Resubmissions

19/12/2024, 23:24 UTC

241219-3d5vkssqhy 10

19/12/2024, 23:22 UTC

241219-3cmydasqfs 10

Analysis

  • max time kernel
    8s
  • max time network
    0s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/12/2024, 23:24 UTC

General

  • Target

    b87f0f653890bf6ee2ea43b37bb4d17fe8cbf123db499f85bc1af7cf0f8d3320N.exe

  • Size

    1.1MB

  • MD5

    fc9c22daddb0faf4efba32630d8ccd60

  • SHA1

    2fd72d3d820afb309894e152a5915e9cf404fe44

  • SHA256

    b87f0f653890bf6ee2ea43b37bb4d17fe8cbf123db499f85bc1af7cf0f8d3320

  • SHA512

    3a31183414a64e1d2b64884dc7274cd5d785d2fe689e02a909c1780abd5536bb2f5b129ca4009a5d4504b84ec13c8ef3af1f76345206b638e6a0faf507fddce3

  • SSDEEP

    24576:FL1XNJ7n8+Jbpb4D6F4FqzYaQWVV2QRC7YZ7LHgY:R5Iobpb4D6F4uR1VVxRC7Y7L

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b87f0f653890bf6ee2ea43b37bb4d17fe8cbf123db499f85bc1af7cf0f8d3320N.exe
    "C:\Users\Admin\AppData\Local\Temp\b87f0f653890bf6ee2ea43b37bb4d17fe8cbf123db499f85bc1af7cf0f8d3320N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\win43.exe
      C:\Users\Admin\AppData\Local\Temp\win43.exe
      2⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\system32\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:2884
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.png

    Filesize

    3KB

    MD5

    efebc17099610f529bbbde15b8fabc53

    SHA1

    26df3fb41fbf8db24294e03ff0a97037b8091c8a

    SHA256

    1a8d4eae59854a70d4ada8c0e10d74cff8f798540b813ce7846a2b76a11906f9

    SHA512

    7efb5480e16b96a7b02b90e77ee87375780ab78f6d6b5db16411eee1b3cca5f8329d91760eb0bfb1b87165e7eb8246bc9063de36df877fbdb680d87c5355371b

  • C:\Users\Admin\AppData\Local\Temp\win43.exe

    Filesize

    7KB

    MD5

    d79efb472a22ad75d501317b21e66b5e

    SHA1

    24512f54884d3dda2d803457bbd3dcd513356196

    SHA256

    7255b1d1f001b9d9a5177e1f8063bcc824effe3570e6c19508babe12bb73c7d6

    SHA512

    7c5a2f516a727ddeb05f9a7c6565375debb05709ac9b95212fc748cba37a2ab81b7d727636141096e4511679ce140b07b37fdf36cfb47d8d1c8accdd24163ae5

  • \Windows\SysWOW64\svchost.exe

    Filesize

    20KB

    MD5

    54a47f6b5e09a77e61649109c6a08866

    SHA1

    4af001b3c3816b860660cf2de2c0fd3c1dfb4878

    SHA256

    121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

    SHA512

    88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

  • memory/2608-23-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2608-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2608-25-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2608-36-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2608-20-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2608-19-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2608-17-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2608-16-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2608-14-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2608-13-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2608-12-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2608-10-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2608-28-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2608-30-0x0000000000510000-0x0000000000511000-memory.dmp

    Filesize

    4KB

  • memory/2608-29-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2736-34-0x00000000001E0000-0x00000000001E2000-memory.dmp

    Filesize

    8KB

  • memory/3056-3-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

  • memory/3056-33-0x0000000000A10000-0x0000000000A12000-memory.dmp

    Filesize

    8KB

  • memory/3056-0-0x0000000074DE1000-0x0000000074DE2000-memory.dmp

    Filesize

    4KB

  • memory/3056-39-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB

  • memory/3056-1-0x0000000074DE0000-0x000000007538B000-memory.dmp

    Filesize

    5.7MB
