Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
07/01/2024, 19:11
General
-
Target
a31d59e190008f0a3a2abc334c6ce9f9.exe
-
Size
828KB
-
MD5
a31d59e190008f0a3a2abc334c6ce9f9
-
SHA1
37456e8559512dff814b09f9ca3710517148f8f2
-
SHA256
27e663cc439cf3ff7b2f66260a851c8cf0ea5292d259bd1c22171685017dbd4c
-
SHA512
47bdeb93ec8e8b659d3279c43524b4410bb91fc8b96e6f3a8044f189d91269b9e0d3fa236063f2fc05c12cf73777079f6e84f4b935e8122c095e85e525b49d75
-
SSDEEP
24576:Gqv5LEymyQvPvS8cZTouk1wRhZ2Bq8aChQ:GqBL1AXvA0B1lw8/hQ
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a31d59e190008f0a3a2abc334c6ce9f9.exe"C:\Users\Admin\AppData\Local\Temp\a31d59e190008f0a3a2abc334c6ce9f9.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a31d59e190008f0a3a2abc334c6ce9f9.exe"C:\Users\Admin\AppData\Local\Temp\a31d59e190008f0a3a2abc334c6ce9f9.exe"2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a31d59e190008f0a3a2abc334c6ce9f9.exe"C:\Users\Admin\AppData\Local\Temp\a31d59e190008f0a3a2abc334c6ce9f9.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
-
-
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD5d3af8f9df8885160cc6329de65e34224
SHA10f0b6c6ee924c5ed1714a947def2d2e60cccc667
SHA256141f875f332c20cc90386f9894be244e3c6903a7b1d60561043f21bdb6fb31a5
SHA51261ccc0d9e77b27214b3a200e1107adcd19c3cafb32839a2b36ef4915a142e785d773823a1b82135cd048cd5597495e8633d023cd7b3fc21f19c2c7631361036f
-
Filesize
30KB
MD5e378face4edd2c8ad88e3e691eea204c
SHA1aa85e35f7adb0386a4fb8fe69d53c955678c10fb
SHA256cafcc4279c814a25ff7b772b91bcde400cd82c695e1937b949b8a003dbe8681b
SHA5127523e5af64c2cc57e7b0ee2dbdd3fbfc24c44d3d21c2791a3c1e9f22046dfaf48a290869d472e8ae8655ca6c04d81fa745074181384d99eeb7166e8c7804bd9b
-
Filesize
59KB
MD5dec595c615b0d97dc849cf8c74984a5d
SHA1a6278f2805f925d742b6417baa69f86286a7ac01
SHA2560274d3be9d655b2c990cbdcdd9efb599cb295f00aad48c8300978df767bf07a6
SHA5123add55e923ca7e3b1c9efa8d70ec5ead2eec5a9cd74b10e79683d4f6c6b7e3759c1c0812160217521c4626b014993c3452f31ac7e752212fab6dc53a1a2779bd
-
Filesize
692KB
-
Filesize
692KB
-
Filesize
692KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
4KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
692KB
-
Filesize
692KB
-
Filesize
692KB
-
Filesize
700KB
-
Filesize
4KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB
-
Filesize
700KB