Resubmissions
- 05/02/2025, 07:30: 250205-jb9afaxrdl (score 10)
- 05/02/2025, 07:08: 250205-hx7s3axlak (score 10)
- 01/10/2022, 23:07: 221001-235ensceam (score 10)
Analysis
- max time kernel: 120s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 05/02/2025, 07:08
Tasks
All behavioral tasks run the sample 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe.
- static1 (Static task)
- behavioral1 (Behavioral task): resource win7-20240708-en
- behavioral2 (Behavioral task): resource win10v2004-20250129-en
- behavioral3 (Behavioral task): resource android-x64-20240624-en
- behavioral4 (Behavioral task): resource android-33-x64-arm64-20240624-en
- behavioral5 (Behavioral task): resource macos-20241106-en
- behavioral6 (Behavioral task): resource ubuntu1804-amd64-20240611-en
- behavioral7 (Behavioral task): resource debian9-armhf-20240729-en
- behavioral8 (Behavioral task): resource debian9-mipsbe-20240611-en
- behavioral9 (Behavioral task): resource debian9-mipsel-20240226-en
General
- Target: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
- Size: 582KB
- MD5: 6ee8965f23ab498defe80b79ab2ca52c
- SHA1: 0d74605007a81bf44052dcf43385b236d9401c66
- SHA256: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07
- SHA512: 9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3
- SSDEEP: 12288:3w3BadD1/+wudvYWgktZiE0SJObe2HhcduQ6H6fI:GadVpupYWgktZigsS2Haub6
Malware Config
Extracted: darkcomet
- DataProtector13.05.2013
- vierus330.no-ip.org:9751
- DCMIN_MUTEX-P9NPCV7
- gencode: Ch5FEfuRL0mp
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Darkcomet family
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - Set value (str), by reg.exe: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\cmiadapter.exe"
- Executes dropped EXE (3 IoCs)
  - 2700 cmiadapter.exe
  - 2444 PrintConfig.exe
  - 736 cmiadapter.exe
- Loads dropped DLL (3 IoCs)
  - 3044 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  - 2700 cmiadapter.exe
  - 2444 PrintConfig.exe
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 3044 (0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe) set thread context of 3032 (procid_target 30)
  - PID 2444 (PrintConfig.exe) set thread context of 2336 (procid_target 36)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by svchost.exe, cmiadapter.exe, 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe, cmiadapter.exe, svchost.exe, PrintConfig.exe, cmd.exe and reg.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 entries belong to PID 3044 (0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe) and PID 2700 (cmiadapter.exe).
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  - SeDebugPrivilege: 3044 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  - SeDebugPrivilege: 2700 cmiadapter.exe
  - 3032 svchost.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - SeDebugPrivilege: 2444 PrintConfig.exe
  - 2336 svchost.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - SeDebugPrivilege: 736 cmiadapter.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  - 3032 svchost.exe
- Suspicious use of WriteProcessMemory (46 IoCs)
  - PID 3044 (0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe) wrote to memory of 3032 (procid_target 30): 13 entries
  - PID 3044 (0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe) wrote to memory of 2700 (procid_target 31): 4 entries
  - PID 2700 (cmiadapter.exe) wrote to memory of 2480 (procid_target 32): 4 entries
  - PID 2700 (cmiadapter.exe) wrote to memory of 2444 (procid_target 34): 4 entries
  - PID 2480 (cmd.exe) wrote to memory of 1108 (procid_target 35): 4 entries
  - PID 2444 (PrintConfig.exe) wrote to memory of 2336 (procid_target 36): 13 entries
  - PID 2444 (PrintConfig.exe) wrote to memory of 736 (procid_target 37): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe (PID 3044)
  Command line: C:\Users\Admin\AppData\Local\Temp\0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe dsrm -subtree -noprompt -c user"http://+:443"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 3032)
    Command line: "C:\Windows\System32\svchost.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe (PID 2700)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2480)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1108)
        Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
        Signatures: Modifies WinLogon for persistence; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe (PID 2444)
      Command line: "C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe (PID 2336)
        Command line: "C:\Windows\System32\svchost.exe"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe (PID 736)
        Command line: "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 582KB
  MD5: 6ee8965f23ab498defe80b79ab2ca52c
  SHA1: 0d74605007a81bf44052dcf43385b236d9401c66
  SHA256: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07
  SHA512: 9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3
- Filesize: 16KB
  MD5: c6c51cca0adc05ece4e02e83476a50b9
  SHA1: dee0bc2c12ef7e5daec14939556b436d626eff25
  SHA256: af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2
  SHA512: 389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0