Analysis
- max time kernel: 135s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24/12/2023, 14:53
Behavioral task: behavioral1
- Sample: 0257dd258ba3c33ffa2b3c4beba993fd.exe
- Resource: win7-20231215-en
- 10 signatures
- 150 seconds
General
- Target: 0257dd258ba3c33ffa2b3c4beba993fd.exe
- Size: 650KB
- MD5: 0257dd258ba3c33ffa2b3c4beba993fd
- SHA1: bfb300534eb88a08e6eca1f89c21a62cb907b01f
- SHA256: 04c0c92253e08d5ce6617d8f29a317cf7353412a0fc15a4f804d562e036958d8
- SHA512: ae582cd45713f0691f5bc7e3b58ea12224a87427ebe7a1bdc2eabb573a9010dcf7ab63912490bc9001b22bfb494099df49ec0829fcbb9b7492211ba20ee84fb9
- SSDEEP: 12288:7k0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+Bu:w0QRWoJEfg0oChGdJQbjPbNW5tYeP+GR
Malware Config (extracted)
- Family: darkcomet
- Botnet: Guest16
- C2: 89.230.228.93:100
- Mutex: DC_MUTEX-F54S21D
- Attributes:
  - gencode: jmU3DkRL4vi9
  - install: false
  - offline_keylogger: true
  - persistence: false
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | iexplore.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 0257dd258ba3c33ffa2b3c4beba993fd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 0257dd258ba3c33ffa2b3c4beba993fd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | 0257dd258ba3c33ffa2b3c4beba993fd.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | iexplore.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | iexplore.exe
Modifies security service (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | 0257dd258ba3c33ffa2b3c4beba993fd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | iexplore.exe
Windows security bypass (4 IoCs; the signature heading is missing from this extract and is inferred from the process tree below, where both processes carry this signature)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0257dd258ba3c33ffa2b3c4beba993fd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0257dd258ba3c33ffa2b3c4beba993fd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | iexplore.exe
Windows security modification (2 IoCs; the signature heading is missing from this extract and is inferred from the process tree below, where only the sample process carries this signature)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0257dd258ba3c33ffa2b3c4beba993fd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0257dd258ba3c33ffa2b3c4beba993fd.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1700 set thread context of 1696 | 1700 | 0257dd258ba3c33ffa2b3c4beba993fd.exe | 28
Suspicious use of AdjustPrivilegeToken (46 IoCs)
The 46 entries are the same 23 token privileges recorded once for each process; grouped by process (description | pid | Process):
- PID 1700, 0257dd258ba3c33ffa2b3c4beba993fd.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 1696, iexplore.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1696 | iexplore.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1700 wrote to memory of 1696 | 1700 | 0257dd258ba3c33ffa2b3c4beba993fd.exe | 28
(the same entry is recorded 6 times)
System policy modification (1 TTP, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | 0257dd258ba3c33ffa2b3c4beba993fd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | 0257dd258ba3c33ffa2b3c4beba993fd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | 0257dd258ba3c33ffa2b3c4beba993fd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\0257dd258ba3c33ffa2b3c4beba993fd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0257dd258ba3c33ffa2b3c4beba993fd.exe"
   PID: 1700
   - Modifies firewall policy service
   - Modifies security service
   - Windows security bypass
   - Windows security modification
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   - System policy modification
   2. C:\Program Files (x86)\Internet Explorer\iexplore.exe (child of PID 1700)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 1696
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx