Resubmissions
- 05/02/2025, 07:32: 250205-jc74rswpdw (10)
- 05/02/2025, 07:10: 250205-hzekasxlej (10)
- 01/10/2022, 22:04: 221001-1y9cdsafgm (10)
Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/10/2022, 22:04
Static task
- static1
Behavioral task
- behavioral1: Sample e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe, Resource win7-20220812-en
- behavioral2: Sample e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe, Resource win10v2004-20220812-en
General
- Target: e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe
- Size: 686KB
- MD5: 012a1196493ab7f81db07c2bee6a0302
- SHA1: 4210c6b6036381428c5f74c6ef0eed02fb8926e2
- SHA256: e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56
- SHA512: 60a4b7358df12e759b46632eb20f2c7c2874b8f62cab5b2ff7ea2656ec98257b3165404041c59d57ab4db3ebaef52bc9d01a022594bba8be0d13c67d57a0c3c9
- SSDEEP: 12288:DsrDj72TynbM+b233JvdepuKGMXO/iXv89/w2t+09F/8bERxYp2cjR/gQQu4cbWh:DYh3b233dKHXcX/w2t+09F/8biDcdglx
Malware Config
Extracted
- Family: darkcomet
- Botnet: Opfer
- C2: tima.myftp.biz:1001
- Mutex: DCMIN_MUTEX-750S66E
- InstallPath: Windows\taskhost.exe
- gencode: xmB35GD9pqNN
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: NT Kernel & Systeam
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows\\taskhost.exe" (process: e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe)
- Executes dropped EXE (2 IoCs)
  - PID 4724: taskhost.exe
  - PID 3604: taskhost.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NT Kernel & Systeam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows\\taskhost.exe" (process: e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 4204 (e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe) set thread context of PID 1392 (procid_target 85)
  - PID 4724 (taskhost.exe) set thread context of PID 3604 (procid_target 87)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  - PID 4204 (e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe): SeDebugPrivilege
  - PID 1392 (e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  - PID 4724 (taskhost.exe): SeDebugPrivilege
  - PID 3604 (taskhost.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 3604: taskhost.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  - PID 4204 (e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe) wrote to memory of PID 1392 (procid_target 85): 14 entries
  - PID 1392 (e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe) wrote to memory of PID 4724 (procid_target 86): 3 entries
  - PID 4724 (taskhost.exe) wrote to memory of PID 3604 (procid_target 87): 14 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe (command line: "C:\Users\Admin\AppData\Local\Temp\e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe"), PID 4204
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56.exe, PID 1392
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Windows\taskhost.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Windows\taskhost.exe"), PID 4724
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Windows\taskhost.exe, PID 3604
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 686KB
  - MD5: 012a1196493ab7f81db07c2bee6a0302
  - SHA1: 4210c6b6036381428c5f74c6ef0eed02fb8926e2
  - SHA256: e968e7193747c1e610542f38a4db66864e8d0e10f6ba2c7b32a971958aef6c56
  - SHA512: 60a4b7358df12e759b46632eb20f2c7c2874b8f62cab5b2ff7ea2656ec98257b3165404041c59d57ab4db3ebaef52bc9d01a022594bba8be0d13c67d57a0c3c9