Resubmissions
- 05/02/2025, 07:30: 250205-jb9afaxrdl (score 10)
- 05/02/2025, 07:08: 250205-hx7s3axlak (score 10)
- 01/10/2022, 23:07: 221001-235ensceam (score 10)

Analysis
max time kernel: 153s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 01/10/2022, 23:07
Static task: static1
Behavioral task: behavioral1
  Sample: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  Resource: win10v2004-20220812-en
General
Target: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
Size: 582KB
MD5: 6ee8965f23ab498defe80b79ab2ca52c
SHA1: 0d74605007a81bf44052dcf43385b236d9401c66
SHA256: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07
SHA512: 9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3
SSDEEP: 12288:3w3BadD1/+wudvYWgktZiE0SJObe2HhcduQ6H6fI:GadVpupYWgktZigsS2Haub6
Malware Config
Extracted
Family: darkcomet
Botnet: DataProtector13.05.2013
C2: vierus330.no-ip.org:9751
Mutex: DCMIN_MUTEX-P9NPCV7
gencode: Ch5FEfuRL0mp
install: false
offline_keylogger: true
persistence: false
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Process: reg.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\cmiadapter.exe"
Executes dropped EXE (3 IoCs)
- PID 2004: cmiadapter.exe
- PID 1464: PrintConfig.exe
- PID 1604: cmiadapter.exe
Loads dropped DLL (3 IoCs)
- PID 2032: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
- PID 2004: cmiadapter.exe
- PID 1464: PrintConfig.exe
Suspicious use of SetThreadContext (2 IoCs)
- PID 2032 set thread context of 1880 (process: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe, procid_target: 26)
- PID 1464 set thread context of 1816 (process: PrintConfig.exe, procid_target: 32)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (50 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1880: svchost.exe
Suspicious use of WriteProcessMemory (46 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe (PID 2032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (PID 1880)
      Command line: "C:\Windows\System32\svchost.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe (PID 2004)
      Command line: "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1160)
          Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\reg.exe (PID 1512)
              Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
              - Modifies WinLogon for persistence
        C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe (PID 1464)
          Command line: "C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\svchost.exe (PID 1816)
              Command line: "C:\Windows\System32\svchost.exe"
              - Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe (PID 1604)
              Command line: "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 582KB
  MD5: 6ee8965f23ab498defe80b79ab2ca52c
  SHA1: 0d74605007a81bf44052dcf43385b236d9401c66
  SHA256: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07
  SHA512: 9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3
- Filesize: 16KB
  MD5: c6c51cca0adc05ece4e02e83476a50b9
  SHA1: dee0bc2c12ef7e5daec14939556b436d626eff25
  SHA256: af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2
  SHA512: 389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0