Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

4f14b97c7a...cd.exe

windows7-x64

10

4f14b97c7a...cd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2022, 06:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f14b97c7ab69709f262f8ef0bb4fab6073a05fe28481fb85d1ef698552c41cd.exe

  • Size

    316KB

  • MD5

    57a8ba5e980c285cc124f766aab57a90

  • SHA1

    a2de9ff2121b705cf471a0eb88f379ea22ee0fae

  • SHA256

    4f14b97c7ab69709f262f8ef0bb4fab6073a05fe28481fb85d1ef698552c41cd

  • SHA512

    9562c65d46c9cfac30734ed4ff65a9c94769967a90fb02ec3a3bea520c77afd2a7571836bfe27cedf6d92c50ab448231592fb48e1c032ba799482ed557997265

  • SSDEEP

    6144:RHjwI7Ro8vT91lV7bjFZaChLXMe65ytmZLL0MdWnpQZh9h4/:ZjwARb91lVTFRjaYsuMd0QZh9u/

Score
10/10
darkcometevasionpersistencerattrojan

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f14b97c7ab69709f262f8ef0bb4fab6073a05fe28481fb85d1ef698552c41cd.exe
    "C:\Users\Admin\AppData\Local\Temp\4f14b97c7ab69709f262f8ef0bb4fab6073a05fe28481fb85d1ef698552c41cd.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
        PID:2624
      • C:\Windows\Windupdt\winupdate.exe
        "C:\Windows\Windupdt\winupdate.exe"
        2⤵
        • Modifies security service
        • Windows security bypass
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          3⤵
            PID:1212
        • C:\Windows\SysWOW64\ping.exe
          ping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Local\Temp\4f14b97c7ab69709f262f8ef0bb4fab6073a05fe28481fb85d1ef698552c41cd.exe"
          2⤵
          • Runs ping.exe
          PID:2192

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\Windupdt\winupdate.exe
        Filesize

        316KB

        MD5

        57a8ba5e980c285cc124f766aab57a90

        SHA1

        a2de9ff2121b705cf471a0eb88f379ea22ee0fae

        SHA256

        4f14b97c7ab69709f262f8ef0bb4fab6073a05fe28481fb85d1ef698552c41cd

        SHA512

        9562c65d46c9cfac30734ed4ff65a9c94769967a90fb02ec3a3bea520c77afd2a7571836bfe27cedf6d92c50ab448231592fb48e1c032ba799482ed557997265

        Download Submit

      • C:\Windows\Windupdt\winupdate.exe
        Filesize

        316KB

        MD5

        57a8ba5e980c285cc124f766aab57a90

        SHA1

        a2de9ff2121b705cf471a0eb88f379ea22ee0fae

        SHA256

        4f14b97c7ab69709f262f8ef0bb4fab6073a05fe28481fb85d1ef698552c41cd

        SHA512

        9562c65d46c9cfac30734ed4ff65a9c94769967a90fb02ec3a3bea520c77afd2a7571836bfe27cedf6d92c50ab448231592fb48e1c032ba799482ed557997265

        Download Submit

      • memory/4260-132-0x0000000000400000-0x00000000004E3000-memory.dmp

        Filesize

        908KB

        Download

      • memory/4260-134-0x0000000000400000-0x00000000004E3000-memory.dmp

        Filesize

        908KB

        Download

      • memory/4260-140-0x0000000000400000-0x00000000004E3000-memory.dmp

        Filesize

        908KB

        Download

      • memory/4828-141-0x0000000000400000-0x00000000004E3000-memory.dmp

        Filesize

        908KB

        Download

      • memory/4828-142-0x0000000000400000-0x00000000004E3000-memory.dmp

        Filesize

        908KB

        Download