Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    256s
  • max time network
    337s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 08:04

General

  • Target

    b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe

  • Size

    514KB

  • MD5

    db3160e357420f805f554a593171eaf1

  • SHA1

    f7b3bca65953e9f9965634e778c95af250d585c3

  • SHA256

    b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874

  • SHA512

    a3e80b118129f9cd8a2e0eadb186455ce44cf1eeb4f3c292d692922af762702cda0077862e8b1a5c7fcac43d60e2b8a71a2713927870c3c35e34957737528170

  • SSDEEP

    12288:/YQpuKMf6NF5s/GA34LzKtDzNZbNlZlb5uplce:LuKMf6D54F34LevbNl75uT

Malware Config

Extracted

Family

darkcomet

Botnet

malay

C2

myzaki.zapto.org:80

myzaki.zapto.org:81

myzaki.zapto.org:82

myzaki.zapto.org:83

myzaki.zapto.org:84

myzaki.zapto.org:85

myzaki.zapto.org:5050

Mutex

DC_MUTEX-LF08XVX

Attributes
  • InstallPath

    skype\skype.exe

  • gencode

    krp31zzMQMFc

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    Skype

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe
    "C:\Users\Admin\AppData\Local\Temp\b0e16530a02eb2bd0b90e5eea863494c26731980ac3a16bd6727e991e7a48874.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Modifies WinLogon for persistence
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:1816
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1820
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:432
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:1672
        • C:\Windows\SysWOW64\skype\skype.exe
          "C:\Windows\system32\skype\skype.exe"
          3⤵
          • Executes dropped EXE
          PID:1568

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\skype\skype.exe

      Filesize

      1.1MB

      MD5

      34aa912defa18c2c129f1e09d75c1d7e

      SHA1

      9c3046324657505a30ecd9b1fdb46c05bde7d470

      SHA256

      6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

      SHA512

      d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    • C:\Windows\SysWOW64\skype\skype.exe

      Filesize

      1.1MB

      MD5

      34aa912defa18c2c129f1e09d75c1d7e

      SHA1

      9c3046324657505a30ecd9b1fdb46c05bde7d470

      SHA256

      6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

      SHA512

      d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    • \Windows\SysWOW64\skype\skype.exe

      Filesize

      1.1MB

      MD5

      34aa912defa18c2c129f1e09d75c1d7e

      SHA1

      9c3046324657505a30ecd9b1fdb46c05bde7d470

      SHA256

      6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

      SHA512

      d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

    • memory/540-54-0x0000000075551000-0x0000000075553000-memory.dmp

      Filesize

      8KB

    • memory/540-55-0x0000000074420000-0x00000000749CB000-memory.dmp

      Filesize

      5.7MB

    • memory/540-75-0x0000000074420000-0x00000000749CB000-memory.dmp

      Filesize

      5.7MB

    • memory/564-72-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/564-82-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/564-68-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/564-70-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/564-65-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/564-74-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/564-63-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/564-56-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/564-57-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/564-61-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/564-59-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB

    • memory/564-66-0x0000000000400000-0x00000000004B2000-memory.dmp

      Filesize

      712KB