Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-05-2024 04:04

General

  • Target

    New Order.exe

  • Size

    964KB

  • MD5

    ac117adca6eb38e0063d02f6ac8d021f

  • SHA1

    1dc3841438485efadf7604ae3215e2800526868d

  • SHA256

    02f1f6593d82e544a37a26d89e6b882be7722033acf1d95b298b8a44da792f24

  • SHA512

    457ab69e3f894833cb07ea849f3cc461b13bc82bbf3df63ca03181a41335edea77e2a74a8d349e94c4944286f6be09dc9b1b7f49e3180b94bdd030d15f49482b

  • SSDEEP

    24576:xljYTN54L+QagyUW4O058i2He5JUCRiYHk97g:xljYfMOfmxJHp07g

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

blackhills.ddns.net:54984

213.183.58.34:54984

Mutex

9fd2d890-5f33-430f-9a78-84171c54b2be

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    213.183.58.34

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2017-05-07T18:41:54.173511636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    54984

  • default_group

    Lord

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    9fd2d890-5f33-430f-9a78-84171c54b2be

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    blackhills.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

darkcomet

Botnet

God Bless me

C2

blackhills.ddns.net:1040

213.183.58.34:1040

Mutex

DC_MUTEX-1L423YQ

Attributes
  • InstallPath

    MSDCSC\svchost.exe

  • gencode

    hxfmXvFjpU5G

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Windows security bypass 2 TTPs 2 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 7 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Order.exe
    "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z41"
      2⤵
      • Creates scheduled task(s)
      PID:2556
    • C:\Users\Admin\AppData\Local\Temp\server.exeserver.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exeserver.exe"
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Users\Admin\AppData\Local\Temp\New Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\New Order.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\New Order.exe" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1580
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:2728
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        PID:1868
      • C:\Users\Admin\AppData\Roaming\MSDCSC\svchost.exe
        "C:\Users\Admin\AppData\Roaming\MSDCSC\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:2084
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z316"
          4⤵
          • Creates scheduled task(s)
          PID:3056
    • C:\Users\Admin\AppData\Local\Temp\New Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
      2⤵
      • Executes dropped EXE
      PID:340
    • C:\Users\Admin\AppData\Local\Temp\New Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
      2⤵
      • Modifies security service
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2412
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        PID:540

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\z41

    Filesize

    1KB

    MD5

    5139391680d9b0a7ffe932684767e9bf

    SHA1

    f5cd775301834887f3d922d1d51accf500e48eab

    SHA256

    997c1abdbee27f210be506397b7b0bb3eecd21f54a7c2be3beca4f5134a6790c

    SHA512

    0e8e5d9d801966b20a6d4be69d587f10e711d1910b0ed001fea0f4178c7c7b1d9ddeb38ac88fc2a2e5e8b9e515c2094db182e4cec1f581cc5b1ee9b1f6703381

  • \Users\Admin\AppData\Local\Temp\New Order.exe

    Filesize

    964KB

    MD5

    ac117adca6eb38e0063d02f6ac8d021f

    SHA1

    1dc3841438485efadf7604ae3215e2800526868d

    SHA256

    02f1f6593d82e544a37a26d89e6b882be7722033acf1d95b298b8a44da792f24

    SHA512

    457ab69e3f894833cb07ea849f3cc461b13bc82bbf3df63ca03181a41335edea77e2a74a8d349e94c4944286f6be09dc9b1b7f49e3180b94bdd030d15f49482b

  • \Users\Admin\AppData\Local\Temp\server.exeserver.exe

    Filesize

    202KB

    MD5

    d1ec545c456123fbf732b150fcd004ad

    SHA1

    ea9bce20767f3cd291da26b50d26169ddbc46260

    SHA256

    f6bd8ce890fb83d0a91d1253f1bdf755ad239c83f9072331d08bc003cc211d70

    SHA512

    3823f6af2282d9ec8052869799c154513a76e34609b5408198c019bd3973437fc03c6c9aa04c4d8347d98fa3f8b5c36a9f6c0754f2b1c87dd049b97d85803690

  • memory/1660-0-0x0000000074B61000-0x0000000074B62000-memory.dmp

    Filesize

    4KB

  • memory/1660-1-0x0000000074B60000-0x000000007510B000-memory.dmp

    Filesize

    5.7MB

  • memory/1660-2-0x0000000074B60000-0x000000007510B000-memory.dmp

    Filesize

    5.7MB

  • memory/1660-161-0x0000000074B60000-0x000000007510B000-memory.dmp

    Filesize

    5.7MB

  • memory/1868-47-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/1868-75-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

  • memory/2532-43-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2532-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2532-39-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2532-33-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2532-27-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2532-24-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2532-21-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2532-19-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2532-31-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2532-36-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/2532-18-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB