Resubmissions
  05/02/2025, 07:19  250205-h5lwkaxndj  10
  07/10/2022, 19:32  221007-x8zddsdeap  10
  01/10/2022, 23:37  221001-3mgjcadden  10

Analysis
  max time kernel:   186s
  max time network:  44s
  platform:          windows7_x64
  resource:          win7-20220812-en
  resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:         01/10/2022, 23:37
Behavioral task: behavioral1
  Sample:    c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede.exe
  Resource:  win7-20220812-en
General
  Target:  c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede.exe
  Size:    658KB
  MD5:     01f80684f9ebae1fc31a67e9fc6b4eb8
  SHA1:    cd0a5f3d1b66fe80c07a99815c9fb15605c8198c
  SHA256:  c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede
  SHA512:  c68b087676e11e210aceaabbefa18122d109b3c383ee25a635a327c6d477a9d73637ab49093a02b1756d65291a105601130196f8dbec832940cf0103bb28a721
  SSDEEP:  12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hS:KZ1xuVVjfFoynPaVBUR8f+kN10EB8
Malware Config

Extracted
  Family:            darkcomet
  Botnet:            Guest16
  C2:                idkwhat1235.no-ip.biz:6000
  Mutex:             DC_MUTEX-8JHYGAC
  InstallPath:       MSDCSC\msdcsc.exe
  gencode:           2bi6GSkz4SLb
  install:           true
  offline_keylogger: true
  persistence:       false
  reg_key:           MicroUpdate
Signatures

Modifies WinLogon for persistence  2 TTPs  1 IoCs
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  [c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede.exe]

Modifies firewall policy service  2 TTPs  3 IoCs
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  [msdcsc.exe]
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  [msdcsc.exe]
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"  [msdcsc.exe]

Modifies security service  2 TTPs  1 IoCs
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  [msdcsc.exe]

Windows security bypass
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [msdcsc.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [msdcsc.exe]

Disables RegEdit via registry modification  1 IoCs
  Set value (int)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [msdcsc.exe]

Disables Task Manager via registry modification

Executes dropped EXE  1 IoCs
  PID 1812  msdcsc.exe

Sets file to hidden  1 TTPs  2 IoCs
  Modifies file attributes to stop it showing in Explorer etc.
  PID 1672  attrib.exe
  PID 1468  attrib.exe

Loads dropped DLL  2 IoCs
  PID 1784  c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede.exe
  PID 1784  c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede.exe

Windows security modification
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [msdcsc.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [msdcsc.exe]

Adds Run key to start application  2 TTPs  1 IoCs
  Set value (str)  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  [c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede.exe]

Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam  1 IoCs
  PID 1812  msdcsc.exe

Suspicious use of AdjustPrivilegeToken  46 IoCs
  PID 1784  c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede.exe, 23 tokens:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 1812  msdcsc.exe, the same 23 tokens in the same order

Suspicious use of SetWindowsHookEx  1 IoCs
  PID 1812  msdcsc.exe

Suspicious use of WriteProcessMemory  43 IoCs
  (source PID and process -> target PID; procid_target; number of identical entries)
  1784 c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede.exe -> 1604  (procid_target 28)  x4
  1784 c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede.exe -> 1692  (procid_target 30)  x4
  1692 cmd.exe -> 1672  (procid_target 32)  x4
  1604 cmd.exe -> 1468  (procid_target 33)  x4
  1784 c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede.exe -> 1812  (procid_target 34)  x4
  1812 msdcsc.exe -> 1796  (procid_target 35)  x23

System policy modification  1 TTPs  3 IoCs
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion  [msdcsc.exe]
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern  [msdcsc.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"  [msdcsc.exe]

Views/modifies file attributes  1 TTPs  2 IoCs
  PID 1672  attrib.exe
  PID 1468  attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede.exe  (depth 1, PID 1784)
  command line: "C:\Users\Admin\AppData\Local\Temp\c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 1604)
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede.exe" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe  (depth 3, PID 1468)
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe  (depth 2, PID 1692)
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe  (depth 3, PID 1672)
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  (depth 2, PID 1812)
    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\SysWOW64\notepad.exe  (depth 3, PID 1796)
      command line: notepad
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize:  658KB
  MD5:       01f80684f9ebae1fc31a67e9fc6b4eb8
  SHA1:      cd0a5f3d1b66fe80c07a99815c9fb15605c8198c
  SHA256:    c879c4891a1eba5c4f3a1bf38e3ed8d530ce67721cab3b26547ff50190b55ede
  SHA512:    c68b087676e11e210aceaabbefa18122d109b3c383ee25a635a327c6d477a9d73637ab49093a02b1756d65291a105601130196f8dbec832940cf0103bb28a721