Analysis
- max time kernel: 141s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2024, 00:01
Behavioral task: behavioral1
- Sample: xcgb.exe
- Resource: win7-20241010-en
General
- Target: xcgb.exe
- Size: 745KB
- MD5: c0e4f49d4ea30fe8e04fdba223b44f24
- SHA1: 42d85163e18f35fd435b5f96a0bce10b8336b440
- SHA256: 230351e5b4ee08a6583797d942967b059aec63c32eb26427f45d4ff64701b3fe
- SHA512: 127923ce8310070ef1083b66f92ad5b7faeabb29f2540554fd833e6132d85478f55415344127760f04fe44a7ef8a0acd243d1dec5279510567a4a64777911abc
- SSDEEP: 12288:w8UaT9XY2siA0bMG09xD7I3Gg8ecgVvfBoCDBOQQYbVXpuy1f/gORixB:pUKoN0bUxgGa/pfBHDb+y1HgZ
Malware Config
Signatures
- Darkcomet family
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\darkcomet.exe" (process: xcgb.exe)
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 2916 attrib.exe
  PID 2708 attrib.exe
- Executes dropped EXE (1 IoC)
  PID 3048 darkcomet.exe
- Loads dropped DLL (2 IoCs)
  PID 1600 xcgb.exe
  PID 1600 xcgb.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometInstall = "C:\\Users\\Admin\\Documents\\MSDCSC\\darkcomet.exe" (process: xcgb.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometInstall = "C:\\Users\\Admin\\Documents\\MSDCSC\\darkcomet.exe" (process: darkcomet.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkCometInstall = "C:\\Users\\Admin\\Documents\\MSDCSC\\darkcomet.exe" (process: iexplore.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 3048 darkcomet.exe set thread context of PID 2976 (procid_target 37)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: attrib.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: attrib.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: iexplore.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xcgb.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: darkcomet.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2976 iexplore.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 1600 xcgb.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 3048 darkcomet.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2976 iexplore.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2976 iexplore.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  PID 1600 xcgb.exe wrote to memory of PID 2888 (procid_target 30), 4 entries
  PID 1600 xcgb.exe wrote to memory of PID 2892 (procid_target 31), 4 entries
  PID 1600 xcgb.exe wrote to memory of PID 3048 (procid_target 34), 4 entries
  PID 2892 cmd.exe wrote to memory of PID 2916 (procid_target 35), 4 entries
  PID 2888 cmd.exe wrote to memory of PID 2708 (procid_target 36), 4 entries
  PID 3048 darkcomet.exe wrote to memory of PID 2976 (procid_target 37), 6 entries
- Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 2916 attrib.exe
  PID 2708 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\xcgb.exe (PID 1600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\xcgb.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe (PID 2888)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\xcgb.exe" +s +h
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\attrib.exe (PID 2708)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\xcgb.exe" +s +h
      - Sets file to hidden
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (PID 2892)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\attrib.exe (PID 2916)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
  - C:\Users\Admin\Documents\MSDCSC\darkcomet.exe (PID 3048)
    Command line: "C:\Users\Admin\Documents\MSDCSC\darkcomet.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2976)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (2)