Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/11/2022, 02:04
Behavioral task: behavioral1
- Sample: 59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23.exe
- Resource: win7-20220901-en
General
- Target: 59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23.exe
- Size: 659KB
- MD5: 4e91146d12250f89a4392770d4e89313
- SHA1: b24be6a2eccfb8c6f7955cd5f6929d44ebcdd13e
- SHA256: 59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23
- SHA512: feb1d1055e14c702c61c41bdcee1c76dcef637abe242a46b56b1547f8a5e2a34225f2562379c785ed040c032d3891e5a003271020d958ed1215b7d00786d1d50
- SSDEEP: 12288:G9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hw:iZ1xuVVjfFoynPaVBUR8f+kN10EBm
Malware Config
Extracted
- Family: darkcomet
- Botnet: Lena
- C2: 94.180.46.70:1604
- Mutex: DC_MUTEX-UA0ZG0W
- Attributes:
  - InstallPath: windlogon.exe
  - gencode: wZvu2vV0X3gE
  - install: true
  - offline_keylogger: true
  - persistence: false
  - reg_key: windlogon
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\windlogon.exe" | 59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23.exe
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | windlogon.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | windlogon.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | windlogon.exe
- Modifies security service (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | windlogon.exe
- Windows security bypass
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | windlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | windlogon.exe
- Disables RegEdit via registry modification (1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | windlogon.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1500 | windlogon.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23.exe
- Windows security modification
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | windlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | windlogon.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windlogon = "C:\\Windows\\system32\\windlogon.exe" | 59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\windlogon.exe | 59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23.exe
  File opened for modification | C:\Windows\SysWOW64\ | 59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23.exe
  File created | C:\Windows\SysWOW64\windlogon.exe | 59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  description | pid | Process
  Both PID 3724 (59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23.exe) and PID 1500 (windlogon.exe) enable the same 24 tokens, in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  1500 | windlogon.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  description | pid | Process | procid_target
  PID 3724 wrote to memory of 1500 | 3724 | 59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23.exe | 80 (3 entries)
  PID 1500 wrote to memory of 3408 | 1500 | windlogon.exe | 81 (22 entries)
- System policy modification (1 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | windlogon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | windlogon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | windlogon.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23.exe"
  PID: 3724
  Signatures:
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\windlogon.exe (depth 2)
    Command line: "C:\Windows\system32\windlogon.exe"
    PID: 1500
    Signatures:
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\notepad.exe (depth 3)
      Command line: notepad
      PID: 3408
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 659KB
  MD5: 4e91146d12250f89a4392770d4e89313
  SHA1: b24be6a2eccfb8c6f7955cd5f6929d44ebcdd13e
  SHA256: 59235141af41313f250d39a900b34389e30acba1bca01465859e0bd7dc5daf23
  SHA512: feb1d1055e14c702c61c41bdcee1c76dcef637abe242a46b56b1547f8a5e2a34225f2562379c785ed040c032d3891e5a003271020d958ed1215b7d00786d1d50