Analysis

Max time kernel: 94s
Max time network: 142s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 04/10/2024, 13:49

Static task: static1

Behavioral task: behavioral1
Sample: MW3 Prestige Hack 2012.exe
Resource: win7-20240708-en
General

Target: MW3 Prestige Hack 2012.exe
Size: 1.3MB
MD5: a30160656f3d8b9db8eb21310b2e5009
SHA1: ac74646751f8dbc7bcccac8860e759471e2212c7
SHA256: 78cd2433efcd65d483ea4f7fc78557998832ff2048eaee73ed7e9f4744ae9510
SHA512: 80c81d2048371396629891fb4795f977e6122622b66dbe44f0120e298a1b8a8bf47899a8d35384d8fd21355cc9750751100db8b73c934eb0fc1a98d3f344b24c
SSDEEP: 24576:HhqGVu34oC7sgH2O2Vi5mF3jByDk9n3U6nClYtV7qMcJvv66z35vz17Dh4MA9d:HhqkpWBgk9Dn0YfqMcJH66L5BPhy
Malware Config

Extracted
Family: darkcomet
Botnet: DarkComet
C2: armedpickler1235.no-ip.biz:200
Mutex: DC_MUTEX-4D3WYFP
InstallPath: MSDCSC\msdcsc.exe
gencode: m7kUMvwZgV2P
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | vbc.exe

Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
  pid | Process
  1320 | attrib.exe
  5088 | attrib.exe

Executes dropped EXE (1 IoCs)
  pid | Process
  996 | msdcsc.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | vbc.exe

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 4068 set thread context of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | attrib.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | attrib.exe
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MW3 Prestige Hack 2012.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dw20.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe

Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | vbc.exe

Suspicious use of AdjustPrivilegeToken (28 IoCs)
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege | 4164 | vbc.exe
  Token: SeSecurityPrivilege | 4164 | vbc.exe
  Token: SeTakeOwnershipPrivilege | 4164 | vbc.exe
  Token: SeLoadDriverPrivilege | 4164 | vbc.exe
  Token: SeSystemProfilePrivilege | 4164 | vbc.exe
  Token: SeSystemtimePrivilege | 4164 | vbc.exe
  Token: SeProfSingleProcessPrivilege | 4164 | vbc.exe
  Token: SeIncBasePriorityPrivilege | 4164 | vbc.exe
  Token: SeCreatePagefilePrivilege | 4164 | vbc.exe
  Token: SeBackupPrivilege | 4164 | vbc.exe
  Token: SeRestorePrivilege | 4164 | vbc.exe
  Token: SeRestorePrivilege | 452 | dw20.exe
  Token: SeBackupPrivilege | 452 | dw20.exe
  Token: SeShutdownPrivilege | 4164 | vbc.exe
  Token: SeDebugPrivilege | 4164 | vbc.exe
  Token: SeSystemEnvironmentPrivilege | 4164 | vbc.exe
  Token: SeChangeNotifyPrivilege | 4164 | vbc.exe
  Token: SeRemoteShutdownPrivilege | 4164 | vbc.exe
  Token: SeUndockPrivilege | 4164 | vbc.exe
  Token: SeManageVolumePrivilege | 4164 | vbc.exe
  Token: SeImpersonatePrivilege | 4164 | vbc.exe
  Token: SeCreateGlobalPrivilege | 4164 | vbc.exe
  Token: 33 | 4164 | vbc.exe
  Token: 34 | 4164 | vbc.exe
  Token: 35 | 4164 | vbc.exe
  Token: 36 | 4164 | vbc.exe
  Token: SeBackupPrivilege | 452 | dw20.exe
  Token: SeBackupPrivilege | 452 | dw20.exe

Suspicious use of WriteProcessMemory (32 IoCs)
  description | pid | Process | procid_target
  PID 4068 wrote to memory of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82
  PID 4068 wrote to memory of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82
  PID 4068 wrote to memory of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82
  PID 4068 wrote to memory of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82
  PID 4068 wrote to memory of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82
  PID 4068 wrote to memory of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82
  PID 4068 wrote to memory of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82
  PID 4068 wrote to memory of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82
  PID 4068 wrote to memory of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82
  PID 4068 wrote to memory of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82
  PID 4068 wrote to memory of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82
  PID 4068 wrote to memory of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82
  PID 4068 wrote to memory of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82
  PID 4068 wrote to memory of 4164 | 4068 | MW3 Prestige Hack 2012.exe | 82
  PID 4068 wrote to memory of 452 | 4068 | MW3 Prestige Hack 2012.exe | 83
  PID 4068 wrote to memory of 452 | 4068 | MW3 Prestige Hack 2012.exe | 83
  PID 4068 wrote to memory of 452 | 4068 | MW3 Prestige Hack 2012.exe | 83
  PID 4164 wrote to memory of 5072 | 4164 | vbc.exe | 84
  PID 4164 wrote to memory of 5072 | 4164 | vbc.exe | 84
  PID 4164 wrote to memory of 5072 | 4164 | vbc.exe | 84
  PID 4164 wrote to memory of 3148 | 4164 | vbc.exe | 87
  PID 4164 wrote to memory of 3148 | 4164 | vbc.exe | 87
  PID 4164 wrote to memory of 3148 | 4164 | vbc.exe | 87
  PID 5072 wrote to memory of 1320 | 5072 | cmd.exe | 89
  PID 5072 wrote to memory of 1320 | 5072 | cmd.exe | 89
  PID 5072 wrote to memory of 1320 | 5072 | cmd.exe | 89
  PID 3148 wrote to memory of 5088 | 3148 | cmd.exe | 90
  PID 3148 wrote to memory of 5088 | 3148 | cmd.exe | 90
  PID 3148 wrote to memory of 5088 | 3148 | cmd.exe | 90
  PID 4164 wrote to memory of 996 | 4164 | vbc.exe | 91
  PID 4164 wrote to memory of 996 | 4164 | vbc.exe | 91
  PID 4164 wrote to memory of 996 | 4164 | vbc.exe | 91

Views/modifies file attributes (1 TTPs, 2 IoCs)
  pid | Process
  1320 | attrib.exe
  5088 | attrib.exe
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\MW3 Prestige Hack 2012.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\MW3 Prestige Hack 2012.exe"
    PID: 4068
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    depth 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        PID: 4164
        - Modifies WinLogon for persistence
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        depth 3: C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
            PID: 5072
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            depth 4: C:\Windows\SysWOW64\attrib.exe
                Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
                PID: 1320
                - Sets file to hidden
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Views/modifies file attributes

        depth 3: C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            PID: 3148
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            depth 4: C:\Windows\SysWOW64\attrib.exe
                Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
                PID: 5088
                - Sets file to hidden
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Views/modifies file attributes

        depth 3: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            PID: 996
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

    depth 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        Command line: dw20.exe -x -s 1140
        PID: 452
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (2)
Downloads

Filesize: 1.1MB
MD5: d881de17aa8f2e2c08cbb7b265f928f9
SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34