Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 26/01/2025, 14:49
- Static task: static1
- Behavioral task: behavioral1
- Sample: passwtxt.scr
- Resource: win7-20240903-en
General
- Target: passwtxt.scr
- Size: 1.2MB
- MD5: 77ca989ad6e7b03b45fae82a76033687
- SHA1: 0d12fc51c81dc320799daa675ebdf351d46a5573
- SHA256: 6ac3f0bd420b687c360daf61df09899b570d088479d4ba0eb1b934affbed3530
- SHA512: 6280ba36dc01aef0769209669086adb249b0b3db421c7859edef7028bbd65830cbe24aa21f7d36964983dfb9f117fe144556312a27f293e4973d150bb9733c04
- SSDEEP: 24576:iXxU5ks52tv1lETA6FEtDQk7rfunI7gB+M:rYF1lETA6FED7B7gB+M
Malware Config
Extracted: darkcomet
- Guest16
- marins.zapto.org:200
- DC_MUTEX-4P3XX1N
- gencode: aGYevwKbDrua
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Darkcomet family
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)

description | pid | Process | procid_target
PID 1704 set thread context of 2724 | 1704 | passwtxt.scr | 36
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | passwtxt.scr
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 1704 | passwtxt.scr
Token: SeIncreaseQuotaPrivilege | 2724 | vbc.exe
Token: SeSecurityPrivilege | 2724 | vbc.exe
Token: SeTakeOwnershipPrivilege | 2724 | vbc.exe
Token: SeLoadDriverPrivilege | 2724 | vbc.exe
Token: SeSystemProfilePrivilege | 2724 | vbc.exe
Token: SeSystemtimePrivilege | 2724 | vbc.exe
Token: SeProfSingleProcessPrivilege | 2724 | vbc.exe
Token: SeIncBasePriorityPrivilege | 2724 | vbc.exe
Token: SeCreatePagefilePrivilege | 2724 | vbc.exe
Token: SeBackupPrivilege | 2724 | vbc.exe
Token: SeRestorePrivilege | 2724 | vbc.exe
Token: SeShutdownPrivilege | 2724 | vbc.exe
Token: SeDebugPrivilege | 2724 | vbc.exe
Token: SeSystemEnvironmentPrivilege | 2724 | vbc.exe
Token: SeChangeNotifyPrivilege | 2724 | vbc.exe
Token: SeRemoteShutdownPrivilege | 2724 | vbc.exe
Token: SeUndockPrivilege | 2724 | vbc.exe
Token: SeManageVolumePrivilege | 2724 | vbc.exe
Token: SeImpersonatePrivilege | 2724 | vbc.exe
Token: SeCreateGlobalPrivilege | 2724 | vbc.exe
Token: 33 | 2724 | vbc.exe
Token: 34 | 2724 | vbc.exe
Token: 35 | 2724 | vbc.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)

pid | Process
2724 | vbc.exe

- Suspicious use of WriteProcessMemory (29 IoCs)

description | pid | Process | procid_target
PID 1704 wrote to memory of 1672 | 1704 | passwtxt.scr | 30
PID 1704 wrote to memory of 1672 | 1704 | passwtxt.scr | 30
PID 1704 wrote to memory of 1672 | 1704 | passwtxt.scr | 30
PID 1704 wrote to memory of 1672 | 1704 | passwtxt.scr | 30
PID 1672 wrote to memory of 1336 | 1672 | vbc.exe | 32
PID 1672 wrote to memory of 1336 | 1672 | vbc.exe | 32
PID 1672 wrote to memory of 1336 | 1672 | vbc.exe | 32
PID 1672 wrote to memory of 1336 | 1672 | vbc.exe | 32
PID 1704 wrote to memory of 2396 | 1704 | passwtxt.scr | 33
PID 1704 wrote to memory of 2396 | 1704 | passwtxt.scr | 33
PID 1704 wrote to memory of 2396 | 1704 | passwtxt.scr | 33
PID 1704 wrote to memory of 2396 | 1704 | passwtxt.scr | 33
PID 2396 wrote to memory of 1244 | 2396 | vbc.exe | 35
PID 2396 wrote to memory of 1244 | 2396 | vbc.exe | 35
PID 2396 wrote to memory of 1244 | 2396 | vbc.exe | 35
PID 2396 wrote to memory of 1244 | 2396 | vbc.exe | 35
PID 1704 wrote to memory of 2724 | 1704 | passwtxt.scr | 36
PID 1704 wrote to memory of 2724 | 1704 | passwtxt.scr | 36
PID 1704 wrote to memory of 2724 | 1704 | passwtxt.scr | 36
PID 1704 wrote to memory of 2724 | 1704 | passwtxt.scr | 36
PID 1704 wrote to memory of 2724 | 1704 | passwtxt.scr | 36
PID 1704 wrote to memory of 2724 | 1704 | passwtxt.scr | 36
PID 1704 wrote to memory of 2724 | 1704 | passwtxt.scr | 36
PID 1704 wrote to memory of 2724 | 1704 | passwtxt.scr | 36
PID 1704 wrote to memory of 2724 | 1704 | passwtxt.scr | 36
PID 1704 wrote to memory of 2724 | 1704 | passwtxt.scr | 36
PID 1704 wrote to memory of 2724 | 1704 | passwtxt.scr | 36
PID 1704 wrote to memory of 2724 | 1704 | passwtxt.scr | 36
PID 1704 wrote to memory of 2724 | 1704 | passwtxt.scr | 36
Processes (process tree, indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\passwtxt.scr (PID 1704)
Command line: "C:\Users\Admin\AppData\Local\Temp\passwtxt.scr" /S
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1672)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fgpye3fc.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1336)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB93.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBB92.tmp"
        - System Location Discovery: System Language Discovery

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2396)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vgtwsgnu.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1244)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC1F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC1E.tmp"
        - System Location Discovery: System Language Discovery

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2724)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads