Analysis

  Max time kernel:   118s
  Max time network:  122s
  Platform:          windows7_x64
  Resource:          win7-20231025-en
  Resource tags:     arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
  Submitted:         19/11/2023, 12:58
Tasks

  Static task static1
  Behavioral task behavioral1
    Sample:   85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe
    Resource: win7-20231025-en
  Behavioral task behavioral2
    Sample:   85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe
    Resource: win10v2004-20231023-en
General

  Target:  85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe
  Size:    2.0MB
  MD5:     30187293127241c047ea7582cb3ba925
  SHA1:    70e9d100311fcfd66e344f8a71bc1e019c3de94e
  SHA256:  85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867
  SHA512:  54f3a665d89e760f012847756ffdae0727af0617e67ae3aad59f76ce6e1e7c67ce20f52203237453a7d21f5f175f9c98281075fb182b29af4a1538312e3abd04
  SSDEEP:  49152:nILNq8KKtRL4wk8UGHZF1ljvfvQAzjsKMvojOCIoBEScdD:nxKtRL47iPljJfsKDN7aScl
Malware Config

Signatures

  DcRat
    DarkCrystal (DC) is a .NET RAT active since June 2019 and capable of loading additional plugins.
    YARA rule matches (resource / memory region / rule):
      behavioral1/memory/2860-16-0x0000000000400000-0x00000000004B6000-memory.dmp  dcrat
      behavioral1/memory/2860-17-0x0000000000400000-0x00000000004B6000-memory.dmp  dcrat
      behavioral1/memory/2860-19-0x0000000000400000-0x00000000004B6000-memory.dmp  dcrat
      behavioral1/memory/2860-21-0x0000000000400000-0x00000000004B6000-memory.dmp  dcrat
      behavioral1/memory/2860-23-0x0000000000400000-0x00000000004B6000-memory.dmp  dcrat
      behavioral1/memory/2860-47-0x0000000004BD0000-0x0000000004C10000-memory.dmp  dcrat

  Executes dropped EXE (1 IoC)
    PID 2924  Yammi_Loader.exe

  Suspicious use of SetThreadContext (1 IoC)
    PID 2924 (Yammi_Loader.exe) set thread context of PID 2860 (target procid 32)

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  Suspicious behavior: EnumeratesProcesses (12 IoCs)
    PID 2860  AppLaunch.exe  (12 identical entries)

  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Token: SeDebugPrivilege  PID 2860  AppLaunch.exe

  Suspicious use of WriteProcessMemory (34 IoCs; identical entries collapsed, count in parentheses)
    PID 1980 (85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe) wrote to memory of PID 2924, target procid 28  (x4)
    PID 2924 (Yammi_Loader.exe) wrote to memory of PID 2860, target procid 32  (x12)
    PID 2860 (AppLaunch.exe) wrote to memory of PID 1224, target procid 34  (x7)
    PID 1224 (cmd.exe) wrote to memory of PID 764, target procid 36  (x7)
    PID 764 (w32tm.exe) wrote to memory of PID 548, target procid 37  (x4)
Processes (process tree; depth shown by indentation)

  1. C:\Users\Admin\AppData\Local\Temp\85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe  (PID 1980)
     Command line: "C:\Users\Admin\AppData\Local\Temp\85e2f958f1c6843f13f7dfedf4b907168d91f33828ad4d220f9e6022c3945867.exe"
     - Suspicious use of WriteProcessMemory

     2. C:\Yammi_Loader.exe  (PID 2924)
        Command line: "C:\Yammi_Loader.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 2860)
           Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory

           4. C:\Windows\SysWOW64\cmd.exe  (PID 1224)
              Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\n34s4lmFbW.bat" "
              - Suspicious use of WriteProcessMemory

              5. C:\Windows\SysWOW64\w32tm.exe  (PID 764)
                 Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                 - Suspicious use of WriteProcessMemory

                 6. C:\Windows\system32\w32tm.exe  (PID 548)
                    Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
MITRE ATT&CK Enterprise v15
Downloads (duplicate entries removed)

  File 1
    Filesize: 228B
    MD5:      c49a2e8de0f6d8a14ac8804c605bef75
    SHA1:     c7b69325d296a310cab7d3e09e837a46f69dfd59
    SHA256:   b874ed4c85d7f4743a92d3fca2472f1c800092002a80f4be4c58ad200f781d57
    SHA512:   5b639cfa6440546ddfc4df556f5f0acec13ea2876ded99259386181b11046db0a3d00ca9c034845894eeede00de843ad96441c9f2004a01e67d34d036197b177

  File 2
    Filesize: 1.7MB
    MD5:      c91f1703dc916f794558bf40b5eab38a
    SHA1:     c020666495cb42db82515abae7cf35ca419636e9
    SHA256:   7bb4158925b3b225dbc69d2befa9cd3f9afe5ef6cf71fb581879e9df5659c5b6
    SHA512:   e345c1b4c4249cb8bc69d661564bfe9da8ee860f23e48d10d09256cd215483caf5b144040d490d43846d70e8e872b8b730dc134eda357a4e2a80991a435a6699