Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

ad4b63444e...66.exe

windows7-x64

10

ad4b63444e...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    184s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/11/2022, 12:38 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe

  • Size

    1.1MB

  • MD5

    647c5dde7a82629ee388904031bfa96b

  • SHA1

    c73b8e712703e770d36b301fcf725fd0e6cb88f2

  • SHA256

    ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66

  • SHA512

    0bc9e989d3a27ef5ed2f1424fab902355c351ac40ecb613cb75a5d60ee295bcfdccd4840bf2f5eb2b15a53acd2cb5a6f37adb6d00e4e80e23268403243dfea5a

  • SSDEEP

    24576:QUKoN0bUxgGa/pfBHDb+y1LXPeCXuLKdsOT:TK1A6ze/KdX

Score
10/10
darkcometisrstealerevasionpersistenceratspywarestealertrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 8 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe
    "C:\Users\Admin\AppData\Local\Temp\ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Local\Temp\ST.EXE
      "C:\Users\Admin\AppData\Local\Temp\ST.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Users\Admin\AppData\Local\Temp\ST.EXE
        /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
        3⤵
        • Executes dropped EXE
        PID:836
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 4
        3⤵
        • Runs ping.exe
        PID:3676
    • C:\Users\Admin\AppData\Local\Temp\MSDCSC\mssdcsc.exe
      "C:\Users\Admin\AppData\Local\Temp\MSDCSC\mssdcsc.exe"
      2⤵
      • Modifies security service
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies security service
        • Windows security bypass
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2332

Network

  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    151.122.125.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    151.122.125.40.in-addr.arpa
    IN PTR
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    14.110.152.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.110.152.52.in-addr.arpa
    IN PTR
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • flag-unknown
    DNS
    tonjo.servegame.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    tonjo.servegame.com
    IN A
    Response
  • 52.168.117.170:443
    322 B
     7
  • 8.252.51.254:80
    322 B
     7
  • 8.253.183.120:80
    322 B
     7
  • 104.80.225.205:443
    322 B
     7
  • 209.197.3.8:80
    322 B
     7
  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    130 B
     244 B
     2
    2

    DNS Request

    tonjo.servegame.com

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    151.122.125.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    151.122.125.40.in-addr.arpa

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    14.110.152.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    14.110.152.52.in-addr.arpa

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

  • 8.8.8.8:53
    tonjo.servegame.com
    dns
    iexplore.exe
    65 B
     122 B
     1
    1

    DNS Request

    tonjo.servegame.com

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSDCSC\mssdcsc.exe
    Filesize

    1.1MB

    MD5

    647c5dde7a82629ee388904031bfa96b

    SHA1

    c73b8e712703e770d36b301fcf725fd0e6cb88f2

    SHA256

    ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66

    SHA512

    0bc9e989d3a27ef5ed2f1424fab902355c351ac40ecb613cb75a5d60ee295bcfdccd4840bf2f5eb2b15a53acd2cb5a6f37adb6d00e4e80e23268403243dfea5a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSDCSC\mssdcsc.exe
    Filesize

    1.1MB

    MD5

    647c5dde7a82629ee388904031bfa96b

    SHA1

    c73b8e712703e770d36b301fcf725fd0e6cb88f2

    SHA256

    ad4b63444e1ab0da9be8923f21494927dc9f6577c0fc268f9bc656fd497d2c66

    SHA512

    0bc9e989d3a27ef5ed2f1424fab902355c351ac40ecb613cb75a5d60ee295bcfdccd4840bf2f5eb2b15a53acd2cb5a6f37adb6d00e4e80e23268403243dfea5a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ST.EXE
    Filesize

    196KB

    MD5

    dc5705be7750d65884d7635861f9cb7d

    SHA1

    98d13661de10e746c3abf2758a61f363168f3b09

    SHA256

    413c860837e089e5a84a5519f6e7310785a47a0a2bbb85f6aa2fd5800edf915f

    SHA512

    daa99d665343bf82e202539f003519af64a9a700e59d3fd299afecbb97cafd8ebf96d276095a0d33f8f0d713ef5f051207eb4357863cf7950a81dc54ad3fc4bf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ST.EXE
    Filesize

    196KB

    MD5

    dc5705be7750d65884d7635861f9cb7d

    SHA1

    98d13661de10e746c3abf2758a61f363168f3b09

    SHA256

    413c860837e089e5a84a5519f6e7310785a47a0a2bbb85f6aa2fd5800edf915f

    SHA512

    daa99d665343bf82e202539f003519af64a9a700e59d3fd299afecbb97cafd8ebf96d276095a0d33f8f0d713ef5f051207eb4357863cf7950a81dc54ad3fc4bf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ST.EXE
    Filesize

    196KB

    MD5

    dc5705be7750d65884d7635861f9cb7d

    SHA1

    98d13661de10e746c3abf2758a61f363168f3b09

    SHA256

    413c860837e089e5a84a5519f6e7310785a47a0a2bbb85f6aa2fd5800edf915f

    SHA512

    daa99d665343bf82e202539f003519af64a9a700e59d3fd299afecbb97cafd8ebf96d276095a0d33f8f0d713ef5f051207eb4357863cf7950a81dc54ad3fc4bf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp.ini
    Filesize

    5B

    MD5

    d1ea279fb5559c020a1b4137dc4de237

    SHA1

    db6f8988af46b56216a6f0daf95ab8c9bdb57400

    SHA256

    fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

    SHA512

    720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

    Download Submit

  • memory/216-152-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/836-144-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/836-143-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/836-142-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/836-139-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/2348-132-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2348-151-0x0000000000400000-0x0000000000518000-memory.dmp

    Filesize

    1.1MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.