Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

HEUR-Troja...7d.exe

windows7-x64

10

HEUR-Troja...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    34s
  • max time network
    36s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    04/01/2023, 11:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe

  • Size

    768KB

  • MD5

    ca77b734327afb186e37d78d948034e8

  • SHA1

    73d0f64044802166bf6c3ca982a3f5ba5405c81e

  • SHA256

    b12fbaf6b6ba8add5b7d2f86c8dc9020e087a164b7a022c0058dd397754352f4

  • SHA512

    d03b22bca2262f4acd8054c419dac9af28f33b90950104bed89cf2e35419f373f0d306e8a08532eab2c99e2d11bec0093c38fd1040a78e063225948b4add7050

  • SSDEEP

    12288:kr9okJ1XGTNrrxqFcT7K2p+CMWOvE+LKxPSRwqTqHjgL2NdLwQmhJSGwHDkP:C9rqJS2AxZWp5Hj8oOFQD8

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe
    "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Generic-b12fbaf6b6ba8add5b7d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Local\Temp\Adobe_Premiere_Pro_2020.exe
      "C:\Users\Admin\AppData\Local\Temp\Adobe_Premiere_Pro_2020.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1340
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\FUJZXaGbfikh3OCtrxlc1i.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\HrklzIU7CdwrqnHUZC.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1716
          • C:\Users\Admin\AppData\Roaming\Adobe\security.exe
            "C:\Users\Admin\AppData\Roaming\Adobe\security.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1816
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\services.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:1748
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\catsrvut\smss.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:524
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\write\explorer.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:1084
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\C_10000\conhost.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:1860
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:1684
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "lsass" /sc ONLOGON /tr "'C:\PerfLogs\Admin\lsass.exe'" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:552
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kAVfEdbB67.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:328
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                  PID:892
                • C:\Windows\system32\PING.EXE
                  ping -n 5 localhost
                  7⤵
                  • Runs ping.exe
                  PID:1888
                • C:\Windows\System32\C_10000\conhost.exe
                  "C:\Windows\System32\C_10000\conhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1604

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Adobe_Premiere_Pro_2020.exe
      Filesize

      1.4MB

      MD5

      153febc7dc9b8e2841a3a4c0c3ac3205

      SHA1

      38528c2c7e19b1246f4f9a420f05d8be3477876e

      SHA256

      cba167b92f87576189504d235e3681496e01fe2a1f090e071a932fda99cb6a5c

      SHA512

      022a6e7c0adeccace5b87ca7d87ba9b695903c5e9a754b9f493991a6c23de1e284c14137fbf266b2a8a50a667025b10b2c4288d6a4d43a064ff006d6984cfbc3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Adobe_Premiere_Pro_2020.exe
      Filesize

      1.4MB

      MD5

      153febc7dc9b8e2841a3a4c0c3ac3205

      SHA1

      38528c2c7e19b1246f4f9a420f05d8be3477876e

      SHA256

      cba167b92f87576189504d235e3681496e01fe2a1f090e071a932fda99cb6a5c

      SHA512

      022a6e7c0adeccace5b87ca7d87ba9b695903c5e9a754b9f493991a6c23de1e284c14137fbf266b2a8a50a667025b10b2c4288d6a4d43a064ff006d6984cfbc3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\kAVfEdbB67.bat
      Filesize

      205B

      MD5

      9389edf1e97cbb671bc399dc7e2a2b18

      SHA1

      f74e44ea2714db0f739771b0c61739da2176d9e8

      SHA256

      effb87d56804a1039a19cd44a0c3939393050c667ac7b4927ce87b33a566daa7

      SHA512

      0f031d2b005bc8ee75398ade5115c84b97d11536cd5b575b4d147d81d947b6b6c5dd971bbfd68026dc810a97f3c36ee66ba863dfb25cb9c13e91beddc26aac8f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Adobe\FUJZXaGbfikh3OCtrxlc1i.vbe
      Filesize

      207B

      MD5

      a2902a89edcfaefd1cf9464f23264397

      SHA1

      4e452cd28c8b743d0b927f6d8103fed171a549d5

      SHA256

      abd9ed2ebc502da8269778d3b45dd29d2c4ef78fcc5e3e8dd232905cb9625c68

      SHA512

      0db2e9d21164cdb4e824686f39cb4850fdbc8f72dcfd3f3bf73353074e4694a70c04356ce9ffea21e37381388c07943cd489c49a23738ae9a32e4473884dcd55

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Adobe\HrklzIU7CdwrqnHUZC.bat
      Filesize

      30B

      MD5

      987b91a43f4d58b9931af8a8d2d60532

      SHA1

      290b57275dc95a8244d3aab2e76ef5944e64c5d6

      SHA256

      2dafbed48a9bd344ee01d84d4ed7c5e9bc6e271f616e6b16aa0e858ef551472c

      SHA512

      a217b91040d8f1eb67c3092292a6db5da21214b04b8e2d2d5bd13677f84d5552b4fc42710a40915f71db54983b33d83d74e4e1144c6a60cf56d08391c351ceb1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Adobe\security.exe
      Filesize

      1.1MB

      MD5

      1fe77d2dfb4e5fa383357b76151e6863

      SHA1

      f4d111e26144d496f75ed22139a65513112b125c

      SHA256

      7bb8413b750f8fdd1a58122e11c3fda79b71593f6081f59209981f120180f0b2

      SHA512

      a3829d3683ed5afa341777531e8c24e73d8e506af1eee0904c44404d5d6bb7008b5b1d595af93ab7d9d75e8360fa46eff000621c43c6259364c5653b6f70b4ac

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Adobe\security.exe
      Filesize

      1.1MB

      MD5

      1fe77d2dfb4e5fa383357b76151e6863

      SHA1

      f4d111e26144d496f75ed22139a65513112b125c

      SHA256

      7bb8413b750f8fdd1a58122e11c3fda79b71593f6081f59209981f120180f0b2

      SHA512

      a3829d3683ed5afa341777531e8c24e73d8e506af1eee0904c44404d5d6bb7008b5b1d595af93ab7d9d75e8360fa46eff000621c43c6259364c5653b6f70b4ac

      Download Submit

    • C:\Windows\System32\C_10000\conhost.exe
      Filesize

      1.1MB

      MD5

      1fe77d2dfb4e5fa383357b76151e6863

      SHA1

      f4d111e26144d496f75ed22139a65513112b125c

      SHA256

      7bb8413b750f8fdd1a58122e11c3fda79b71593f6081f59209981f120180f0b2

      SHA512

      a3829d3683ed5afa341777531e8c24e73d8e506af1eee0904c44404d5d6bb7008b5b1d595af93ab7d9d75e8360fa46eff000621c43c6259364c5653b6f70b4ac

      Download Submit

    • C:\Windows\System32\C_10000\conhost.exe
      Filesize

      1.1MB

      MD5

      1fe77d2dfb4e5fa383357b76151e6863

      SHA1

      f4d111e26144d496f75ed22139a65513112b125c

      SHA256

      7bb8413b750f8fdd1a58122e11c3fda79b71593f6081f59209981f120180f0b2

      SHA512

      a3829d3683ed5afa341777531e8c24e73d8e506af1eee0904c44404d5d6bb7008b5b1d595af93ab7d9d75e8360fa46eff000621c43c6259364c5653b6f70b4ac

      Download Submit

    • \Users\Admin\AppData\Roaming\Adobe\security.exe
      Filesize

      1.1MB

      MD5

      1fe77d2dfb4e5fa383357b76151e6863

      SHA1

      f4d111e26144d496f75ed22139a65513112b125c

      SHA256

      7bb8413b750f8fdd1a58122e11c3fda79b71593f6081f59209981f120180f0b2

      SHA512

      a3829d3683ed5afa341777531e8c24e73d8e506af1eee0904c44404d5d6bb7008b5b1d595af93ab7d9d75e8360fa46eff000621c43c6259364c5653b6f70b4ac

      Download Submit

    • memory/1340-58-0x0000000075611000-0x0000000075613000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1576-55-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1576-54-0x0000000000B80000-0x0000000000C46000-memory.dmp

      Filesize

      792KB

      Download

    • memory/1604-83-0x0000000000030000-0x0000000000150000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1816-69-0x0000000000F00000-0x0000000001020000-memory.dmp

      Filesize

      1.1MB

      Download