Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    153s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 09:18

General

  • Target

    12cdbf473c84542951d19260e645ab59a20fa2427dac412d5fdf25b4486e7273.exe

  • Size

    827KB

  • MD5

    26743328ebdd1a217b93c66c9148ad7f

  • SHA1

    da547a2570a5948797d98113d948d8eadd45bcaf

  • SHA256

    12cdbf473c84542951d19260e645ab59a20fa2427dac412d5fdf25b4486e7273

  • SHA512

    418abdb611e2f2a7d5d15671086035359aaeda5d1d56507913cc7461a15533587e2033eb979608d708bf0ec13410ddf5f7d4dc4680f2e6364ee9dc630dd6cd33

  • SSDEEP

    24576:z1dlZo5svvY7yRsYW+dwY6+5jzHaLtnvU0TVDMmkrG:z1dlZoc+yRsYW+dw6DaLRM4

Score
10/10

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12cdbf473c84542951d19260e645ab59a20fa2427dac412d5fdf25b4486e7273.exe
    "C:\Users\Admin\AppData\Local\Temp\12cdbf473c84542951d19260e645ab59a20fa2427dac412d5fdf25b4486e7273.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Extracted\foto.exe.exe
      "C:\Extracted\foto.exe.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:2968

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Extracted\foto.exe.exe

    Filesize

    811KB

    MD5

    9b9974782ababfe6b38af9016a596f9f

    SHA1

    40b7132139439e4a23c768bb40aabeaa5a256721

    SHA256

    68a13f94a0842fd8c61d85401d8ba5e3678e0049e2cb3261f2df6264a33f7fd6

    SHA512

    8677062870f490dc8f11960f042ef98f72dc8f13d8aba5c922130246696d7bc89eb57617898635f87a21eb6732d0bb15c9cc1474bf1fca2aed74cef7cfe3cb26

  • C:\Extracted\foto.exe.exe

    Filesize

    811KB

    MD5

    9b9974782ababfe6b38af9016a596f9f

    SHA1

    40b7132139439e4a23c768bb40aabeaa5a256721

    SHA256

    68a13f94a0842fd8c61d85401d8ba5e3678e0049e2cb3261f2df6264a33f7fd6

    SHA512

    8677062870f490dc8f11960f042ef98f72dc8f13d8aba5c922130246696d7bc89eb57617898635f87a21eb6732d0bb15c9cc1474bf1fca2aed74cef7cfe3cb26