Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

74a9f7ac76...92.exe

windows7-x64

10

74a9f7ac76...92.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/01/2024, 12:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74a9f7ac76250c6eb9d0c674a4249c92.exe

  • Size

    426KB

  • MD5

    74a9f7ac76250c6eb9d0c674a4249c92

  • SHA1

    8c544f4df935bbb9c13e8c88359497f134e47abd

  • SHA256

    45f13c2ef9560816343176cce689c89e8a1fcd48e021b71093b56d19cb3c947b

  • SHA512

    e4476f5c1792f9361ee5f53968b3f1abbd8b012c3f0cc47580565a54b5b41d12edb29aa0cd4fbe5e08e7d20a1175b891c37e58fa908aa5737c84cbb8bbdb2d25

  • SSDEEP

    12288:6Tij6aV7gcz/cWCrR46sYjtyW3Ydi7N0+u21j6c769k:66lNcWCtpsYjtyOwgF1OK6W

Score
10/10
darkcometguest16persistencerattrojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

basel1234.no-ip.biz:81

Mutex

DC_MUTEX-F54S21D

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    LSspVhv0MBT2

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74a9f7ac76250c6eb9d0c674a4249c92.exe
    "C:\Users\Admin\AppData\Local\Temp\74a9f7ac76250c6eb9d0c674a4249c92.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Users\Admin\AppData\Local\Temp\74a9f7ac76250c6eb9d0c674a4249c92.exe
      C:\Users\Admin\AppData\Local\Temp\74a9f7ac76250c6eb9d0c674a4249c92.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1572
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4492

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    322KB

    MD5

    e3f9a509e634ca19dca10f9fca557487

    SHA1

    c0eb5a11164b46dfb22cd9ff40e8450dcc598e07

    SHA256

    608c82bb91e08ce281318c5d8c37d639a175f7b2e1005e3e5fa88e76bf397d4c

    SHA512

    fc37c3660cf739d06df2f7b3aabaf450c0ca267c74d1cdfac18d59ca4bdb638db310a94ea20827891cacd87c3a5c013331a53c921827399bf9849046297f63ec

    Download Submit

  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    373KB

    MD5

    638edd96eee2b0329395478356a06e07

    SHA1

    071f675638ae5b4e90e7b00a6713b35ef6d96b2c

    SHA256

    ecd204067450c4f59f1daa9ef660e679cade9074474222f48c50f78b7c48d4b0

    SHA512

    bfd84a00f47ed6f3216216665c1d627a7f335e0ae59c3697a66ce917704f3ce20498df8d0c36242403bbe401431e17de98f7d189e59f0f2011ceac60b267cbd1

    Download Submit

  • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Filesize

    426KB

    MD5

    74a9f7ac76250c6eb9d0c674a4249c92

    SHA1

    8c544f4df935bbb9c13e8c88359497f134e47abd

    SHA256

    45f13c2ef9560816343176cce689c89e8a1fcd48e021b71093b56d19cb3c947b

    SHA512

    e4476f5c1792f9361ee5f53968b3f1abbd8b012c3f0cc47580565a54b5b41d12edb29aa0cd4fbe5e08e7d20a1175b891c37e58fa908aa5737c84cbb8bbdb2d25

    Download Submit

  • memory/1376-3-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/1376-2-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/1376-4-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/1376-7-0x00000000022D0000-0x00000000022D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1376-6-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/1376-19-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/1572-27-0x0000000000400000-0x00000000006BE000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/4492-29-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-36-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-30-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-31-0x00000000006E0000-0x00000000006E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4492-46-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-32-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-33-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-34-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-35-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-28-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-37-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-38-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-39-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-40-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-41-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-42-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-43-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-44-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4492-45-0x0000000000400000-0x00000000004B4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/5044-5-0x0000000000400000-0x00000000006BE000-memory.dmp

    Filesize

    2.7MB

    Download