Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
04-05-2024 04:04
Static task
static1
Behavioral task
behavioral1
Sample
New Order.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
New Order.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
order list.exe
Resource
win7-20240215-en
Behavioral task
behavioral4
Sample
order list.exe
Resource
win10v2004-20240419-en
General
-
Target
New Order.exe
-
Size
964KB
-
MD5
ac117adca6eb38e0063d02f6ac8d021f
-
SHA1
1dc3841438485efadf7604ae3215e2800526868d
-
SHA256
02f1f6593d82e544a37a26d89e6b882be7722033acf1d95b298b8a44da792f24
-
SHA512
457ab69e3f894833cb07ea849f3cc461b13bc82bbf3df63ca03181a41335edea77e2a74a8d349e94c4944286f6be09dc9b1b7f49e3180b94bdd030d15f49482b
-
SSDEEP
24576:xljYTN54L+QagyUW4O058i2He5JUCRiYHk97g:xljYfMOfmxJHp07g
Malware Config
Extracted
darkcomet
God Bless me
blackhills.ddns.net:1040
213.183.58.34:1040
DC_MUTEX-1L423YQ
-
InstallPath
MSDCSC\svchost.exe
-
gencode
hxfmXvFjpU5G
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
New Order.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\svchost.exe" New Order.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
New Order.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" New Order.exe -
Processes:
New Order.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" New Order.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" New Order.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exepid Process 3904 attrib.exe 3224 attrib.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
New Order.exeNew Order.exesvchost.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation New Order.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation New Order.exe Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation svchost.exe -
Executes dropped EXE 5 IoCs
Processes:
server.exeserver.exeNew Order.exesvchost.exeNew Order.exeNew Order.exepid Process 1668 server.exeserver.exe 1676 New Order.exe 3840 svchost.exe 3872 New Order.exe 1960 New Order.exe -
Processes:
New Order.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" New Order.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" New Order.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
New Order.exeNew Order.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\svchost.exe" New Order.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\svchost.exe" New Order.exe -
Processes:
server.exeserver.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA server.exeserver.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
New Order.exedescription pid Process procid_target PID 2636 set thread context of 1676 2636 New Order.exe 97 PID 2636 set thread context of 1960 2636 New Order.exe 107 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid Process 1952 schtasks.exe 3508 schtasks.exe -
Modifies registry class 1 IoCs
Processes:
New Order.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ New Order.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
New Order.exeserver.exeserver.exepid Process 2636 New Order.exe 2636 New Order.exe 1668 server.exeserver.exe 1668 server.exeserver.exe 1668 server.exeserver.exe 1668 server.exeserver.exe 2636 New Order.exe 2636 New Order.exe 2636 New Order.exe 2636 New Order.exe 1668 server.exeserver.exe 1668 server.exeserver.exe 1668 server.exeserver.exe 1668 server.exeserver.exe 1668 server.exeserver.exe 1668 server.exeserver.exe 1668 server.exeserver.exe 1668 server.exeserver.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
server.exeserver.exeNew Order.exepid Process 1668 server.exeserver.exe 1960 New Order.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
New Order.exeNew Order.exeserver.exeserver.exeNew Order.exedescription pid Process Token: SeDebugPrivilege 2636 New Order.exe Token: SeIncreaseQuotaPrivilege 1676 New Order.exe Token: SeSecurityPrivilege 1676 New Order.exe Token: SeTakeOwnershipPrivilege 1676 New Order.exe Token: SeLoadDriverPrivilege 1676 New Order.exe Token: SeSystemProfilePrivilege 1676 New Order.exe Token: SeSystemtimePrivilege 1676 New Order.exe Token: SeProfSingleProcessPrivilege 1676 New Order.exe Token: SeIncBasePriorityPrivilege 1676 New Order.exe Token: SeCreatePagefilePrivilege 1676 New Order.exe Token: SeBackupPrivilege 1676 New Order.exe Token: SeRestorePrivilege 1676 New Order.exe Token: SeShutdownPrivilege 1676 New Order.exe Token: SeDebugPrivilege 1676 New Order.exe Token: SeSystemEnvironmentPrivilege 1676 New Order.exe Token: SeChangeNotifyPrivilege 1676 New Order.exe Token: SeRemoteShutdownPrivilege 1676 New Order.exe Token: SeUndockPrivilege 1676 New Order.exe Token: SeManageVolumePrivilege 1676 New Order.exe Token: SeImpersonatePrivilege 1676 New Order.exe Token: SeCreateGlobalPrivilege 1676 New Order.exe Token: 33 1676 New Order.exe Token: 34 1676 New Order.exe Token: 35 1676 New Order.exe Token: 36 1676 New Order.exe Token: SeDebugPrivilege 1668 server.exeserver.exe Token: SeIncreaseQuotaPrivilege 1960 New Order.exe Token: SeSecurityPrivilege 1960 New Order.exe Token: SeTakeOwnershipPrivilege 1960 New Order.exe Token: SeLoadDriverPrivilege 1960 New Order.exe Token: SeSystemProfilePrivilege 1960 New Order.exe Token: SeSystemtimePrivilege 1960 New Order.exe Token: SeProfSingleProcessPrivilege 1960 New Order.exe Token: SeIncBasePriorityPrivilege 1960 New Order.exe Token: SeCreatePagefilePrivilege 1960 New Order.exe Token: SeBackupPrivilege 1960 New Order.exe Token: SeRestorePrivilege 1960 New Order.exe Token: SeShutdownPrivilege 1960 New Order.exe Token: SeDebugPrivilege 1960 New Order.exe Token: SeSystemEnvironmentPrivilege 1960 New Order.exe Token: SeChangeNotifyPrivilege 1960 New Order.exe Token: SeRemoteShutdownPrivilege 1960 New Order.exe Token: SeUndockPrivilege 1960 New Order.exe Token: SeManageVolumePrivilege 1960 New Order.exe Token: SeImpersonatePrivilege 1960 New Order.exe Token: SeCreateGlobalPrivilege 1960 New Order.exe Token: 33 1960 New Order.exe Token: 34 1960 New Order.exe Token: 35 1960 New Order.exe Token: 36 1960 New Order.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
New Order.exepid Process 1960 New Order.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
New Order.exeNew Order.execmd.execmd.exedescription pid Process procid_target PID 2636 wrote to memory of 1952 2636 New Order.exe 94 PID 2636 wrote to memory of 1952 2636 New Order.exe 94 PID 2636 wrote to memory of 1952 2636 New Order.exe 94 PID 2636 wrote to memory of 1668 2636 New Order.exe 96 PID 2636 wrote to memory of 1668 2636 New Order.exe 96 PID 2636 wrote to memory of 1668 2636 New Order.exe 96 PID 2636 wrote to memory of 1676 2636 New Order.exe 97 PID 2636 wrote to memory of 1676 2636 New Order.exe 97 PID 2636 wrote to memory of 1676 2636 New Order.exe 97 PID 2636 wrote to memory of 1676 2636 New Order.exe 97 PID 2636 wrote to memory of 1676 2636 New Order.exe 97 PID 2636 wrote to memory of 1676 2636 New Order.exe 97 PID 2636 wrote to memory of 1676 2636 New Order.exe 97 PID 2636 wrote to memory of 1676 2636 New Order.exe 97 PID 2636 wrote to memory of 1676 2636 New Order.exe 97 PID 2636 wrote to memory of 1676 2636 New Order.exe 97 PID 2636 wrote to memory of 1676 2636 New Order.exe 97 PID 2636 wrote to memory of 1676 2636 New Order.exe 97 PID 1676 wrote to memory of 1704 1676 New Order.exe 98 PID 1676 wrote to memory of 1704 1676 New Order.exe 98 PID 1676 wrote to memory of 1704 1676 New Order.exe 98 PID 1676 wrote to memory of 1820 1676 New Order.exe 100 PID 1676 wrote to memory of 1820 1676 New Order.exe 100 PID 1676 wrote to memory of 1820 1676 New Order.exe 100 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1676 wrote to memory of 3588 1676 New Order.exe 101 PID 1820 wrote to memory of 3904 1820 cmd.exe 103 PID 1820 wrote to memory of 3904 1820 cmd.exe 103 PID 1820 wrote to memory of 3904 1820 cmd.exe 103 PID 1704 wrote to memory of 3224 1704 cmd.exe 104 PID 1704 wrote to memory of 3224 1704 cmd.exe 104 PID 1704 wrote to memory of 3224 1704 cmd.exe 104 PID 1676 wrote to memory of 3840 1676 New Order.exe 105 PID 1676 wrote to memory of 3840 1676 New Order.exe 105 PID 1676 wrote to memory of 3840 1676 New Order.exe 105 PID 2636 wrote to memory of 3872 2636 New Order.exe 106 PID 2636 wrote to memory of 3872 2636 New Order.exe 106 PID 2636 wrote to memory of 3872 2636 New Order.exe 106 PID 2636 wrote to memory of 1960 2636 New Order.exe 107 PID 2636 wrote to memory of 1960 2636 New Order.exe 107 PID 2636 wrote to memory of 1960 2636 New Order.exe 107 PID 2636 wrote to memory of 1960 2636 New Order.exe 107 PID 2636 wrote to memory of 1960 2636 New Order.exe 107 PID 2636 wrote to memory of 1960 2636 New Order.exe 107 PID 2636 wrote to memory of 1960 2636 New Order.exe 107 PID 2636 wrote to memory of 1960 2636 New Order.exe 107 PID 2636 wrote to memory of 1960 2636 New Order.exe 107 PID 2636 wrote to memory of 1960 2636 New Order.exe 107 PID 2636 wrote to memory of 1960 2636 New Order.exe 107 -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid Process 3904 attrib.exe 3224 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Order.exe"C:\Users\Admin\AppData\Local\Temp\New Order.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z214"2⤵
- Creates scheduled task(s)
PID:1952
-
-
C:\Users\Admin\AppData\Local\Temp\server.exeserver.exe"C:\Users\Admin\AppData\Local\Temp\server.exeserver.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
-
C:\Users\Admin\AppData\Local\Temp\New Order.exe"C:\Users\Admin\AppData\Local\Temp\New Order.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\New Order.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\New Order.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3224
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3904
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵PID:3588
-
-
C:\Users\Admin\AppData\Roaming\MSDCSC\svchost.exe"C:\Users\Admin\AppData\Roaming\MSDCSC\svchost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
PID:3840 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z931"4⤵
- Creates scheduled task(s)
PID:3508
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\New Order.exe"C:\Users\Admin\AppData\Local\Temp\New Order.exe"2⤵
- Executes dropped EXE
PID:3872
-
-
C:\Users\Admin\AppData\Local\Temp\New Order.exe"C:\Users\Admin\AppData\Local\Temp\New Order.exe"2⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1960 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵PID:4144
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
964KB
MD5ac117adca6eb38e0063d02f6ac8d021f
SHA11dc3841438485efadf7604ae3215e2800526868d
SHA25602f1f6593d82e544a37a26d89e6b882be7722033acf1d95b298b8a44da792f24
SHA512457ab69e3f894833cb07ea849f3cc461b13bc82bbf3df63ca03181a41335edea77e2a74a8d349e94c4944286f6be09dc9b1b7f49e3180b94bdd030d15f49482b
-
Filesize
202KB
MD5d1ec545c456123fbf732b150fcd004ad
SHA1ea9bce20767f3cd291da26b50d26169ddbc46260
SHA256f6bd8ce890fb83d0a91d1253f1bdf755ad239c83f9072331d08bc003cc211d70
SHA5123823f6af2282d9ec8052869799c154513a76e34609b5408198c019bd3973437fc03c6c9aa04c4d8347d98fa3f8b5c36a9f6c0754f2b1c87dd049b97d85803690
-
Filesize
1KB
MD522b5fc9f0e16f6461dcd8c723f7080fd
SHA19ee76ecdc30a66d6ddb655728cfbb5aff50cc9b7
SHA256871860b714b05d0c3065cf2c7cc7bcb5111b735a0e91e3a17a437edce865712b
SHA512d9913a1b7d1a18e61c733e8fa229a5b9626fe1757d1a86875025a9cc3e1cd05e0803a826d28590aa3958b61e7ebe0a9e198de5ec7ea817918c2ca15497618bae