Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

e183e9fadc...82.exe

windows7-x64

10

e183e9fadc...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    212s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e183e9fadca4fb94ecca6406d94af72c20293eb3ede73ed1b9266403bef2e482.exe

  • Size

    916KB

  • MD5

    02a93c181aa787c5b4dd74ac314938f6

  • SHA1

    03d9ce339c557636a74ceda3b9a30ceb36a119df

  • SHA256

    e183e9fadca4fb94ecca6406d94af72c20293eb3ede73ed1b9266403bef2e482

  • SHA512

    0aa5522749923910babf2125748ab1932c5528b9a61ec8182f396727b8a29f330f36683ee0ff3b2c87f9756dc4642d6eab9a43f2d9e0f672373f3dc2e6363f19

  • SSDEEP

    12288:Coro7edR+tBKnB9aji1Wnbl5FA9JUDgGfL29X5XK5czlcYY9t:Coro7edwtwnBgjiGxbk3G1t

Score
10/10
darkcometguest16evasionrattrojanupx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

85.114.21.112:1604

Mutex

DC_MUTEX-GKQEPVA

Attributes
  • gencode

    8jMC0K0T3d3j

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e183e9fadca4fb94ecca6406d94af72c20293eb3ede73ed1b9266403bef2e482.exe
    "C:\Users\Admin\AppData\Local\Temp\e183e9fadca4fb94ecca6406d94af72c20293eb3ede73ed1b9266403bef2e482.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\841801.exe
      C:\Users\Admin\AppData\Local\Temp\841801.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\841801.exe" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:988
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp\841801.exe" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1924
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1560
        • C:\Windows\SysWOW64\attrib.exe
          attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:108
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
          PID:284

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\841801.exe
      Filesize

      349KB

      MD5

      c94801fbe7f3f345b9478118b6b5e4d9

      SHA1

      865de5246382ec56cd9d320a10f74668ad000690

      SHA256

      9809fcdd5ae0f053dca3807ae77f8221da571273930725ab079e32d2673f8c69

      SHA512

      127c34072ec97ab6aed1464f79448ed22da592083eb282233c4c40f2aa948f55b1966a9d85802819357d501e43392f596b0f9f0b1de8965a6e82f34dc1f7108a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\841801.exe
      Filesize

      349KB

      MD5

      c94801fbe7f3f345b9478118b6b5e4d9

      SHA1

      865de5246382ec56cd9d320a10f74668ad000690

      SHA256

      9809fcdd5ae0f053dca3807ae77f8221da571273930725ab079e32d2673f8c69

      SHA512

      127c34072ec97ab6aed1464f79448ed22da592083eb282233c4c40f2aa948f55b1966a9d85802819357d501e43392f596b0f9f0b1de8965a6e82f34dc1f7108a

      Download Submit

    • memory/564-64-0x0000000000400000-0x00000000004E8000-memory.dmp

      Filesize

      928KB

      Download

    • memory/564-59-0x0000000000400000-0x00000000004E8000-memory.dmp

      Filesize

      928KB

      Download

    • memory/564-60-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1188-62-0x0000000000986000-0x00000000009A5000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1188-63-0x0000000000986000-0x00000000009A5000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1188-54-0x000007FEF3F40000-0x000007FEF4963000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/1188-56-0x0000000000986000-0x00000000009A5000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1188-55-0x000007FEF2C60000-0x000007FEF3CF6000-memory.dmp

      Filesize

      16.6MB

      Download