Analysis
max time kernel: 150s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 09:18
Behavioral task: behavioral1
Sample: 5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Resource: win7-20220812-en
General
Target: 5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
Size: 681KB
MD5: 4e0811569886759752e02fe7cb9d2a90
SHA1: b7d1288f56c430e1e65b5034c938b38a986f228a
SHA256: 5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e
SHA512: b9c7ab963b07d1416d5f119c52a8c2577157b7a780d73678e54aa871ac67f42f81a2f3d0af88568e1b3395d2609d5a0fb628b85c1ba40a88e70aa9f0445a763e
SSDEEP: 12288:r9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hD:lZ1xuVVjfFoynPaVBUR8f+kN10EBB
Malware Config
Extracted
Family: darkcomet
Botnet: jaja
C2:
  darkcomet9912.no-ip.biz:80
  darkcomet9912.no-ip.biz:82
  darkcomet9912.no-ip.biz:10048
  81.190.65.57:10048
  81.190.65.57:82
  81.190.65.57:80
Mutex: DC_MUTEX-E9RCJ06
Attributes:
  InstallPath: MSDCSC\msdcsc.exe
  gencode: 1ue7ZRVqVhWU
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: Update
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe

Modifies firewall policy service (2 TTPs, 3 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe

Disables RegEdit via registry modification (1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | msdcsc.exe

Disables Task Manager via registry modification
  (no IoC rows listed in the report)

Executes dropped EXE (1 IoC)
  pid | process
  2704 | msdcsc.exe

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid | process
  4656 | attrib.exe
  2292 | attrib.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (no IoC rows listed in the report)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  2704 | msdcsc.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  pid | process | tokens
  3064 | 5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  2704 | msdcsc.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  2704 | msdcsc.exe

Suspicious use of WriteProcessMemory (54 IoCs)
  description | pid | process | procid_target | occurrences
  PID 3064 wrote to memory of 1292 | 3064 | 5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe | 82 | 3
  PID 3064 wrote to memory of 3668 | 3064 | 5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe | 84 | 3
  PID 3064 wrote to memory of 392 | 3064 | 5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe | 85 | 17
  PID 1292 wrote to memory of 4656 | 1292 | cmd.exe | 88 | 3
  PID 3064 wrote to memory of 2704 | 3064 | 5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe | 87 | 3
  PID 3668 wrote to memory of 2292 | 3668 | cmd.exe | 89 | 3
  PID 2704 wrote to memory of 1060 | 2704 | msdcsc.exe | 90 | 22

Views/modifies file attributes (1 TTP, 2 IoCs)
  pid | process
  4656 | attrib.exe
  2292 | attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe"
  PID: 3064
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe" +s +h
    PID: 1292
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e.exe" +s +h
      PID: 4656
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    PID: 3668
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 2292
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Windows\SysWOW64\notepad.exe
    command line: notepad
    PID: 392

  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    PID: 2704
    - Modifies firewall policy service
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe
      command line: notepad
      PID: 1060
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 681KB
MD5: 4e0811569886759752e02fe7cb9d2a90
SHA1: b7d1288f56c430e1e65b5034c938b38a986f228a
SHA256: 5033b6023262057f028bc8f1863e1568b77c3748c58d0a2dfc752167605f522e
SHA512: b9c7ab963b07d1416d5f119c52a8c2577157b7a780d73678e54aa871ac67f42f81a2f3d0af88568e1b3395d2609d5a0fb628b85c1ba40a88e70aa9f0445a763e