Overview

Scores by task (sample 0314ff92c2...07.exe on each platform):
  static              10
  windows7-x64         3
  windows10-2004-x64  10
  android-13-x64      10
  android-13-x64       0
  macos-10.15-amd64    0
  ubuntu-18.04-amd64   0
  debian-9-armhf       0
  debian-9-mips        0
  debian-9-mipsel      0
Resubmissions
  05/02/2025, 07:30  250205-jb9afaxrdl  score 10
  05/02/2025, 07:08  250205-hx7s3axlak  score 10
  01/10/2022, 23:07  221001-235ensceam  score 10

Analysis
- max time kernel: 120s
- max time network: 32s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 05/02/2025, 07:30
Static task
- static1

Behavioral tasks (every task runs sample 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe)
- behavioral1: win7-20241010-en
- behavioral2: win10v2004-20250129-en
- behavioral3: android-33-x64-arm64-20240624-en
- behavioral4: android-33-x64-arm64-20240624-en
- behavioral5: macos-20241101-en
- behavioral6: ubuntu1804-amd64-20240508-en
- behavioral7: debian9-armhf-20240729-en
- behavioral8: debian9-mipsbe-20240611-en
- behavioral9: debian9-mipsel-20240418-en
General
- Target: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
- Size: 582KB
- MD5: 6ee8965f23ab498defe80b79ab2ca52c
- SHA1: 0d74605007a81bf44052dcf43385b236d9401c66
- SHA256: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07
- SHA512: 9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3
- SSDEEP: 12288:3w3BadD1/+wudvYWgktZiE0SJObe2HhcduQ6H6fI:GadVpupYWgktZigsS2Haub6
Malware Config
Extracted
- family: darkcomet
- botnet: DataProtector13.05.2013
- c2: vierus330.no-ip.org:9751
- mutex: DCMIN_MUTEX-P9NPCV7
- gencode: Ch5FEfuRL0mp
- install: false
- offline_keylogger: true
- persistence: false
Signatures
- Darkcomet family
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\cmiadapter.exe" | reg.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  3052 | cmiadapter.exe
  1636 | PrintConfig.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2736 | 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  3052 | cmiadapter.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2736 set thread context of 3024 | 2736 | 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe | 30
  PID 1636 set thread context of 2180 | 1636 | PrintConfig.exe | 36
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmiadapter.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PrintConfig.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; consecutive identical entries collapsed, in report order)
  count | pid | Process
  9  | 2736 | 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  6  | 3052 | cmiadapter.exe
  1  | 2736 | 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  19 | 3052 | cmiadapter.exe
  1  | 2736 | 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  18 | 3052 | cmiadapter.exe
  1  | 2736 | 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  9  | 3052 | cmiadapter.exe
- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2736 | 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe
  Token: SeDebugPrivilege | 3052 | cmiadapter.exe
  Token: SeDebugPrivilege | 1636 | PrintConfig.exe
  The two injected svchost.exe instances (pid 3024, then pid 2180) each adjusted the same 23 tokens, in this order:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3024 | svchost.exe
- Suspicious use of WriteProcessMemory (42 IoCs; consecutive identical entries collapsed, in report order)
  count | description | pid | Process | procid_target
  13 | PID 2736 wrote to memory of 3024 | 2736 | 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe | 30
  4  | PID 2736 wrote to memory of 3052 | 2736 | 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe | 31
  4  | PID 3052 wrote to memory of 1420 | 3052 | cmiadapter.exe | 32
  4  | PID 3052 wrote to memory of 1636 | 3052 | cmiadapter.exe | 34
  4  | PID 1420 wrote to memory of 1788 | 1420 | cmd.exe | 35
  13 | PID 1636 wrote to memory of 2180 | 1636 | PrintConfig.exe | 36
Processes
- C:\Users\Admin\AppData\Local\Temp\0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe (PID 2736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07.exe" dsrm -subtree -noprompt -c user"http://+:443"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 3024)
    Command line: "C:\Windows\System32\svchost.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe (PID 3052)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1420)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1788)
        Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
        Signatures: Modifies WinLogon for persistence; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe (PID 1636)
      Command line: "C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe (PID 2180)
        Command line: "C:\Windows\System32\svchost.exe"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16KB
  MD5: c6c51cca0adc05ece4e02e83476a50b9
  SHA1: dee0bc2c12ef7e5daec14939556b436d626eff25
  SHA256: af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2
  SHA512: 389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0
- Filesize: 582KB
  MD5: 6ee8965f23ab498defe80b79ab2ca52c
  SHA1: 0d74605007a81bf44052dcf43385b236d9401c66
  SHA256: 0314ff92c271ae0a6a2c0d8d166fa32e0bd0f5625a2013a8fe7c8e9247102b07
  SHA512: 9a2461be0b72addcff49e91bdb030a12a2de3ce21125b0fc1061f906c3c4790ebf3ea9495c87d24aa5c4e6619b5f558738346fe102f8bc3278c4431557f969d3