Analysis
max time kernel
144s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
27/11/2022, 22:32
Behavioral task
behavioral1
Sample
5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe
Resource
win7-20220812-en
General
Target
5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe
Size
758KB
MD5
984cc506b7124dafeb1a401124d315b7
SHA1
e2938d7c3bfd74179fcb8f0b7e7c79e6c76f0798
SHA256
5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381
SHA512
de2d06123119f1ddea521fecda32130c25904235ee729ec168747f40f3ae9da484a64df67dc2aa7ad579cbab6eeebba325965e1c8d2ba83161660e397879a834
SSDEEP
12288:rXhpvNWw276S/DuoeFcfbmiJ99VPhYR5MTSHvLenELrWv1lZw4JuMkMh/fy452Ul:znAw2WWeFcfbP9VPSPMTSPL/rWvzq4JV
Malware Config
Extracted
Family
darkcomet
Botnet ID
Guest16
C2
blinko.no-ip.biz:1604
Mutex
DC_MUTEX-XEP2LCR
InstallPath
MSDCSC\msdcsc.exe
gencode
Qx6wzbzu70U9
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate
Note that persistence = false does not contradict the Winlogon and Run key entries in the signatures below: the registry autostart follows from install = true with reg_key = MicroUpdate (the Run value written below carries exactly that name), while persistence is a separate DarkComet builder option.
Signatures
Modifies WinLogon for persistence   2 TTPs   1 IoCs
  5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  UserInit is a comma-separated list; appending the dropped msdcsc.exe after the legitimate userinit.exe runs it at every interactive logon.
Modifies firewall policy service   2 TTPs   3 IoCs
  msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
  msdcsc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Windows security bypass
  msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Executes dropped EXE   1 IoCs
  PID 1800 msdcsc.exe
Sets file to hidden   1 TTPs   2 IoCs
  Modifies file attributes to stop it showing in Explorer etc.
  PID 1992 attrib.exe, PID 1104 attrib.exe
Loads dropped DLL   2 IoCs
  PID 2036 5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe (two loads)
Windows security modification
  msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Adds Run key to start application   2 TTPs   1 IoCs
  5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe: Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Enumerates physical storage devices   1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the signature's generic description. The extracted configuration identifies the sample as DarkComet, a RAT, and no file encryption is recorded in this run.
Suspicious behavior: GetForegroundWindowSpam   1 IoCs
  PID 1800 msdcsc.exe
Suspicious use of AdjustPrivilegeToken   46 IoCs
  PID 2036 5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe and PID 1800 msdcsc.exe each enable the same 23 privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names; in winnt.h they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Together the list is the full privilege set of an elevated token on Windows 7, enabled wholesale rather than the single privilege a task needs; that is a blanket enable-all pattern and is not by itself evidence that SeDebugPrivilege or the others were used.
Suspicious use of SetWindowsHookEx   1 IoCs
  PID 1800 msdcsc.exe
  Windows hooks are the standard user-mode keystroke capture route; this matches offline_keylogger = true in the extracted config.
Suspicious use of WriteProcessMemory   20 IoCs
  Each writer/target pair below is logged four times; procid_target in parentheses.
  PID 2036 5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe wrote to memory of PID 1204 (26)
  PID 2036 5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe wrote to memory of PID 1328 (28)
  PID 1204 cmd.exe wrote to memory of PID 1992 (30)
  PID 1328 cmd.exe wrote to memory of PID 1104 (31)
  PID 2036 5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe wrote to memory of PID 1800 (32)
  Every target is a direct child of its writer in the Processes tree, so these writes accompany process creation; no write into a process the sample did not spawn is recorded.
Views/modifies file attributes   1 TTPs   2 IoCs
  PID 1992 attrib.exe, PID 1104 attrib.exe
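As an added example, not tria.ge output and not DarkComet code, the following Python takes the registry-write rows above in the form the report prints them and applies four rules that a hunt over real registry telemetry would use: a Winlogon UserInit value with anything chained after userinit.exe, a Run value pointing into a user profile, a FirewallPolicy EnableFirewall of 0, and a Security Center AntiVirusDisableNotify of 1. The row parser is this example's assumption about the printed format, the ATT&CK technique IDs are the editor's own mapping, and the last input row is a constructed benign control that must not fire.

```python
import re
from dataclasses import dataclass
from typing import List

# Registry-write rows copied from the signature tables of this report, in the
# form they are printed there. The final row is a constructed benign control.
REPORT_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," winlogon.exe',  # constructed control
]

# Assumed row shape: Set value (<type>) <key>\<name> = "<data>" <process>
# The key may contain spaces, so the key group is non-greedy up to ' = "'.
ROW_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')

USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"


@dataclass
class RegWrite:
    kind: str      # str / int as printed
    key: str       # key path without the value name
    name: str      # value name
    data: str      # data with the report's doubled backslashes collapsed
    process: str   # writing process


def parse_row(row: str) -> RegWrite:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    kind, path, data, proc = m.groups()
    key, _, name = path.rpartition("\\")
    return RegWrite(kind, key, name, data.replace("\\\\", "\\"), proc)


def check(w: RegWrite) -> List[str]:
    """Findings for one write. Technique IDs are this example's own mapping."""
    k, n, d = w.key.lower(), w.name.lower(), w.data.lower()
    hits: List[str] = []
    if k.endswith(r"\winlogon") and n == "userinit":
        # UserInit is a comma-separated list; anything beyond userinit.exe runs at logon.
        extra = [p.strip() for p in d.split(",") if p.strip() and p.strip() != USERINIT_DEFAULT]
        if extra:
            hits.append(f"T1547.004 Winlogon UserInit chained to {extra} by {w.process}")
    if k.endswith(r"\currentversion\run") and "\\users\\" in d:
        hits.append(f"T1547.001 Run value {w.name} points into a user profile: {w.data} by {w.process}")
    if "\\firewallpolicy\\" in k and n == "enablefirewall" and d == "0":
        profile = k.rsplit("\\", 1)[-1]
        hits.append(f"T1562.004 host firewall disabled for {profile} by {w.process}")
    if k.endswith(r"\security center") and n == "antivirusdisablenotify" and d == "1":
        hits.append(f"T1562.001 Security Center AV notifications suppressed by {w.process}")
    return hits


def triage(rows: List[str]) -> List[str]:
    findings: List[str] = []
    for row in rows:
        findings.extend(check(parse_row(row)))
    return findings


if __name__ == "__main__":
    for finding in triage(REPORT_IOCS):
        print(finding)
```

Run stand-alone it prints four findings, one per rule, and nothing for the DisableNotifications write or the control row. The UserInit rule deliberately compares the whole list rather than looking for msdcsc.exe by name, so it also catches a different filename appended the same way.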
Processes
1  C:\Users\Admin\AppData\Local\Temp\5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe   PID 2036
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\cmd.exe   PID 1204
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe" +s +h
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\attrib.exe   PID 1992
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp\5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe" +s +h
         - Sets file to hidden
         - Views/modifies file attributes
   2  C:\Windows\SysWOW64\cmd.exe   PID 1328
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\attrib.exe   PID 1104
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
         - Sets file to hidden
         - Views/modifies file attributes
   2  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe   PID 1800
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Modifies firewall policy service
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
The command lines name C:\Windows\System32\cmd.exe while the image path is C:\Windows\SysWOW64\cmd.exe: the sample is 32-bit (arch:x86 above) and WOW64 file system redirection maps System32 to SysWOW64 for it. The two attrib +s +h calls mark the original dropper and its Temp directory system and hidden, and cmd.exe /k keeps each shell alive after attrib exits, which is why the cmd.exe processes outlive their one-line job.
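Added example, not part of the report: the 20 WriteProcessMemory rows in the signatures collapse to five writer/target pairs, each logged four times. This Python groups the rows, rebuilds the process tree from the pairs, and flags any target PID absent from the sandbox's process list, which is what a write into a process the sample did not spawn would look like. The process names come from the Processes tree above; the row regex is this example's assumption about the printed format, and the final input list adds one constructed row (PID 1396, not in the report) so the flag can be seen firing.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

SAMPLE = "5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381.exe"

# The 20 rows of the WriteProcessMemory table in this report; each row is
# printed four times there, hence the repetition.
WPM_ROWS = (
    [f"PID 2036 wrote to memory of 1204 2036 {SAMPLE} 26"] * 4
    + [f"PID 2036 wrote to memory of 1328 2036 {SAMPLE} 28"] * 4
    + ["PID 1204 wrote to memory of 1992 1204 cmd.exe 30"] * 4
    + ["PID 1328 wrote to memory of 1104 1328 cmd.exe 31"] * 4
    + [f"PID 2036 wrote to memory of 1800 2036 {SAMPLE} 32"] * 4
)

# PID -> image name, from the Processes section of this report.
PROCESS_NAMES: Dict[int, str] = {
    2036: SAMPLE, 1204: "cmd.exe", 1328: "cmd.exe",
    1992: "attrib.exe", 1104: "attrib.exe", 1800: "msdcsc.exe",
}

# Constructed, not from the report: one extra write into a PID the sandbox
# never listed, to show what cross-process injection would look like.
CONSTRUCTED_INJECTION = WPM_ROWS + ["PID 1800 wrote to memory of 1396 1800 msdcsc.exe 40"]

# Assumed row shape: PID <writer> wrote to memory of <target> <writer> <image> <procid_target>
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")


def edges(rows: List[str]) -> Counter:
    """(writer_pid, target_pid) -> number of times that row was logged."""
    counts: Counter = Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def render_tree(edge_counts: Counter, names: Dict[int, str], root: int) -> List[str]:
    """Indented tree: each target hangs under the process that wrote to it."""
    children = defaultdict(list)
    for writer, target in edge_counts:
        children[writer].append(target)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{names.get(pid, '?')} (PID {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def unknown_targets(edge_counts: Counter, names: Dict[int, str]) -> List[int]:
    """Target PIDs the process list cannot explain: the injection case."""
    return sorted(t for (_, t) in edge_counts if t not in names)


if __name__ == "__main__":
    e = edges(WPM_ROWS)
    print("\n".join(render_tree(e, PROCESS_NAMES, 2036)))
    print("unexplained targets in the report:", unknown_targets(e, PROCESS_NAMES))
    print("unexplained targets with the constructed row:",
          unknown_targets(edges(CONSTRUCTED_INJECTION), PROCESS_NAMES))
```

For the report's own rows the tree matches the Processes section exactly and the unexplained-target list is empty; only the constructed row produces PID 1396. When reading other reports, a non-empty list is the cue to look at the target process rather than treating the signature as creation noise.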
Network
MITRE ATT&CK Enterprise v6
Downloads
Three artifacts are offered; all three carry the same hashes, which are those of the submitted sample, so each is a byte-identical copy of it.
Filesize
758KB
MD5
984cc506b7124dafeb1a401124d315b7
SHA1
e2938d7c3bfd74179fcb8f0b7e7c79e6c76f0798
SHA256
5e876286f3d2faa79f0627bf9bfd04f12f15fc2716457d308f8083611f8c1381
SHA512
de2d06123119f1ddea521fecda32130c25904235ee729ec168747f40f3ae9da484a64df67dc2aa7ad579cbab6eeebba325965e1c8d2ba83161660e397879a834