Resubmissions
- 05/02/2025, 07:32: 250205-jc74rswpdw (score 10)
- 05/02/2025, 07:10: 250205-hzekasxlej (score 10)
- 01/10/2022, 22:04: 221001-1y9cdsafgm (score 10)

Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01/10/2022, 22:04
Static task: static1

Behavioral task: behavioral1
- Sample: e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe
- Resource: win10v2004-20220812-en
General
- Target: e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe
- Size: 686KB
- MD5: 012a1196493ab7f81db07c2bee6a0302
- SHA1: 4210c6b6036381428c5f74c6ef0eed02fb8926e2
- SHA256: e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56
- SHA512: 60a4b7358df12e759b46632eb20f2c7c2874b8f62cab5b2ff7ea2656ec98257b3165404041c59d57ab4db3ebaef52bc9d01a022594bba8be0d13c67d57a0c3c9
- SSDEEP: 12288:DsrDj72TynbM+b233JvdepuKGMXO/iXv89/w2t+09F/8bERxYp2cjR/gQQu4cbWh:DYh3b233dKHXcX/w2t+09F/8biDcdglx
Malware Config
Extracted
- Family: darkcomet
- Botnet: Opfer
- C2: tima.myftp.biz:1001
- Mutex: DCMIN_MUTEX-750S66E
- InstallPath: Windows\taskhost.exe
- gencode: xmB35GD9pqNN
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: NT Kernel & Systeam
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows\\taskhost.exe" (process: e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe)

Executes dropped EXE (2 IoCs)
- PID 268 taskhost.exe
- PID 1832 taskhost.exe

Loads dropped DLL (2 IoCs)
- PID 2012 e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe
- PID 268 taskhost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\NT Kernel & Systeam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows\\taskhost.exe" (process: e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe)

Suspicious use of SetThreadContext (2 IoCs)
- PID 1948 (e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe) set thread context of PID 2012 (procid_target 28)
- PID 268 (taskhost.exe) set thread context of PID 1832 (procid_target 30)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (48 IoCs)
- PID 1948 e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe: SeDebugPrivilege
- PID 2012 e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 268 taskhost.exe: SeDebugPrivilege
- PID 1832 taskhost.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1832 taskhost.exe

Suspicious use of WriteProcessMemory (30 IoCs; the entries are repeated instances of the following three parent-to-child writes)
- PID 1948 (e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe) wrote to memory of PID 2012 (procid_target 28)
- PID 2012 (e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe) wrote to memory of PID 268 (procid_target 29)
- PID 268 (taskhost.exe) wrote to memory of PID 1832 (procid_target 30)
Processes
- C:\Users\Admin\AppData\Local\Temp\e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe (PID 1948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe (PID 2012, child of 1948)
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Windows\taskhost.exe (PID 268, child of 2012)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Windows\taskhost.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Windows\taskhost.exe (PID 1832, child of 268)
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Five download entries are listed, all with identical hashes matching the submitted sample:
- Filesize: 686KB
- MD5: 012a1196493ab7f81db07c2bee6a0302
- SHA1: 4210c6b6036381428c5f74c6ef0eed02fb8926e2
- SHA256: e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56
- SHA512: 60a4b7358df12e759b46632eb20f2c7c2874b8f62cab5b2ff7ea2656ec98257b3165404041c59d57ab4db3ebaef52bc9d01a022594bba8be0d13c67d57a0c3c9