Analysis
max time kernel: 173s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 07:20
Behavioral task: behavioral1
Sample: 11fb758dd3cdc09650445e5527b88e66.exe
Resource: win7-20231129-en
General
Target: 11fb758dd3cdc09650445e5527b88e66.exe
Size: 1.1MB
MD5: 11fb758dd3cdc09650445e5527b88e66
SHA1: 35a122d148139c21185496adf1abb0c63ceba357
SHA256: 41a682da16b22581581ef2353fe9e900be9162609dc89c956addd256b4f9d546
SHA512: cd7f9e76dd23e5f76a6bb45e9d0d6da182a62018697817f892e06a0f0b7d61e5c150947273bdf07f8e71e3e4e3c12343bc3ae5ce48e3be3dd0c531f5aa9fcf4d
SSDEEP: 24576:RVmqz0QRWoJEfg0oChGdJQbjPbNW5tYeP+GF/9YvWmztzWFq:RBAQRV2o3MPY5Aw9YvjzAq
Malware Config
Extracted
Family: darkcomet
Botnet: Trojan_
C2: rubino.zapto.org:1604
Mutex: DC_MUTEX-9E0FYS9
InstallPath: Java.exe
gencode: KHoKmB1jKaxU
install: true
offline_keylogger: true
persistence: true
reg_key: Java
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" TROJAN.EXE
  Winlogon runs every comma-separated entry in UserInit at interactive logon, so the appended Java.exe starts at each logon of any user on the host.
Modifies firewall policy service (2 TTPs, 3 IoCs)
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Java.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" Java.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" Java.exe
Modifies security service (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" Java.exe
  Start = 4 is SERVICE_DISABLED: the Security Center service (wscsvc) will no longer start at boot.

Windows security bypass
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Java.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Java.exe
Disables RegEdit via registry modification (1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Java.exe

Disables Task Manager via registry modification
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation 11fb758dd3cdc09650445e5527b88e66.exe
  Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation TROJAN.EXE
Executes dropped EXE (3 IoCs)
  pid 3684 IDOSER V4.EXE
  pid 2512 TROJAN.EXE
  pid 4856 Java.exe

Windows security modification
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Java.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Java.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" Java.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" TROJAN.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  TROJAN.EXE (pid 2512), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  Java.exe (pid 4856), Token: the same 24 privileges, in the same order
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4856 Java.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4744 wrote to memory of 3684 (pid 4744, 11fb758dd3cdc09650445e5527b88e66.exe, procid_target 94)
  PID 4744 wrote to memory of 3684 (pid 4744, 11fb758dd3cdc09650445e5527b88e66.exe, procid_target 94)
  PID 4744 wrote to memory of 2512 (pid 4744, 11fb758dd3cdc09650445e5527b88e66.exe, procid_target 95)
  PID 4744 wrote to memory of 2512 (pid 4744, 11fb758dd3cdc09650445e5527b88e66.exe, procid_target 95)
  PID 4744 wrote to memory of 2512 (pid 4744, 11fb758dd3cdc09650445e5527b88e66.exe, procid_target 95)
  PID 2512 wrote to memory of 4856 (pid 2512, TROJAN.EXE, procid_target 96)
  PID 2512 wrote to memory of 4856 (pid 2512, TROJAN.EXE, procid_target 96)
  PID 2512 wrote to memory of 4856 (pid 2512, TROJAN.EXE, procid_target 96)
System policy modification (1 TTPs, 3 IoCs)
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern Java.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" Java.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion Java.exe
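The registry writes listed in the signatures above are the whole of this sample's persistence and defense-evasion footprint on the host, and they are the writes a detection engineer would want to recognise in endpoint telemetry. The script below is an added example (it is not part of the tria.ge report and not the output of any tool the report mentions): it parses "Set value" events in the layout the report uses, maps each to the behaviour it represents and to an ATT&CK technique ID (the IDs are the editor's mapping, not the report's), and flags a process that combines several of them, since the UserInit edit, the Run key, the firewall change and the Security Center changes together are a far stronger signal than any one of them alone. The sample events are constructed from this report's IoCs plus two benign writes; the one assumption is one event per line ending with the writing process name.

```python
"""Map registry 'Set value' events (in the layout this report uses) to
DarkComet-style persistence / defense-evasion behaviour.

Added example. Technique IDs are the editor's ATT&CK mapping; the event
lines below are constructed from this report's IoCs plus two benign writes.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed layout: Set value (<type>) <key>\<name> = "<data>" <process>
EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+?)'
    r' = "(?P<data>.*)" (?P<process>\S+)$'
)

# Constructed sample: seven writes taken from this report, then a firewall
# re-enable by svchost.exe and an ordinary Run key by explorer.exe as benign controls.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" TROJAN.EXE
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" Java.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" Java.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Java.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Java.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" Java.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" Java.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" svchost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" explorer.exe
'''


@dataclass(frozen=True)
class Finding:
    process: str
    technique: str   # ATT&CK technique ID (editor's mapping)
    behaviour: str
    key: str
    name: str
    data: str


def parse_event(line):
    """Return the event fields as a dict, or None if the line is not a Set value event."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def _basename(path):
    # Last path component, case-folded; works for the doubled backslashes in the report.
    return path.strip().rsplit('\\', 1)[-1].lower()


def classify(ev):
    """Map one parsed event to a Finding, or None when the write is not one we care about."""
    key, name, data, proc = ev['key'].lower(), ev['name'].lower(), ev['data'], ev['process']

    def hit(technique, why):
        return Finding(proc, technique, why, ev['key'], ev['name'], data)

    if key.endswith('\\currentversion\\winlogon') and name == 'userinit':
        # Anything beyond userinit.exe in the comma-separated list runs at every logon.
        extra = [p.strip() for p in data.split(',') if p.strip() and _basename(p) != 'userinit.exe']
        if extra:
            return hit('T1547.004', 'Winlogon UserInit extended with ' + ', '.join(extra))
    if key.endswith('\\currentversion\\run'):
        return hit('T1547.001', 'Run key %s -> %s' % (ev['name'], data))
    if '\\firewallpolicy\\' in key and name == 'enablefirewall' and data == '0':
        return hit('T1562.004', 'Windows Firewall profile disabled')
    if key.endswith('\\services\\wscsvc') and name == 'start' and data == '4':
        return hit('T1562.001', 'Security Center service (wscsvc) set to SERVICE_DISABLED (4)')
    if key.endswith('\\security center') and name.endswith('disablenotify') and data == '1':
        return hit('T1562.001', 'Security Center notification suppressed: ' + ev['name'])
    if key.endswith('\\policies\\system') and name in ('disableregistrytools', 'disabletaskmgr') and data == '1':
        return hit('T1112', 'User policy set: ' + ev['name'])
    if '\\policies\\' in key and name == 'nocontrolpanel' and data == '1':
        return hit('T1112', 'Explorer policy set: NoControlPanel')
    return None


def scan(text):
    """Run every line through the parser and the rules; unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev:
            f = classify(ev)
            if f:
                findings.append(f)
    return findings


def techniques_by_process(findings):
    out = defaultdict(set)
    for f in findings:
        out[f.process].add(f.technique)
    return {p: sorted(t) for p, t in out.items()}


def suspicious_processes(findings, min_techniques=3):
    """Processes that combine several distinct techniques; a lone Run key is a weak signal."""
    return sorted(p for p, t in techniques_by_process(findings).items() if len(t) >= min_techniques)


if __name__ == '__main__':
    fs = scan(SAMPLE_EVENTS)
    for f in fs:
        print('%-12s %-10s %s' % (f.process, f.technique, f.behaviour))
    print('suspicious:', suspicious_processes(fs))
```

On the sample, explorer.exe's OneDrive Run key and svchost.exe's firewall re-enable produce at most a single weak finding each, while Java.exe accumulates four distinct techniques and is the only process reported as suspicious; the threshold is a starting point to tune against your own telemetry, and a production rule would also key on the written path sitting under AppData\Roaming.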
Processes
C:\Users\Admin\AppData\Local\Temp\11fb758dd3cdc09650445e5527b88e66.exe (PID 4744)
  command line: "C:\Users\Admin\AppData\Local\Temp\11fb758dd3cdc09650445e5527b88e66.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IDOSER V4.EXE (PID 3684, child of 4744)
    command line: "C:\Users\Admin\AppData\Local\Temp\IDOSER V4.EXE"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\TROJAN.EXE (PID 2512, child of 4744)
    command line: "C:\Users\Admin\AppData\Local\Temp\TROJAN.EXE"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Java.exe (PID 4856, child of 2512)
      command line: "C:\Users\Admin\AppData\Roaming\Java.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution, T1547 (2)
  - Registry Run Keys / Startup Folder, T1547.001 (1)
  - Winlogon Helper DLL, T1547.004 (1)
- Create or Modify System Process, T1543 (2)
  - Windows Service, T1543.003 (2)
Downloads

Filesize: 157KB
MD5: cf7dc664d5f00183b920f9001b3cf6a4
SHA1: 248facb4586b68768954c2b6e6947c651b17ea54
SHA256: 3cc66a22f26f6517f52f6efe17f510510e89312a4ff893c71e689abfda26eb4a
SHA512: b47387fa31ddde23154ecb0ad25589cd468b5701320aa3b8f473315eea310c1d4fa351a9dbb7cb658f3707cf092cbb1a95137f6ee902943ddfb32856e9741027

Filesize: 846KB
MD5: c1f94d8462f922748cdbdca166744f3d
SHA1: fa051be7431a989577cea812e93f2a501435c941
SHA256: 4a238fb5aff8e80948017e4e3f4268c2bf6155007192c65c009adb52450ad494
SHA512: 6472a4d983fb779019deb6aa5f444128eda4e17e5600f2a8a1cffedb6a71cfd7cccb61c0f532d1ecb536f8fa2b836633f21e54e214ad0b84a56000acd94cb7a9