Analysis

  • max time kernel
    111s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2024, 09:27 UTC

General

  • Target

    3cc196ba98e8ecc881558e08e34f5e8725e58c4bdf0eb2e6ae92c57d900b5673N.exe

  • Size

    574KB

  • MD5

    8d89b6eb98e23ff31ba5e5f72eb499c0

  • SHA1

    17ff0a7d17834418b9302d59971a64502b82baef

  • SHA256

    3cc196ba98e8ecc881558e08e34f5e8725e58c4bdf0eb2e6ae92c57d900b5673

  • SHA512

    5694f08429d1ac73af13e56581c294f71e097f7858ed1c86c8912ccc7eb1dc6b099ffc31fbe23ffca32a422805af289bcebb35a6144a6fc5055d08b4c44a59ca

  • SSDEEP

    12288:zCyEHAWAdljmJqkC3xMX85FSR2f9A08NIX+Vjwd4G/3z1ET4m3Hdsub6:zFhWAfn22m0eD1GPz8Hdxm

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cc196ba98e8ecc881558e08e34f5e8725e58c4bdf0eb2e6ae92c57d900b5673N.exe
    "C:\Users\Admin\AppData\Local\Temp\3cc196ba98e8ecc881558e08e34f5e8725e58c4bdf0eb2e6ae92c57d900b5673N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3408
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dBAxq.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:116
    • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      "C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1776
      • C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        C:\Users\Admin\AppData\Roaming\Soundcrd.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2904

Network

  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    2.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ygo.no-ip.info
    Soundcrd.exe
    Remote address:
    8.8.8.8:53
    Request
    ygo.no-ip.info
    IN A
    Response
    ygo.no-ip.info
    IN A
    94.73.33.36
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    92.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    92.12.20.2.in-addr.arpa
    IN PTR
    Response
    92.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-92.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    92.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    92.12.20.2.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    ygo.no-ip.info
    Soundcrd.exe
    Remote address:
    8.8.8.8:53
    Request
    ygo.no-ip.info
    IN A
    Response
    ygo.no-ip.info
    IN A
    94.73.33.36
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 94.73.33.36:1604
    ygo.no-ip.info
    Soundcrd.exe
    260 B
    5
  • 94.73.33.36:1604
    ygo.no-ip.info
    Soundcrd.exe
    260 B
    5
  • 94.73.33.36:1604
    ygo.no-ip.info
    Soundcrd.exe
    260 B
    5
  • 94.73.33.36:1604
    ygo.no-ip.info
    Soundcrd.exe
    260 B
    5
  • 94.73.33.36:1604
    ygo.no-ip.info
    Soundcrd.exe
    260 B
    5
  • 94.73.33.36:1604
    ygo.no-ip.info
    Soundcrd.exe
    208 B
    4
  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    2.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    ygo.no-ip.info
    dns
    Soundcrd.exe
    60 B
    76 B
    1
    1

    DNS Request

    ygo.no-ip.info

    DNS Response

    94.73.33.36

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    171.39.242.20.in-addr.arpa

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    92.12.20.2.in-addr.arpa
    dns
    138 B
    131 B
    2
    1

    DNS Request

    92.12.20.2.in-addr.arpa

    DNS Request

    92.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    ygo.no-ip.info
    dns
    Soundcrd.exe
    60 B
    76 B
    1
    1

    DNS Request

    ygo.no-ip.info

    DNS Response

    94.73.33.36

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dBAxq.txt

    Filesize

    139B

    MD5

    173bcce4810d4901872d0ef4f0bfea4e

    SHA1

    561b03fdfe68b6419fddf57f32e1aab9a6126a2f

    SHA256

    10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d

    SHA512

    2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e

  • C:\Users\Admin\AppData\Roaming\Soundcrd.txt

    Filesize

    574KB

    MD5

    3f3f78be818b18db8843317868dd513b

    SHA1

    1932eb8f5c1a1d0c9df46cf5f1a1ba94993a0448

    SHA256

    9d94eec82cc8a26c6b05506cf4954c0295e11d404b0ac45146315cf74977327a

    SHA512

    7e3b0077334185824b5c470663628449d7b3bf61b9a24c3fa0c7c1ff54460ca38fdc70734db9dd5f97563b495215f1687c5900c418603b6c4436ec8a11d6ab86

  • memory/1112-43-0x0000000000400000-0x00000000007EA000-memory.dmp

    Filesize

    3.9MB

  • memory/1776-36-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1776-51-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1776-73-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1776-35-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1776-69-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1776-65-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1776-61-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1776-57-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1776-45-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1776-48-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1776-50-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1776-49-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1776-47-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/1776-32-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2904-52-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2904-37-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2904-40-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2904-42-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/3408-29-0x0000000000400000-0x00000000007EA000-memory.dmp

    Filesize

    3.9MB

  • memory/3408-0-0x0000000000400000-0x00000000007EA000-memory.dmp

    Filesize

    3.9MB
