660 | New Order.exe | 41
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | Process
  2556 | schtasks.exe
  3056 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes: New Order.exe, server.exeserver.exe
  pid | Process
  1660 | New Order.exe
  1660 | New Order.exe
  2496 | server.exeserver.exe
  2496 | server.exeserver.exe
  2496 | server.exeserver.exe
  1660 | New Order.exe
  1660 | New Order.exe
  1660 | New Order.exe
  1660 | New Order.exe
  2496 | server.exeserver.exe
  2496 | server.exeserver.exe
  2496 | server.exeserver.exe
  2496 | server.exeserver.exe
  2496 | server.exeserver.exe
  2496 | server.exeserver.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: server.exeserver.exe, New Order.exe
  pid | Process
  2496 | server.exeserver.exe
  2412 | New Order.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: New Order.exe, New Order.exe, server.exeserver.exe, New Order.exe
  description | pid | Process
  Token: SeDebugPrivilege | 1660 | New Order.exe
  Token: SeIncreaseQuotaPrivilege | 2532 | New Order.exe
  Token: SeSecurityPrivilege | 2532 | New Order.exe
  Token: SeTakeOwnershipPrivilege | 2532 | New Order.exe
  Token: SeLoadDriverPrivilege | 2532 | New Order.exe
  Token: SeSystemProfilePrivilege | 2532 | New Order.exe
  Token: SeSystemtimePrivilege | 2532 | New Order.exe
  Token: SeProfSingleProcessPrivilege | 2532 | New Order.exe
  Token: SeIncBasePriorityPrivilege | 2532 | New Order.exe
  Token: SeCreatePagefilePrivilege | 2532 | New Order.exe
  Token: SeBackupPrivilege | 2532 | New Order.exe
  Token: SeRestorePrivilege | 2532 | New Order.exe
  Token: SeShutdownPrivilege | 2532 | New Order.exe
  Token: SeDebugPrivilege | 2532 | New Order.exe
  Token: SeSystemEnvironmentPrivilege | 2532 | New Order.exe
  Token: SeChangeNotifyPrivilege | 2532 | New Order.exe
  Token: SeRemoteShutdownPrivilege | 2532 | New Order.exe
  Token: SeUndockPrivilege | 2532 | New Order.exe
  Token: SeManageVolumePrivilege | 2532 | New Order.exe
  Token: SeImpersonatePrivilege | 2532 | New Order.exe
  Token: SeCreateGlobalPrivilege | 2532 | New Order.exe
  Token: 33 | 2532 | New Order.exe
  Token: 34 | 2532 | New Order.exe
  Token: 35 | 2532 | New Order.exe
  Token: SeDebugPrivilege | 2496 | server.exeserver.exe
  Token: SeIncreaseQuotaPrivilege | 2412 | New Order.exe
  Token: SeSecurityPrivilege | 2412 | New Order.exe
  Token: SeTakeOwnershipPrivilege | 2412 | New Order.exe
  Token: SeLoadDriverPrivilege | 2412 | New Order.exe
  Token: SeSystemProfilePrivilege | 2412 | New Order.exe
  Token: SeSystemtimePrivilege | 2412 | New Order.exe
  Token: SeProfSingleProcessPrivilege | 2412 | New Order.exe
  Token: SeIncBasePriorityPrivilege | 2412 | New Order.exe
  Token: SeCreatePagefilePrivilege | 2412 | New Order.exe
  Token: SeBackupPrivilege | 2412 | New Order.exe
  Token: SeRestorePrivilege | 2412 | New Order.exe
  Token: SeShutdownPrivilege | 2412 | New Order.exe
  Token: SeDebugPrivilege | 2412 | New Order.exe
  Token: SeSystemEnvironmentPrivilege | 2412 | New Order.exe
  Token: SeChangeNotifyPrivilege | 2412 | New Order.exe
  Token: SeRemoteShutdownPrivilege | 2412 | New Order.exe
  Token: SeUndockPrivilege | 2412 | New Order.exe
  Token: SeManageVolumePrivilege | 2412 | New Order.exe
  Token: SeImpersonatePrivilege | 2412 | New Order.exe
  Token: SeCreateGlobalPrivilege | 2412 | New Order.exe
  Token: 33 | 2412 | New Order.exe
  Token: 34 | 2412 | New Order.exe
  Token: 35 | 2412 | New Order.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: New Order.exe
  pid | Process
  2412 | New Order.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: New Order.exe, New Order.exe, cmd.exe, cmd.exe
  description | pid | Process | procid_target
  PID 1660 wrote to memory of 2556 | 1660 | New Order.exe | 28
  PID 1660 wrote to memory of 2556 | 1660 | New Order.exe | 28
  PID 1660 wrote to memory of 2556 | 1660 | New Order.exe | 28
  PID 1660 wrote to memory of 2556 | 1660 | New Order.exe | 28
  PID 1660 wrote to memory of 2496 | 1660 | New Order.exe | 30
  PID 1660 wrote to memory of 2496 | 1660 | New Order.exe | 30
  PID 1660 wrote to memory of 2496 | 1660 | New Order.exe | 30
  PID 1660 wrote to memory of 2496 | 1660 | New Order.exe | 30
  PID 1660 wrote to memory of 2532 | 1660 | New Order.exe | 31
  PID 1660 wrote to memory of 2532 | 1660 | New Order.exe | 31
  PID 1660 wrote to memory of 2532 | 1660 | New Order.exe | 31
  PID 1660 wrote to memory of 2532 | 1660 | New Order.exe | 31
  PID 1660 wrote to memory of 2532 | 1660 | New Order.exe | 31
  PID 1660 wrote to memory of 2532 | 1660 | New Order.exe | 31
  PID 1660 wrote to memory of 2532 | 1660 | New Order.exe | 31
  PID 1660 wrote to memory of 2532 | 1660 | New Order.exe | 31
  PID 1660 wrote to memory of 2532 | 1660 | New Order.exe | 31
  PID 1660 wrote to memory of 2532 | 1660 | New Order.exe | 31
  PID 1660 wrote to memory of 2532 | 1660 | New Order.exe | 31
  PID 1660 wrote to memory of 2532 | 1660 | New Order.exe | 31
  PID 1660 wrote to memory of 2532 | 1660 | New Order.exe | 31
  PID 2532 wrote to memory of 2908 | 2532 | New Order.exe | 32
  PID 2532 wrote to memory of 2908 | 2532 | New Order.exe | 32
  PID 2532 wrote to memory of 2908 | 2532 | New Order.exe | 32
  PID 2532 wrote to memory of 2908 | 2532 | New Order.exe | 32
  PID 2532 wrote to memory of 2996 | 2532 | New Order.exe | 34
  PID 2532 wrote to memory of 2996 | 2532 | New Order.exe | 34
  PID 2532 wrote to memory of 2996 | 2532 | New Order.exe | 34
  PID 2532 wrote to memory of 2996 | 2532 | New Order.exe | 34
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2532 wrote to memory of 1868 | 2532 | New Order.exe | 36
  PID 2908 wrote to memory of 1580 | 2908 | cmd.exe | 38
  PID 2908 wrote to memory of 1580 | 2908 | cmd.exe | 38
  PID 2908 wrote to memory of 1580 | 2908 | cmd.exe | 38
  PID 2908 wrote to memory of 1580 | 2908 | cmd.exe | 38
  PID 2996 wrote to memory of 2728 | 2996 | cmd.exe | 37
  PID 2996 wrote to memory of 2728 | 2996 | cmd.exe | 37
  PID 2996 wrote to memory of 2728 | 2996 | cmd.exe | 37
  PID 2996 wrote to memory of 2728 | 2996 | cmd.exe | 37
  PID 2532 wrote to memory of 2084 | 2532 | New Order.exe | 39
  PID 2532 wrote to memory of 2084 | 2532 | New Order.exe | 39
  PID 2532 wrote to memory of 2084 | 2532 | New Order.exe | 39
  PID 2532 wrote to memory of 2084 | 2532 | New Order.exe | 39
  PID 1660 wrote to memory of 340 | 1660 | New Order.exe | 40
  PID 1660 wrote to memory of 340 | 1660 | New Order.exe | 40
  PID 1660 wrote to memory of 340 | 1660 | New Order.exe | 40
  PID 1660 wrote to memory of 340 | 1660 | New Order.exe | 40
  PID 1660 wrote to memory of 2412 | 1660 | New Order.exe | 41
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | Process
  1580 | attrib.exe
  2728 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\New Order.exe
  "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1660
    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z41"
      - Creates scheduled task(s)
      PID: 2556
    C:\Users\Admin\AppData\Local\Temp\server.exeserver.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exeserver.exe"
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      PID: 2496
    C:\Users\Admin\AppData\Local\Temp\New Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2532
        C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\New Order.exe" +s +h
          - Suspicious use of WriteProcessMemory
          PID: 2908
            C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp\New Order.exe" +s +h
              - Sets file to hidden
              - Views/modifies file attributes
              PID: 1580
        C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Suspicious use of WriteProcessMemory
          PID: 2996
            C:\Windows\SysWOW64\attrib.exe
              attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
              - Sets file to hidden
              - Views/modifies file attributes
              PID: 2728
        C:\Windows\SysWOW64\notepad.exe
          notepad
          PID: 1868
        C:\Users\Admin\AppData\Roaming\MSDCSC\svchost.exe
          "C:\Users\Admin\AppData\Roaming\MSDCSC\svchost.exe"
          - Executes dropped EXE
          PID: 2084
            C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z316"
              - Creates scheduled task(s)
              PID: 3056
    C:\Users\Admin\AppData\Local\Temp\New Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
      - Executes dropped EXE
      PID: 340
    C:\Users\Admin\AppData\Local\Temp\New Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
      - Modifies security service
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 2412
        C:\Windows\SysWOW64\notepad.exe
          notepad
          PID: 540
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads
- Filesize: 1KB
  MD5: 5139391680d9b0a7ffe932684767e9bf
  SHA1: f5cd775301834887f3d922d1d51accf500e48eab
  SHA256: 997c1abdbee27f210be506397b7b0bb3eecd21f54a7c2be3beca4f5134a6790c
  SHA512: 0e8e5d9d801966b20a6d4be69d587f10e711d1910b0ed001fea0f4178c7c7b1d9ddeb38ac88fc2a2e5e8b9e515c2094db182e4cec1f581cc5b1ee9b1f6703381
- Filesize: 964KB
  MD5: ac117adca6eb38e0063d02f6ac8d021f
  SHA1: 1dc3841438485efadf7604ae3215e2800526868d
  SHA256: 02f1f6593d82e544a37a26d89e6b882be7722033acf1d95b298b8a44da792f24
  SHA512: 457ab69e3f894833cb07ea849f3cc461b13bc82bbf3df63ca03181a41335edea77e2a74a8d349e94c4944286f6be09dc9b1b7f49e3180b94bdd030d15f49482b
- Filesize: 202KB
  MD5: d1ec545c456123fbf732b150fcd004ad
  SHA1: ea9bce20767f3cd291da26b50d26169ddbc46260
  SHA256: f6bd8ce890fb83d0a91d1253f1bdf755ad239c83f9072331d08bc003cc211d70
  SHA512: 3823f6af2282d9ec8052869799c154513a76e34609b5408198c019bd3973437fc03c6c9aa04c4d8347d98fa3f8b5c36a9f6c0754f2b1c87dd049b97d85803690