Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

667774c9b0...70.exe

windows7-x64

10

667774c9b0...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/08/2023, 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70.exe

  • Size

    1.2MB

  • MD5

    30fb1e6f54d2d81cd464b46419bf35ef

  • SHA1

    9934996cb195555caef91b39255167f9064601b3

  • SHA256

    667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70

  • SHA512

    5ab7e6db122be392b1352d22a0a78a8a52677f9f51d5d3c792a55b02eafe3c8190f401c7b0cfd32f45cfb98fd000e84b48ed1043789ab6e4743c2a1e4e30a36a

  • SSDEEP

    24576:vDlrXK5PNnTnjuOqfrOB9lKB2go1CAA0aN09OTFjQt+kPcT:7cbn+O/8B2vCAuN09OTGt

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70.exe
    "C:\Users\Admin\AppData\Local\Temp\667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rrmz8zjfkA.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3792
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4356
        • C:\Windows\ServiceProfiles\LocalService\Music\fontdrvhost.exe
          "C:\Windows\ServiceProfiles\LocalService\Music\fontdrvhost.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4132
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2024
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\LocalService\Music\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1120
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Music\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5080
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\LocalService\Music\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1836
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\sysmon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3416
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4764

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Rrmz8zjfkA.bat
      Filesize

      226B

      MD5

      195b5dd1383eca1f7b3eba8c7ac6727f

      SHA1

      f603ed75c3426bc824622b709500d6e1c766f8ba

      SHA256

      76fd6ed3c328a8baa47ff30b83b3a2135565b95dec398744f5160f72d8e9ce46

      SHA512

      21f09802a0580a9365627d5a2eb06cdd7b43804f921716e50fdca95af5b602dd843f24a12d1775823f508e8c6d114d6dd6c824ffa37d8dd5fb27f5d259e90997

      Download Submit

    • C:\Windows\ServiceProfiles\LocalService\Music\fontdrvhost.exe
      Filesize

      1.2MB

      MD5

      30fb1e6f54d2d81cd464b46419bf35ef

      SHA1

      9934996cb195555caef91b39255167f9064601b3

      SHA256

      667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70

      SHA512

      5ab7e6db122be392b1352d22a0a78a8a52677f9f51d5d3c792a55b02eafe3c8190f401c7b0cfd32f45cfb98fd000e84b48ed1043789ab6e4743c2a1e4e30a36a

      Download Submit

    • C:\Windows\ServiceProfiles\LocalService\Music\fontdrvhost.exe
      Filesize

      1.2MB

      MD5

      30fb1e6f54d2d81cd464b46419bf35ef

      SHA1

      9934996cb195555caef91b39255167f9064601b3

      SHA256

      667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70

      SHA512

      5ab7e6db122be392b1352d22a0a78a8a52677f9f51d5d3c792a55b02eafe3c8190f401c7b0cfd32f45cfb98fd000e84b48ed1043789ab6e4743c2a1e4e30a36a

      Download Submit

    • C:\Windows\ServiceProfiles\LocalService\Music\fontdrvhost.exe
      Filesize

      1.2MB

      MD5

      30fb1e6f54d2d81cd464b46419bf35ef

      SHA1

      9934996cb195555caef91b39255167f9064601b3

      SHA256

      667774c9b0aa4bfeb3932e3702636520e50dbf291252614a30bd9d2be0dd0b70

      SHA512

      5ab7e6db122be392b1352d22a0a78a8a52677f9f51d5d3c792a55b02eafe3c8190f401c7b0cfd32f45cfb98fd000e84b48ed1043789ab6e4743c2a1e4e30a36a

      Download Submit

    • memory/4132-155-0x00007FFEEA3D0000-0x00007FFEEAE91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4132-156-0x000000001B900000-0x000000001B910000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4132-157-0x00007FFEEA3D0000-0x00007FFEEAE91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4132-159-0x00007FFEEA3D0000-0x00007FFEEAE91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4876-150-0x00007FFEEAE00000-0x00007FFEEB8C1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4876-136-0x000000001C120000-0x000000001C170000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4876-135-0x0000000003040000-0x0000000003050000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4876-134-0x00007FFEEAE00000-0x00007FFEEB8C1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4876-133-0x0000000000D30000-0x0000000000E68000-memory.dmp

      Filesize

      1.2MB

      Download