Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09/09/2024, 18:43 UTC

General

  • Target

    0ebda2027f478ceb915771aa4536b965e53ae6034160b5649269f62f26897c22.exe

  • Size

    3.9MB

  • MD5

    9e9fd81095efb49820ceb84b69e310ab

  • SHA1

    29dd91a7553c39c0926be884de2d9fde0cefb3a4

  • SHA256

    0ebda2027f478ceb915771aa4536b965e53ae6034160b5649269f62f26897c22

  • SHA512

    1957143abd85d7f0bc04c148f3236ce5317c504d829e68818914e5ec3c710945c065569c2359433f9fb088d147db2cdc25fb126c1786f1baa3845160d9933e5f

  • SSDEEP

    98304:8lX3KMj7yBNUVPhd5G0Z5DxdM3hZpmBAlB6D4tyX6kuT4IkQApCgvms0Cv05J5C+:8lX3KMj7yBNUVPhd5G0Z5DxdM3hZpmB+

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ebda2027f478ceb915771aa4536b965e53ae6034160b5649269f62f26897c22.exe
    "C:\Users\Admin\AppData\Local\Temp\0ebda2027f478ceb915771aa4536b965e53ae6034160b5649269f62f26897c22.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:368
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GBAxh.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:224
    • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      "C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:3240
      • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1572

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    ygo.no-ip.info
    Soundcrd.exe
    Remote address:
    8.8.8.8:53
    Request
    ygo.no-ip.info
    IN A
    Response
    ygo.no-ip.info
    IN A
    94.73.33.36
  • flag-us
    DNS
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.190.18.2.in-addr.arpa
    IN PTR
    Response
    73.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    ygo.no-ip.info
    Soundcrd.exe
    Remote address:
    8.8.8.8:53
    Request
    ygo.no-ip.info
    IN A
    Response
    ygo.no-ip.info
    IN A
    94.73.33.36
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ygo.no-ip.info
    Soundcrd.exe
    Remote address:
    8.8.8.8:53
    Request
    ygo.no-ip.info
    IN A
    Response
    ygo.no-ip.info
    IN A
    94.73.33.36
  • 94.73.33.36:1604
    ygo.no-ip.info
    Soundcrd.exe
    260 B
    5
  • 94.73.33.36:1604
    ygo.no-ip.info
    Soundcrd.exe
    260 B
    5
  • 94.73.33.36:1604
    ygo.no-ip.info
    Soundcrd.exe
    260 B
    5
  • 94.73.33.36:1604
    ygo.no-ip.info
    Soundcrd.exe
    260 B
    5
  • 94.73.33.36:1604
    ygo.no-ip.info
    Soundcrd.exe
    260 B
    5
  • 94.73.33.36:1604
    ygo.no-ip.info
    Soundcrd.exe
    260 B
    5
  • 94.73.33.36:1604
    ygo.no-ip.info
    Soundcrd.exe
    260 B
    5
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    ygo.no-ip.info
    dns
    Soundcrd.exe
    60 B
    76 B
    1
    1

    DNS Request

    ygo.no-ip.info

    DNS Response

    94.73.33.36

  • 8.8.8.8:53
    64.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    64.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    73.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    ygo.no-ip.info
    dns
    Soundcrd.exe
    60 B
    76 B
    1
    1

    DNS Request

    ygo.no-ip.info

    DNS Response

    94.73.33.36

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    ygo.no-ip.info
    dns
    Soundcrd.exe
    60 B
    76 B
    1
    1

    DNS Request

    ygo.no-ip.info

    DNS Response

    94.73.33.36

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GBAxh.txt

    Filesize

    139B

    MD5

    173bcce4810d4901872d0ef4f0bfea4e

    SHA1

    561b03fdfe68b6419fddf57f32e1aab9a6126a2f

    SHA256

    10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d

    SHA512

    2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e

  • C:\Users\Admin\AppData\Roaming\Soundcrd.txt

    Filesize

    3.9MB

    MD5

    1c7b8dcde06ff5fc7f470de42f25e96c

    SHA1

    f90c796dabb9d4be12966f57352515b32937869d

    SHA256

    0978dc3b3a488e497295a5e06e7a436326923bf2a752278d478cfccddf14ace0

    SHA512

    ad87068eb6dee9a4ea9573e91380e3f21abf85274a0bb56e3d31182b1e1e145385855dc16a6878f9dadd00bdfb45cbd9ba4c192347ea4a0029dfb762481e6d50

  • memory/368-0-0x0000000000400000-0x00000000007E8000-memory.dmp

    Filesize

    3.9MB

  • memory/1572-50-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1572-41-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1572-36-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1572-39-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/3240-46-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3240-49-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3240-42-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3240-47-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3240-48-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3240-43-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3240-35-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3240-34-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3240-31-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3240-55-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3240-59-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3240-63-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3240-67-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3240-71-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/3240-75-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB
