Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 29/12/2023, 21:15
Behavioral task: behavioral1
- Sample: 0431fcc335792f97fe4660c5ba857fa7.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 0431fcc335792f97fe4660c5ba857fa7.exe
- Resource: win10v2004-20231215-en
General
- Target: 0431fcc335792f97fe4660c5ba857fa7.exe
- Size: 659KB
- MD5: 0431fcc335792f97fe4660c5ba857fa7
- SHA1: cc1a5bec1653f1661b3e4185a488d81fb6c97939
- SHA256: 9637eb28918049462e11ed2cd4120331ef2f69fbd0b2fa0161a3677302f3581a
- SHA512: a1118c79ec6a73fb95c07f097c633c6321c10dcac6f480585818eb030bb91a702b2e316573a704ec2dbb2082a87ef3598d7d5d76d8b94ca89a31bb00609c8d29
- SSDEEP: 12288:EX2JVHMRtDaSm3TJvVNvWV5YTsY7tHwbz/htfcoCoK632zb7G/Q0X:Css2Sm39NNv9wY7tHwbzfIoK6Mof
Malware Config
Extracted
- Family: darkcomet
- Botnet ID: Guest16_min
- C2: 127.0.0.1:1604
- Mutex: DCMIN_MUTEX-4P9QREJ
Attributes
- InstallPath: DCSCMIN\IMDCSC.exe
- gencode: aapwobi7GLgZ
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: DarkComet RAT
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- description: Set value (str)
- ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"
- process: 0431fcc335792f97fe4660c5ba857fa7.exe

Executes dropped EXE (1 IoC)
- pid 2524, process IMDCSC.exe

Loads dropped DLL (2 IoCs)
- pid 2928, process 0431fcc335792f97fe4660c5ba857fa7.exe
- pid 2928, process 0431fcc335792f97fe4660c5ba857fa7.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- description: Set value (str)
- ioc: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"
- process: 0431fcc335792f97fe4660c5ba857fa7.exe

Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (46 IoCs)
- pid 2928, process 0431fcc335792f97fe4660c5ba857fa7.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- pid 2524, process IMDCSC.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx (1 IoC)
- pid 2524, process IMDCSC.exe

Suspicious use of WriteProcessMemory (4 IoCs)
- description: PID 2928 wrote to memory of 2524; pid 2928; process 0431fcc335792f97fe4660c5ba857fa7.exe; procid_target 28
- description: PID 2928 wrote to memory of 2524; pid 2928; process 0431fcc335792f97fe4660c5ba857fa7.exe; procid_target 28
- description: PID 2928 wrote to memory of 2524; pid 2928; process 0431fcc335792f97fe4660c5ba857fa7.exe; procid_target 28
- description: PID 2928 wrote to memory of 2524; pid 2928; process 0431fcc335792f97fe4660c5ba857fa7.exe; procid_target 28
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\0431fcc335792f97fe4660c5ba857fa7.exe
- command line: "C:\Users\Admin\AppData\Local\Temp\0431fcc335792f97fe4660c5ba857fa7.exe"
- PID: 2928
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Depth 2 (child of PID 2928): C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
  - command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
  - PID: 2524
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 659KB
- MD5: 0431fcc335792f97fe4660c5ba857fa7
- SHA1: cc1a5bec1653f1661b3e4185a488d81fb6c97939
- SHA256: 9637eb28918049462e11ed2cd4120331ef2f69fbd0b2fa0161a3677302f3581a
- SHA512: a1118c79ec6a73fb95c07f097c633c6321c10dcac6f480585818eb030bb91a702b2e316573a704ec2dbb2082a87ef3598d7d5d76d8b94ca89a31bb00609c8d29