Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
171s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
19/09/2022, 07:39
General
-
Target
629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe
-
Size
421KB
-
MD5
0a9ec679a384121c95204d4c259202ef
-
SHA1
44e703e7ddafe82e6bbdc119760a07f69471ca32
-
SHA256
629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc
-
SHA512
195e4c1e52a245839de83da5cce409049fb1e10c5af3763659a68de0b0e310932056cb0a8456e0bff2d8fb43e8c40fcf59084cc88387bce2e4276109388d0cc8
-
SSDEEP
12288:RaG4mtL6wfPAdTqrNH30dC0dM17/PmX2A:Rz4mtL6wH2QNX4C0dM1DmmA
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies firewall policy service 2 TTPs 3 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe"C:\Users\Admin\AppData\Local\Temp\629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exeC:\Users\Admin\AppData\Local\Temp\629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc.exe2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\system32\isass.exe"C:\system32\isass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\system32\isass.exeC:\system32\isass.exe4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Checks BIOS information in registry
- Windows security modification
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 6004⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 6004⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 5962⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 5962⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1792 -ip 17921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4876 -ip 48761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1792 -ip 17921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4876 -ip 48761⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
421KB
MD50a9ec679a384121c95204d4c259202ef
SHA144e703e7ddafe82e6bbdc119760a07f69471ca32
SHA256629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc
SHA512195e4c1e52a245839de83da5cce409049fb1e10c5af3763659a68de0b0e310932056cb0a8456e0bff2d8fb43e8c40fcf59084cc88387bce2e4276109388d0cc8
-
Filesize
421KB
MD50a9ec679a384121c95204d4c259202ef
SHA144e703e7ddafe82e6bbdc119760a07f69471ca32
SHA256629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc
SHA512195e4c1e52a245839de83da5cce409049fb1e10c5af3763659a68de0b0e310932056cb0a8456e0bff2d8fb43e8c40fcf59084cc88387bce2e4276109388d0cc8
-
Filesize
421KB
MD50a9ec679a384121c95204d4c259202ef
SHA144e703e7ddafe82e6bbdc119760a07f69471ca32
SHA256629dc4304f9c36caf5cae2c23bba026298f40de00e87a2f3116488f642cac4bc
SHA512195e4c1e52a245839de83da5cce409049fb1e10c5af3763659a68de0b0e310932056cb0a8456e0bff2d8fb43e8c40fcf59084cc88387bce2e4276109388d0cc8
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB