Analysis

max time kernel: 256s
max time network: 337s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 01/12/2022, 08:04 (day/month; the analysis image is dated 2022-11-11)
Static task: static1
Behavioral task: behavioral1
Sample: b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe
Resource: win7-20221111-en
General

Target: b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe
Size: 514KB
MD5: db3160e357420f805f554a593171eaf1
SHA1: f7b3bca65953e9f9965634e778c95af250d585c3
SHA256: b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874
SHA512: a3e80b118129f9cd8a2e0eadb186455ce44cf1eeb4f3c292d692922af762702cda0077862e8b1a5c7fcac43d60e2b8a71a2713927870c3c35e34957737528170
SSDEEP: 12288:/YQpuKMf6NF5s/GA34LzKtDzNZbNlZlb5uplce:LuKMf6D54F34LevbNl75uT
Malware Config

Family (extracted config): darkcomet
Botnet/campaign ID: malay
C2 (one host, seven ports):
  myzaki.zapto.org:80
  myzaki.zapto.org:81
  myzaki.zapto.org:82
  myzaki.zapto.org:83
  myzaki.zapto.org:84
  myzaki.zapto.org:85
  myzaki.zapto.org:5050
Mutex: DC_MUTEX-LF08XVX
InstallPath: skype\skype.exe
gencode: krp31zzMQMFc
install: true
offline_keylogger: true
persistence: true
reg_key: Skype
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\skype\\skype.exe" (process: vbc.exe)
  Note: the added UserInit entry names C:\Windows\system32\skype\skype.exe, but the only skype.exe this report shows being created is C:\Windows\SysWOW64\skype\skype.exe (see "Drops file in System32 directory" below). The 32-bit vbc.exe had its System32 write redirected to SysWOW64 by WoW64; winlogon.exe is 64-bit and is not redirected, so on this x64 image the value points at a path the report never shows on disk. The same applies to the HKCU Run\Skype value, which the 64-bit explorer.exe resolves the same way. The sandbox did run skype.exe (PID 1568) only because the 32-bit vbc.exe launched it through the same redirection.

Executes dropped EXE (1 IoC)
  PID 1568 skype.exe

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 432 attrib.exe; PID 1816 attrib.exe

Loads dropped DLL (1 IoC)
  PID 564 vbc.exe

Uses the VBS compiler for execution (1 TTP)
  vbc.exe under C:\Windows\Microsoft.NET\Framework\v2.0.50727 is the Microsoft-signed Visual Basic .NET command-line compiler. The original sample starts it with no arguments and, per the SetThreadContext and WriteProcessMemory entries below, writes into it and changes its thread context before it runs, which is the process-hollowing pattern: the payload then runs under a trusted image name.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win Update = "C:\\Users\\Admin\\AppData\\Roaming\\Win Update.exe" (process: b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Windows\\system32\\skype\\skype.exe" (process: vbc.exe)
  Note: the report records no file write for Win Update.exe, so that Run entry has no matching dropped file in this run.

Drops file in System32 directory (3 IoCs)
  File opened for modification C:\Windows\SysWOW64\skype\ (vbc.exe)
  File created C:\Windows\SysWOW64\skype\skype.exe (vbc.exe)
  File opened for modification C:\Windows\SysWOW64\skype\skype.exe (vbc.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 540 (b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe) set thread context of PID 564 (vbc.exe); procid_target 28

Drops file in Windows directory (2 IoCs)
  File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727 (attrib.exe)
  File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (attrib.exe)
  Note: these are the attrib +s +h calls in the process tree (hiding the compiler and its directory), not new files.

Suspicious use of AdjustPrivilegeToken (23 IoCs)
  PID 564 vbc.exe enabled: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and LUIDs 33, 34 and 35, which the sandbox did not resolve by name (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege in winnt.h).
  Note: this is every privilege present in the token, enabled in LUID order, i.e. an "enable all privileges" loop rather than a request for one specific right; the breadth is the signal, not any single name.

Suspicious use of WriteProcessMemory (51 IoCs)
  The report lists one entry per call; collapsed by (source PID, target PID), with target images taken from the process tree:
  540 (b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe) -> 564 (vbc.exe): 13 writes, procid_target 28
  564 (vbc.exe) -> 1364 (cmd.exe): 4 writes, procid_target 29
  564 (vbc.exe) -> 1820 (cmd.exe): 4 writes, procid_target 31
  564 (vbc.exe) -> 1672 (notepad.exe): 18 writes, procid_target 32
  1364 (cmd.exe) -> 1816 (attrib.exe): 4 writes, procid_target 35
  1820 (cmd.exe) -> 432 (attrib.exe): 4 writes, procid_target 34
  564 (vbc.exe) -> 1568 (skype.exe): 4 writes, procid_target 36
  Note: every ordinary spawn in this run shows exactly 4 parent writes. The two outliers are the hollowing of vbc.exe (13 writes plus SetThreadContext) and notepad.exe, which receives 18 writes from vbc.exe with no SetThreadContext recorded and is therefore a second injection target worth dumping.

Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 432 attrib.exe; PID 1816 attrib.exe
Processes

Image paths under C:\Windows\SysWOW64 paired with a command line that says System32 are WoW64 file-system redirection: the cmd.exe, attrib.exe, notepad.exe and skype.exe children were all launched by a 32-bit parent naming System32.

- b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe (PID 540)
  image: C:\Users\Admin\AppData\Local\Temp\b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe"
  signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - vbc.exe (PID 564)
    image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (no arguments)
    signatures: Modifies WinLogon for persistence; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - cmd.exe (PID 1364)
      image: C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
      signatures: Suspicious use of WriteProcessMemory
      - attrib.exe (PID 1816)
        image: C:\Windows\SysWOW64\attrib.exe
        command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
        signatures: Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
    - cmd.exe (PID 1820)
      image: C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
      signatures: Suspicious use of WriteProcessMemory
      - attrib.exe (PID 432)
        image: C:\Windows\SysWOW64\attrib.exe
        command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        signatures: Sets file to hidden; Drops file in Windows directory; Views/modifies file attributes
    - notepad.exe (PID 1672)
      image: C:\Windows\SysWOW64\notepad.exe
      command line: notepad
      signatures: none; it is the target of 18 WriteProcessMemory calls from vbc.exe (see Signatures)
    - skype.exe (PID 1568)
      image: C:\Windows\SysWOW64\skype\skype.exe
      command line: "C:\Windows\system32\skype\skype.exe"
      signatures: Executes dropped EXE
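The tree above and the WriteProcessMemory/SetThreadContext signatures together separate the one hollowed process (vbc.exe) from the ordinary spawns. The script below is an added example, not code from the tria.ge report or from DarkComet: it parses the report's per-call entries (constructed here one per line, with the report's repeat counts preserved) into one record per (source PID, target PID), then flags a pair as a hollowing candidate when the source both wrote to the target and set its thread context, and as a plain injection candidate when the write count exceeds the spawn baseline. That baseline of four writes is an assumption taken from this report, where every benign spawn shows exactly four; PROCESS_IMAGES is copied from the process tree.

```python
"""Fold a sandbox report's WriteProcessMemory / SetThreadContext entries into
per-pair records and flag hollowing and injection candidates.

Added example (not from the tria.ge report). REPORT_LINES is constructed from
the report's signatures; SPAWN_BASELINE_WRITES is an assumption, see the lead-in.
"""
import re
from collections import defaultdict

SAMPLE = "b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe"

# One line per call, as the report lists them: "PID <src> <op> <dst> <src> <src image> <procid_target>"
REPORT_LINES = (
    [f"PID 540 set thread context of 564 540 {SAMPLE} 28"]
    + [f"PID 540 wrote to memory of 564 540 {SAMPLE} 28"] * 13
    + ["PID 564 wrote to memory of 1364 564 vbc.exe 29"] * 4
    + ["PID 564 wrote to memory of 1820 564 vbc.exe 31"] * 4
    + ["PID 564 wrote to memory of 1672 564 vbc.exe 32"] * 18
    + ["PID 1364 wrote to memory of 1816 1364 cmd.exe 35"] * 4
    + ["PID 1820 wrote to memory of 432 1820 cmd.exe 34"] * 4
    + ["PID 564 wrote to memory of 1568 564 vbc.exe 36"] * 4
)

# PID -> image path, from the report's process tree.
PROCESS_IMAGES = {
    540: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    564: r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
    1364: r"C:\Windows\SysWOW64\cmd.exe",
    1816: r"C:\Windows\SysWOW64\attrib.exe",
    1820: r"C:\Windows\SysWOW64\cmd.exe",
    432: r"C:\Windows\SysWOW64\attrib.exe",
    1672: r"C:\Windows\SysWOW64\notepad.exe",
    1568: r"C:\Windows\SysWOW64\skype\skype.exe",
}

EVENT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) \d+$")

# Assumption drawn from this report: each ordinary child spawn (vbc.exe -> cmd.exe,
# cmd.exe -> attrib.exe) shows exactly four parent writes; more than that is unusual.
SPAWN_BASELINE_WRITES = 4


def summarize(lines):
    """Collapse per-call entries into one record per (source PID, target PID)."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False, "source_image": None})
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a memory/thread-context entry; ignore
        src, op, dst, image = int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)
        rec = pairs[(src, dst)]
        rec["source_image"] = image
        if op.startswith("wrote"):
            rec["writes"] += 1
        else:
            rec["set_context"] = True
    return dict(pairs)


def classify(lines, images):
    """Hollowing = writes plus a thread-context change; injection = writes well
    above the spawn baseline with no context change. Ordinary spawns are dropped."""
    findings = []
    for (src, dst), rec in summarize(lines).items():
        if rec["set_context"]:
            verdict = "process hollowing candidate"
        elif rec["writes"] > SPAWN_BASELINE_WRITES:
            verdict = "memory injection candidate"
        else:
            continue
        target = images.get(dst, "unknown")
        findings.append({
            "source": src, "source_image": rec["source_image"],
            "target": dst, "target_image": target,
            "writes": rec["writes"], "set_context": rec["set_context"],
            # path heuristic only: a dropped file under C:\Windows (skype.exe here) also matches
            "target_under_windows_dir": target.lower().startswith("c:\\windows\\"),
            "verdict": verdict,
        })
    return sorted(findings, key=lambda f: (f["source"], f["target"]))


if __name__ == "__main__":
    for f in classify(REPORT_LINES, PROCESS_IMAGES):
        print(f"{f['verdict']}: {f['source']} -> {f['target']} ({f['target_image']}), "
              f"{f['writes']} writes, SetThreadContext={f['set_context']}")
```

On this report the output is two lines: 540 -> 564 (vbc.exe) as the hollowing candidate with 13 writes, and 564 -> 1672 (notepad.exe) as an injection candidate with 18 writes and no context change; the cmd.exe, attrib.exe and skype.exe spawns fall at the baseline and are not reported. The same fold works on Sysmon or ETW process-access events once the source and target PIDs and the access type are extracted.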
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.1MB
MD5: 34aa912defa18c2c129f1e09d75c1d7e
SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

The report lists this file three times with identical hashes; at 1.1MB it is not a copy of the 514KB submitted sample.