Resubmissions
Submitted            Analysis ID          Score
05/02/2025, 07:30    250205-jb9afaxrdl    10
05/02/2025, 07:08    250205-hx7s3axlak    10
01/10/2022, 23:07    221001-235ensceam    10
Analysis
max time kernel: 156s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/10/2022, 23:07
Static task: static1
Behavioral task: behavioral1
  Sample: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  Resource: win10v2004-20220812-en
General
Target: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
Size: 582KB
MD5: 6ee8965f23ab498defe80b79ab2ca52c
SHA1: 0d74605007a81bf44052dcf43385b236d9401c66
SHA256: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07
SHA512: 9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3
SSDEEP: 12288:3w3BadD1/+wudvYWgktZiE0SJObe2HhcduQ6H6fI:GadVpupYWgktZigsS2Haub6
Malware Config
Extracted
darkcomet
DataProtector13.05.2013
vierus330.no-ip.org:9751
DCMIN_MUTEX-P9NPCV7
gencode: Ch5FEfuRL0mp
install: false
offline_keylogger: true
persistence: false
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\cmiadapter.exe"
  process: reg.exe
Executes dropped EXE (3 IoCs)
  pid 4212  cmiadapter.exe
  pid 764   PrintConfig.exe
  pid 4864  cmiadapter.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  cmiadapter.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  PrintConfig.exe
Drops desktop.ini file(s) (2 IoCs)
  File created                  C:\Windows\assembly\Desktop.ini  0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini  0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
Suspicious use of SetThreadContext (2 IoCs)
  PID 4388 set thread context of 3108  0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe  procid_target 89
  PID 764 set thread context of 2876   PrintConfig.exe  procid_target 98
Drops file in Windows directory (3 IoCs)
  File opened for modification  C:\Windows\assembly              0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  File created                  C:\Windows\assembly\Desktop.ini  0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  File opened for modification  C:\Windows\assembly\Desktop.ini  0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
  pid 3256  pid_target 3108  WerFault.exe  procid_target 89
  pid 1536  pid_target 2876  WerFault.exe  procid_target 98
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4388  0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe  (12 entries)
  pid 4212  cmiadapter.exe  (52 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  pid 4388  0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  Token: SeDebugPrivilege  pid 4212  cmiadapter.exe
  Token: SeDebugPrivilege  pid 764   PrintConfig.exe
  Token: SeDebugPrivilege  pid 4864  cmiadapter.exe
Suspicious use of WriteProcessMemory (39 IoCs)
  PID 4388 wrote to memory of 3108  0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe  procid_target 89   (12 entries)
  PID 4388 wrote to memory of 4212  0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe  procid_target 92   (3 entries)
  PID 4212 wrote to memory of 2528  cmiadapter.exe   procid_target 94   (3 entries)
  PID 2528 wrote to memory of 392   cmd.exe          procid_target 96   (3 entries)
  PID 4212 wrote to memory of 764   cmiadapter.exe   procid_target 97   (3 entries)
  PID 764 wrote to memory of 2876   PrintConfig.exe  procid_target 98   (12 entries)
  PID 764 wrote to memory of 4864   PrintConfig.exe  procid_target 101  (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe"
   PID: 4388
   - Checks computer location settings
   - Drops desktop.ini file(s)
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Windows\System32\svchost.exe"
      PID: 3108
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 524
         PID: 3256
         - Program crash
   2. C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
      PID: 4212
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
         PID: 2528
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
            PID: 392
            - Modifies WinLogon for persistence
      3. C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe"
         PID: 764
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\svchost.exe
            Command line: "C:\Windows\System32\svchost.exe"
            PID: 2876
            5. C:\Windows\SysWOW64\WerFault.exe
               Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 536
               PID: 1536
               - Program crash
         4. C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
            PID: 4864
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3108 -ip 3108
   PID: 2340
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2876 -ip 2876
   PID: 980
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 128B
  MD5: a5dcc7c9c08af7dddd82be5b036a4416
  SHA1: 4f998ca1526d199e355ffb435bae111a2779b994
  SHA256: e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5
  SHA512: 56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a
Filesize: 582KB (two identical entries)
  MD5: 6ee8965f23ab498defe80b79ab2ca52c
  SHA1: 0d74605007a81bf44052dcf43385b236d9401c66
  SHA256: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07
  SHA512: 9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3
Filesize: 16KB (three identical entries)
  MD5: c6c51cca0adc05ece4e02e83476a50b9
  SHA1: dee0bc2c12ef7e5daec14939556b436d626eff25
  SHA256: af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2
  SHA512: 389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0