Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

667774c9b0...70.exe

windows7-x64

10

667774c9b0...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    22/08/2023, 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70.exe

  • Size

    1.2MB

  • MD5

    30fb1e6f54d2d81cd464b46419bf35ef

  • SHA1

    9934996cb195555caef91b39255167f9064601b3

  • SHA256

    667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70

  • SHA512

    5ab7e6db122be392b1352d22a0a78a8a52677f9f51d5d3c792a55b02eafe3c8190f401c7b0cfd32f45cfb98fd000e84b48ed1043789ab6e4743c2a1e4e30a36a

  • SSDEEP

    24576:vDlrXK5PNnTnjuOqfrOB9lKB2go1CAA0aN09OTFjQt+kPcT:7cbn+O/8B2vCAuN09OTGt

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70.exe
    "C:\Users\Admin\AppData\Local\Temp\667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70.exe
      "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Contacts\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Contacts\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\assembly\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2356
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\de-DE\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppPatch\de-DE\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\de-DE\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ShellNew\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b706" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b706" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\a60d4a02-20f1-11ee-b5a9-e92b09c817f3\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\a60d4a02-20f1-11ee-b5a9-e92b09c817f3\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\a60d4a02-20f1-11ee-b5a9-e92b09c817f3\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70.exe
    Filesize

    1.2MB

    MD5

    30fb1e6f54d2d81cd464b46419bf35ef

    SHA1

    9934996cb195555caef91b39255167f9064601b3

    SHA256

    667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70

    SHA512

    5ab7e6db122be392b1352d22a0a78a8a52677f9f51d5d3c792a55b02eafe3c8190f401c7b0cfd32f45cfb98fd000e84b48ed1043789ab6e4743c2a1e4e30a36a

    Download Submit

  • C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70.exe
    Filesize

    1.2MB

    MD5

    30fb1e6f54d2d81cd464b46419bf35ef

    SHA1

    9934996cb195555caef91b39255167f9064601b3

    SHA256

    667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70

    SHA512

    5ab7e6db122be392b1352d22a0a78a8a52677f9f51d5d3c792a55b02eafe3c8190f401c7b0cfd32f45cfb98fd000e84b48ed1043789ab6e4743c2a1e4e30a36a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab10B5.tmp
    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar10F7.tmp
    Filesize

    164KB

    MD5

    4ff65ad929cd9a367680e0e5b1c08166

    SHA1

    c0af0d4396bd1f15c45f39d3b849ba444233b3a2

    SHA256

    c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

    SHA512

    f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

    Download Submit

  • C:\Windows\assembly\System.exe
    Filesize

    1.2MB

    MD5

    30fb1e6f54d2d81cd464b46419bf35ef

    SHA1

    9934996cb195555caef91b39255167f9064601b3

    SHA256

    667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70

    SHA512

    5ab7e6db122be392b1352d22a0a78a8a52677f9f51d5d3c792a55b02eafe3c8190f401c7b0cfd32f45cfb98fd000e84b48ed1043789ab6e4743c2a1e4e30a36a

    Download Submit

  • memory/1732-58-0x00000000002F0000-0x0000000000306000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1732-57-0x00000000002D0000-0x00000000002EC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1732-60-0x0000000000310000-0x0000000000318000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1732-54-0x00000000012C0000-0x00000000013F8000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1732-59-0x0000000000240000-0x000000000024E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1732-93-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1732-55-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1732-56-0x000000001AEF0000-0x000000001AF70000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1804-91-0x00000000011F0000-0x0000000001328000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1804-95-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1804-92-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1804-94-0x000000001B1B0000-0x000000001B230000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1804-148-0x000000001B1B0000-0x000000001B230000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1804-203-0x000007FEF5190000-0x000007FEF5B7C000-memory.dmp

    Filesize

    9.9MB

    Download