Analysis
max time kernel: 149s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/02/2025, 01:42
Static task: static1
Behavioral task: behavioral1
  Sample: FacebookHacked/FacebookHackv2.2.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: FacebookHacked/FacebookHackv2.2.exe
  Resource: win10v2004-20250129-en
General
Target: FacebookHacked/FacebookHackv2.2.exe
Size: 4.1MB
MD5: 4bca334a69c17d69c2aeb7d9cc633b7b
SHA1: cf6dfeed77cfef2cee73f32aa6f67a36182ee61c
SHA256: 21b0d20a1d399102e301d31d8eee3ff7c3c21eb2e650358be715c40fbe595cd6
SHA512: ae03461bbccd013f6d71befbe83fea3206f66d0d5bb0877a484fdd810604791dc70040a8678efd28f22fd525128f26fd409f05f50667414bcdc975107563b29f
SSDEEP: 24576:pvRq+x3lWY20zFni/Kep61glV93e0JeL+bxDaYZu9db43Iqs8pw2woGDsY7PB+2G:H1/FSp61+/esa4o9vi835KH
Malware Config
Extracted: darkcomet
Virus
administrator.redirectme.net:1604
DC_MUTEX-MTS8GLL
gencode: Ke3DAwXqc98j
install: false
offline_keylogger: true
persistence: false
Signatures
Blackshades
Blackshades is a remote access trojan with various capabilities.
Blackshades family
Blackshades payload 23 IoCs
Darkcomet family
Modifies firewall policy service 3 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\7CVPP5QO9A.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7CVPP5QO9A.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\7CVPP5QO9A.exe = "C:\\Users\\Admin\\AppData\\Roaming\\7CVPP5QO9A.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Executes dropped EXE 2 IoCs
pid | Process
788 | 7CVPP5QO9A.EXE
2784 | FACEBOOKHACKV2.EXE
Loads dropped DLL 3 IoCs
pid | Process
2236 | vbc.exe
2236 | vbc.exe
2236 | vbc.exe
Uses the VBS compiler for execution 1 TTPs
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2204 set thread context of 2236 | 2204 | FacebookHackv2.2.exe | 31
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FacebookHackv2.2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7CVPP5QO9A.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FACEBOOKHACKV2.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Modifies registry key 1 TTPs 4 IoCs
pid | Process
2912 | reg.exe
2736 | reg.exe
2740 | reg.exe
2300 | reg.exe
Suspicious use of AdjustPrivilegeToken 58 IoCs
description | pid | Process
Tokens requested by vbc.exe (pid 2236), 23 entries: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Tokens requested by 7CVPP5QO9A.EXE (pid 788), 35 entries: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
788 | 7CVPP5QO9A.EXE
788 | 7CVPP5QO9A.EXE
788 | 7CVPP5QO9A.EXE
788 | 7CVPP5QO9A.EXE
2236 | vbc.exe
Suspicious use of WriteProcessMemory 53 IoCs
description | pid | Process | procid_target | count
PID 2204 wrote to memory of 2236 | 2204 | FacebookHackv2.2.exe | 31 | 13
PID 2236 wrote to memory of 788 | 2236 | vbc.exe | 32 | 4
PID 2236 wrote to memory of 2784 | 2236 | vbc.exe | 33 | 4
PID 788 wrote to memory of 2672 | 788 | 7CVPP5QO9A.EXE | 34 | 4
PID 788 wrote to memory of 2724 | 788 | 7CVPP5QO9A.EXE | 35 | 4
PID 788 wrote to memory of 2692 | 788 | 7CVPP5QO9A.EXE | 36 | 4
PID 788 wrote to memory of 2824 | 788 | 7CVPP5QO9A.EXE | 38 | 4
PID 2724 wrote to memory of 2912 | 2724 | cmd.exe | 42 | 4
PID 2692 wrote to memory of 2300 | 2692 | cmd.exe | 43 | 4
PID 2824 wrote to memory of 2740 | 2824 | cmd.exe | 44 | 4
PID 2672 wrote to memory of 2736 | 2672 | cmd.exe | 45 | 4
Processes
[1] C:\Users\Admin\AppData\Local\Temp\FacebookHacked\FacebookHackv2.2.exe (PID 2204)
    Command: "C:\Users\Admin\AppData\Local\Temp\FacebookHacked\FacebookHackv2.2.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2236)
      Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7CVPP5QO9A.EXE (PID 788)
        Command: "C:\Users\Admin\AppData\Local\Temp\7CVPP5QO9A.EXE"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2672)
          Command: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe (PID 2736)
            Command: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2724)
          Command: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\7CVPP5QO9A.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7CVPP5QO9A.exe:*:Enabled:Windows Messanger" /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe (PID 2912)
            Command: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\7CVPP5QO9A.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7CVPP5QO9A.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2692)
          Command: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe (PID 2300)
            Command: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2824)
          Command: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\7CVPP5QO9A.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7CVPP5QO9A.exe:*:Enabled:Windows Messanger" /f
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe (PID 2740)
            Command: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\7CVPP5QO9A.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7CVPP5QO9A.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key
    [3] C:\Users\Admin\AppData\Local\Temp\FACEBOOKHACKV2.EXE (PID 2784)
        Command: "C:\Users\Admin\AppData\Local\Temp\FACEBOOKHACKV2.EXE"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 448KB
MD5: a3024f35423851dd369ca51c7f299fff
SHA1: 12c8399316c3663a23d33b3031a45c646598e03e
SHA256: 65b6381e8a4be0ed252d6e4ac37a691d43e225b7db777cde92d59de054a8682f
SHA512: 2ce463ee05f83cffe2389ff57c8129aac5783640a46cd580f37c91ff9be9321a41c5b469ec569a4751657f17d7c1b4b07f088203ba47959e0ef0d488b5897f5e

Filesize: 1.5MB
MD5: 20f87e338177f18e6a47c8be1934069c
SHA1: 5116ef19273b49bcb3a9c67cb83128391cf2b9e4
SHA256: 70bc57942080488abe4a4cb1d2310e49a0ba6b52cd28ec7782375fe3dcad2753
SHA512: e42a8d3d487b1b6bfaa00aee90b407c6bf8caef75288efd8079b7cc6bc6305eb56ff52252720829b1f74e04d3c143ae6501ce497150179a72d0bfb3df3bef60f