Analysis
max time kernel: 151s
max time network: 192s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2022, 16:02
Behavioral task
behavioral1
Sample: 707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Resource: win7-20220812-en

General
Target: 707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
Size: 661KB
MD5: 081479fd083ec172e9a7c23caba03bb1
SHA1: e7cb1abdef3384ca5ac1a31c2c791a84304926e9
SHA256: 707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02
SHA512: 261cab6c1c3cdba1783b89a15c3b4c6e3e7bee8a4b129c9c9abf511d35f7f4658fea67a561ce775498a7a9df4311357670119ba67acc1f210830baf8c147a900
SSDEEP: 12288:MXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452UR:anAw2WWeFcfbP9VPSPMTSPL/rWvzq4Jh
Malware Config
Extracted
Family: darkcomet
Campaign ID (botnet): Guest16 (the DarkComet builder default)
C2: shizzlekid.zapto.org:1919
Mutex: DC_MUTEX-NE6UK92
InstallPath: MSDCSC\microsoft.exe
gencode: YcKFVzKEhbEr
install: true
offline_keylogger: true
persistence: false
reg_key: Microsoft

Reading the config against the behaviour recorded below: install=true produces the copy at Documents\MSDCSC\microsoft.exe and the Run value named "Microsoft" (reg_key); offline_keylogger=true matches the SetWindowsHookEx and GetForegroundWindow activity of the dropped copy. persistence=false is the builder's separate "persistence installation" option (keeping the installed copy in place) and must not be read as "no autostart": the sandbox observed both a Run key and a Winlogon Userinit hook. zapto.org is a No-IP dynamic DNS domain, so the hostname, not whatever IP it resolved to at analysis time, is the durable network indicator. DC_MUTEX-<id> is DarkComet's mutex naming pattern and is a reliable host indicator for this build.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\microsoft.exe"
  Process: 707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe (PID 976)
  Userinit is a comma-separated list that winlogon executes at every interactive logon; a stock value holds only userinit.exe, so the appended second path is the autostart. The key is in the HKLM hive, so the sample ran with rights to write it (the sandbox user is an administrator). The report renderer shows the backslashes doubled; the value above is the literal string.

Executes dropped EXE (1 IoC)
  PID 1916: microsoft.exe

Sets file to hidden (1 TTP, 1 IoC)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 808: attrib.exe

Loads dropped DLL (2 IoCs)
  PID 976: 707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe (two loads)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\Users\Admin\Documents\MSDCSC\microsoft.exe"
  Process: 707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe (PID 976)
  The value name "Microsoft" is the reg_key from the extracted config and the target is the resolved InstallPath, so this is the second, per-user autostart next to the Userinit hook above.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The second sentence is the sandbox's generic description for this signature. The extracted config identifies the family as DarkComet, a RAT, and nothing else in this report points to file encryption.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1916: microsoft.exe
  Polling GetForegroundWindow is consistent with a keylogger tagging captured keystrokes with the active window; the config has offline_keylogger=true.

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Both the sample (PID 976) and the dropped copy (PID 1916, microsoft.exe) enable the same 23 privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus three logged only by LUID: 33, 34, 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege).
  Enabling every privilege in the token in one pass, instead of the one or two an operation needs, is a common malware idiom (a loop over all privilege names); of these, SeDebugPrivilege is the one that lets the process open arbitrary processes for injection.

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1916: microsoft.exe
  A keyboard hook installed with SetWindowsHookEx is the standard user-mode keylogger mechanism; the hook type is not shown in the report.

Suspicious use of WriteProcessMemory (35 IoCs)
  The 35 entries collapse to four parent-to-child pairs:
    source PID  source process                                                         target PID  target process  writes
    976         707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe  1388        cmd.exe         4
    1388        cmd.exe                                                                808         attrib.exe      4
    976         707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe  1916        microsoft.exe   4
    1916        microsoft.exe                                                          2024        notepad.exe     23
  The four writes per spawn seen for cmd.exe and attrib.exe are what the sandbox logs for an ordinary CreateProcess of a 32-bit child; the 23 writes from microsoft.exe into the notepad.exe it had just started are the outlier and are consistent with the RAT injecting into a freshly spawned notepad.exe used as a host process.

Views/modifies file attributes (1 TTP, 1 IoC)
  PID 808: attrib.exe
  The command line (see Processes) is attrib +s +h on the original dropper in %TEMP%, marking it system and hidden so default Explorer views do not show it.
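As an added example (not tria.ge code and not part of the report), the following Python script performs the checks a hunter would run for the persistence recorded above: it parses a Winlogon Userinit value and a set of Run values the way a detection rule would, and turns the extracted config into concrete indicators. The registry values are the ones shown in this report with the renderer's doubled backslashes undone; the "clean" baseline values and the profile path argument are constructed for contrast.

```python
"""Hunting checks for the DarkComet persistence seen in this report.

Added example; not tria.ge code. The observed values are copied from the
report (backslashes are real single backslashes here); the clean values are
constructed for contrast.
"""
from typing import Dict, List, Tuple

# Stock Windows: Userinit holds exactly one entry, the system userinit.exe
# (commonly with a trailing comma). Anything else is a logon-time autostart.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Path fragments a legitimate autostart binary should not live under.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

# Fields from the "Malware Config" section of the report.
DARKCOMET_CONFIG = {
    "c2": "shizzlekid.zapto.org:1919",
    "mutex": "DC_MUTEX-NE6UK92",
    "install_path": r"MSDCSC\microsoft.exe",
    "reg_key": "Microsoft",
}


def split_reg_list(value: str) -> List[str]:
    """Split a comma-separated Winlogon value; drop empty items and quotes."""
    return [item.strip().strip('"') for item in value.split(",") if item.strip()]


def userinit_extras(value: str) -> List[str]:
    """Entries in Winlogon\\Userinit other than the system userinit.exe."""
    return [e for e in split_reg_list(value) if e.lower() != EXPECTED_USERINIT]


def suspicious_run_entries(run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Run values whose target lives in a user-writable directory."""
    hits = []
    for name, target in run_values.items():
        path = target.strip().strip('"').lower()
        if any(frag in path for frag in USER_WRITABLE):
            hits.append((name, target))
    return hits


def iocs_from_config(cfg: Dict[str, str], profile: str = r"C:\Users\Admin") -> Dict[str, object]:
    """Turn the extracted config into concrete host/network indicators.

    DarkComet's InstallPath is relative to a base folder chosen in the builder;
    the report shows that folder resolved to the user's Documents directory,
    so the absolute path is rebuilt the same way here (profile is an assumption).
    """
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host,
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "install_path": profile + "\\Documents\\" + cfg["install_path"],
        "run_value_name": cfg["reg_key"],
    }


def hunt(userinit_value: str, run_values: Dict[str, str], cfg=DARKCOMET_CONFIG) -> List[str]:
    """Combine the checks into findings a triage ticket could carry."""
    iocs = iocs_from_config(cfg)
    findings = []
    for extra in userinit_extras(userinit_value):
        tag = " (matches extracted install path)" if extra.lower() == str(iocs["install_path"]).lower() else ""
        findings.append(f"Winlogon\\Userinit appends {extra}{tag}")
    for name, target in suspicious_run_entries(run_values):
        tag = " (matches extracted reg_key)" if name == iocs["run_value_name"] else ""
        findings.append(f"Run\\{name} -> {target}{tag}")
    return findings


# Values as observed in this report, single-backslash form.
OBSERVED_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\microsoft.exe"
OBSERVED_RUN = {"Microsoft": r"C:\Users\Admin\Documents\MSDCSC\microsoft.exe"}

# Constructed clean baseline for contrast (not from the report).
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
CLEAN_RUN = {"SecurityHealth": r"C:\Program Files\Windows Defender\MSASCuiL.exe"}

if __name__ == "__main__":
    for line in hunt(OBSERVED_USERINIT, OBSERVED_RUN):
        print(line)
    assert hunt(CLEAN_USERINIT, CLEAN_RUN) == []
```

The Userinit check compares against the single expected entry rather than looking for known-bad strings, so any appended path is caught regardless of family; the Run check is deliberately broad (user-writable locations) and relies on the config-derived name and path only to rank, not to detect.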
Processes

1. C:\Users\Admin\AppData\Local\Temp\707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe"
   PID: 976
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe" +s +h
      PID: 1388
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp\707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe" +s +h
         PID: 808
         - Sets file to hidden
         - Views/modifies file attributes

   2. C:\Users\Admin\Documents\MSDCSC\microsoft.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\microsoft.exe"
      PID: 1916
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\notepad.exe
         Command line: notepad
         PID: 2024

Reading the tree: the dropper (PID 976) hides its own file in %TEMP% with attrib +s +h through a cmd.exe child, then starts the installed copy from Documents\MSDCSC, which in turn launches notepad.exe and writes into it. cmd.exe and attrib.exe are invoked as C:\Windows\System32\... but run from SysWOW64 because the sample is 32-bit (arch:x86) on x64 Windows, where file-system redirection maps System32 to SysWOW64 for WoW64 processes. Both the hidden original in %TEMP% and the installed copy in Documents\MSDCSC remain on disk for collection.
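To separate the loader's own process-creation writes from the injection into notepad.exe, here is an added Python example (not tria.ge code and not part of the report). It parses the WriteProcessMemory signature text in the report's own "PID X wrote to memory of Y X image N" format, counts writes per source/target pair, derives the per-spawn baseline from the pairs that are plain parent-to-child spawns, and flags what exceeds it or targets a process the writer did not create. The event text is transcribed from the report with the repeated entries written as string multiplication; the parent map is taken from the process tree above.

```python
"""Separate process-spawn noise from injection in WriteProcessMemory events.

Added example, not tria.ge code. RAW is the signature text from the report,
transcribed with repeated entries expressed as multiplication; PARENT_OF and
IMAGE_OF come from the report's process tree.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE = "707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02.exe"

RAW = (
    f"PID 976 wrote to memory of 1388 976 {SAMPLE} 27 " * 4
    + "PID 1388 wrote to memory of 808 1388 cmd.exe 29 " * 4
    + f"PID 976 wrote to memory of 1916 976 {SAMPLE} 30 " * 4
    + "PID 1916 wrote to memory of 2024 1916 microsoft.exe 31 " * 23
)

# Process tree from the report: child pid -> parent pid, and pid -> image name.
PARENT_OF = {1388: 976, 808: 1388, 1916: 976, 2024: 1916}
IMAGE_OF = {976: SAMPLE, 1388: "cmd.exe", 808: "attrib.exe", 1916: "microsoft.exe", 2024: "notepad.exe"}

# "PID <src> wrote to memory of <dst> <src> <src image> <target creation id>"
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_events(raw: str) -> List[Tuple[int, int]]:
    """Return (source_pid, target_pid) per logged WriteProcessMemory call."""
    return [(int(src), int(dst)) for src, dst, _img, _cid in EVENT_RE.findall(raw)]


def write_counts(events: List[Tuple[int, int]]) -> Dict[Tuple[int, int], int]:
    """Number of writes per (source_pid, target_pid) pair."""
    return dict(Counter(events))


def spawn_baseline(counts: Dict[Tuple[int, int], int], parent_of: Dict[int, int]) -> int:
    """Smallest write count seen from a parent into its own child.

    In this report every ordinary CreateProcess (cmd.exe, attrib.exe) is logged
    as the same small number of writes, so the minimum is a usable floor.
    Assumption: at least one benign spawn is present; otherwise pass a fixed
    baseline to injection_candidates instead.
    """
    own = [n for (src, dst), n in counts.items() if parent_of.get(dst) == src]
    return min(own) if own else 0


def injection_candidates(events: List[Tuple[int, int]], parent_of: Dict[int, int],
                         image_of: Dict[int, str], baseline: Optional[int] = None) -> List[dict]:
    """Pairs that look like injection rather than plain process creation:
    more writes into a spawned child than the baseline, or any write into a
    process the writer did not create."""
    counts = write_counts(events)
    if baseline is None:
        baseline = spawn_baseline(counts, parent_of)
    hits = []
    for (src, dst), n in sorted(counts.items()):
        own_child = parent_of.get(dst) == src
        if own_child and n <= baseline:
            continue  # the loader's own writes during CreateProcess
        hits.append({
            "source": image_of.get(src, str(src)),
            "target": image_of.get(dst, str(dst)),
            "writes": n,
            "reason": ("writes into a process it did not spawn" if not own_child
                       else f"{n} writes into own child vs baseline {baseline}"),
        })
    return hits


if __name__ == "__main__":
    for hit in injection_candidates(parse_events(RAW), PARENT_OF, IMAGE_OF):
        print(hit)
```

On this report the only pair left after the baseline filter is microsoft.exe writing 23 times into notepad.exe. Deriving the baseline from the data rather than hard-coding it keeps the rule usable across sandbox versions, with the stated caveat that a report with no benign spawn needs an explicit value.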
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 661KB
MD5: 081479fd083ec172e9a7c23caba03bb1
SHA1: e7cb1abdef3384ca5ac1a31c2c791a84304926e9
SHA256: 707cae5691796c3ebdd8940831948d0e49965e33e4f0384edba8e1969158bd02
SHA512: 261cab6c1c3cdba1783b89a15c3b4c6e3e7bee8a4b129c9c9abf511d35f7f4658fea67a561ce775498a7a9df4311357670119ba67acc1f210830baf8c147a900
(All three download entries on the report carry these same hashes, identical to the submitted sample.)