Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/02/2025, 01:42

General

  • Target

    FacebookHacked/FacebookHackv2.2.exe

  • Size

    4.1MB

  • MD5

    4bca334a69c17d69c2aeb7d9cc633b7b

  • SHA1

    cf6dfeed77cfef2cee73f32aa6f67a36182ee61c

  • SHA256

    21b0d20a1d399102e301d31d8eee3ff7c3c21eb2e650358be715c40fbe595cd6

  • SHA512

    ae03461bbccd013f6d71befbe83fea3206f66d0d5bb0877a484fdd810604791dc70040a8678efd28f22fd525128f26fd409f05f50667414bcdc975107563b29f

  • SSDEEP

    24576:pvRq+x3lWY20zFni/Kep61glV93e0JeL+bxDaYZu9db43Iqs8pw2woGDsY7PB+2G:H1/FSp61+/esa4o9vi835KH

Malware Config

Extracted

Family

darkcomet

Botnet

Virus

C2

administrator.redirectme.net:1604

Mutex

DC_MUTEX-MTS8GLL

Attributes
  • gencode

    Ke3DAwXqc98j

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 23 IoCs
  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FacebookHacked\FacebookHackv2.2.exe
    "C:\Users\Admin\AppData\Local\Temp\FacebookHacked\FacebookHackv2.2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Users\Admin\AppData\Local\Temp\7CVPP5QO9A.EXE
        "C:\Users\Admin\AppData\Local\Temp\7CVPP5QO9A.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:788
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2736
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\7CVPP5QO9A.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7CVPP5QO9A.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\7CVPP5QO9A.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7CVPP5QO9A.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2912
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2300
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\7CVPP5QO9A.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7CVPP5QO9A.exe:*:Enabled:Windows Messanger" /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2824
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\7CVPP5QO9A.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\7CVPP5QO9A.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2740
      • C:\Users\Admin\AppData\Local\Temp\FACEBOOKHACKV2.EXE
        "C:\Users\Admin\AppData\Local\Temp\FACEBOOKHACKV2.EXE"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\7CVPP5QO9A.EXE

    Filesize

    448KB

    MD5

    a3024f35423851dd369ca51c7f299fff

    SHA1

    12c8399316c3663a23d33b3031a45c646598e03e

    SHA256

    65b6381e8a4be0ed252d6e4ac37a691d43e225b7db777cde92d59de054a8682f

    SHA512

    2ce463ee05f83cffe2389ff57c8129aac5783640a46cd580f37c91ff9be9321a41c5b469ec569a4751657f17d7c1b4b07f088203ba47959e0ef0d488b5897f5e

  • \Users\Admin\AppData\Local\Temp\FACEBOOKHACKV2.EXE

    Filesize

    1.5MB

    MD5

    20f87e338177f18e6a47c8be1934069c

    SHA1

    5116ef19273b49bcb3a9c67cb83128391cf2b9e4

    SHA256

    70bc57942080488abe4a4cb1d2310e49a0ba6b52cd28ec7782375fe3dcad2753

    SHA512

    e42a8d3d487b1b6bfaa00aee90b407c6bf8caef75288efd8079b7cc6bc6305eb56ff52252720829b1f74e04d3c143ae6501ce497150179a72d0bfb3df3bef60f

  • memory/2204-0-0x00000000748F1000-0x00000000748F2000-memory.dmp

    Filesize

    4KB

  • memory/2204-1-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2204-2-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2204-15-0x00000000748F0000-0x0000000074E9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2236-17-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-41-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-16-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-13-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-10-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-9-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-14-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-7-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-6-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-4-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-3-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-8-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-5-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-62-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-42-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2236-43-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-44-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-45-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-46-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-48-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-49-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-50-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-52-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-53-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-54-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-55-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-57-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-58-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-60-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2236-61-0x0000000000400000-0x00000000006A0000-memory.dmp

    Filesize

    2.6MB

  • memory/2784-40-0x0000000000F50000-0x00000000010D2000-memory.dmp

    Filesize

    1.5MB