Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    230s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2023, 01:56

General

  • Target

    238df395c33b4b139cdfcd48a871b759.exe

  • Size

    911KB

  • MD5

    238df395c33b4b139cdfcd48a871b759

  • SHA1

    b83cb7d627cdcf46a6ed89f68644ef5f2d9ed20f

  • SHA256

    97e81fe572b0b43a79a678e04d1ec5f1c11243087e73708d0a1486eb3cc657ff

  • SHA512

    be3654267d03d6f822497b52e34f3e77bd508d797d7184541528ae893f6784ffa754f040b1cfb46db79a1a9c43e097ca2228d6c180d189886aecc9aede65a8b4

  • SSDEEP

    12288:d8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1r/f:uUKoN0bUxgGa/pfBHDb+y1L

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\238df395c33b4b139cdfcd48a871b759.exe
    "C:\Users\Admin\AppData\Local\Temp\238df395c33b4b139cdfcd48a871b759.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:660
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
          PID:1136
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          3⤵
            PID:2172

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

        Filesize

        911KB

        MD5

        238df395c33b4b139cdfcd48a871b759

        SHA1

        b83cb7d627cdcf46a6ed89f68644ef5f2d9ed20f

        SHA256

        97e81fe572b0b43a79a678e04d1ec5f1c11243087e73708d0a1486eb3cc657ff

        SHA512

        be3654267d03d6f822497b52e34f3e77bd508d797d7184541528ae893f6784ffa754f040b1cfb46db79a1a9c43e097ca2228d6c180d189886aecc9aede65a8b4

      • memory/660-13-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

      • memory/660-16-0x0000000000680000-0x0000000000681000-memory.dmp

        Filesize

        4KB

      • memory/660-18-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

      • memory/2544-0-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

      • memory/2544-1-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

      • memory/2544-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

        Filesize

        4KB

      • memory/2544-14-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB