Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

52e0c29496...3e.exe

windows7-x64

10

52e0c29496...3e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    11/01/2024, 07:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    52e0c294963f6cd10e3104901c936a3e.exe

  • Size

    2.0MB

  • MD5

    52e0c294963f6cd10e3104901c936a3e

  • SHA1

    fa78c9a910b904cfc412cef1b422934243f6f0ff

  • SHA256

    77d8062a27308c826de456d4e430ebcfb9315f87ae792bb23d8f21365c8b4fe7

  • SHA512

    972bb0dbd66f984c41b64c09ff84fef138714929b13db0f03ca2e5257d92664dcf4fcf6d7e6fc99894b664bb9acbbbe5598787a2d10bf4e8d074dfd0487c5f3b

  • SSDEEP

    49152:n0Le0UIxHI38h4kbJA9GOErel2MaHBKljpsREsSSUOmLY5sVQQ:ChJsIJAIMnaHBKcRoOusQ

Score
10/10
dcratevasioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\52e0c294963f6cd10e3104901c936a3e.exe
    "C:\Users\Admin\AppData\Local\Temp\52e0c294963f6cd10e3104901c936a3e.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\52e0c294963f6cd10e3104901c936a3e.exe
      "C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\52e0c294963f6cd10e3104901c936a3e.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\msvcp140_codecvt_ids\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "52e0c294963f6cd10e3104901c936a3e" /sc ONLOGON /tr "'C:\Windows\CSC\52e0c294963f6cd10e3104901c936a3e.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "52e0c294963f6cd10e3104901c936a3e" /sc ONLOGON /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\52e0c294963f6cd10e3104901c936a3e.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\winrs\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Documents and Settings\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "52e0c294963f6cd10e3104901c936a3e" /sc ONLOGON /tr "'C:\ProgramData\Templates\52e0c294963f6cd10e3104901c936a3e.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\52e0c294963f6cd10e3104901c936a3e.exe
    Filesize

    251KB

    MD5

    039c0b09a18b2a673474d94c33c07f8f

    SHA1

    5fce11a083396c33e4865b626bc3faf1264ce138

    SHA256

    47b4506510d4d7537cbfce050a6e6df797cca00a01730a49d823e9337dcdf31e

    SHA512

    ae0dcc78cc20f873a6fe0cfe02ad01b0e8fa81534fa87468473147f235630ef786cc58b37cc554ab71363d4fd2fb31d47193542289a2283a6f7f8a19ad26e88c

    Download Submit

  • C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\52e0c294963f6cd10e3104901c936a3e.exe
    Filesize

    45KB

    MD5

    b55264ced55df93a668adfd4f23ff6d1

    SHA1

    11c24874e21b7080d265e2d1571588e88f49a6c5

    SHA256

    c3ed713d90c68fdda20a521f64e0263a74b327072d2b802c7146221d8bf98021

    SHA512

    6933fd9e4203be71a761cb87136fca76d012f34a8bbce85e143f650ab6725a30ec05bc20f0f9e09f7d6a9f7cc1837d5ed38ad99ba40b06c34a309e856a81f067

    Download Submit

  • C:\Users\audiodg.exe
    Filesize

    1.4MB

    MD5

    8d8a4a83184fe72c917f411c43599bac

    SHA1

    57b4038efc7fea813781601e0eec23d98fdcb1b4

    SHA256

    345af5aa8670dbe09720214694ee66bcb20c74666bc25b3133a9a5952235f8ce

    SHA512

    ab6385d8defc3f6ec9ec6472e24b425bae8b79e417abbab73cda7becef45b491d0a7d275dc9dc9cf05bc9e7367f1c4164a2d5cc9406c18e70fd5e2cf2a2bc142

    Download Submit

  • \Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\52e0c294963f6cd10e3104901c936a3e.exe
    Filesize

    296KB

    MD5

    9e11470d492063a353d3d5733eee1422

    SHA1

    97490cd66ba5a46f90ffffafa469d987f707a195

    SHA256

    0cb822f308eebc408078fde406e03886716737ba47b82317ad04d7d969cfb885

    SHA512

    b5ad69ae3c6923089f63061e63d49b905dd00a71b796be849971ddf941db49dc79a9f03aa92486e1d514d05e639e9b6e9d9c2cccaa7bf9dc549052c5e249152e

    Download Submit

  • \Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\52e0c294963f6cd10e3104901c936a3e.exe
    Filesize

    314KB

    MD5

    efa37baf697451ed3b7d949a7acd2fcb

    SHA1

    56e4b9905799a1f5dc8883691a6afcc7987fdcdf

    SHA256

    afc4835eeb5186800e1971346e1f1087608996621ed326bc2c5bf239c3a6aa4c

    SHA512

    2e5bbfb9575e41743cac01d60fe5573f821d8843603db90f69edccf391de936b02f70e20c2f4dc2eafc6fa307458e86e4bc3ea81b719efda853efac04d099eee

    Download Submit

  • memory/2040-61-0x0000000074BD0000-0x0000000074BE7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2040-66-0x0000000074A90000-0x0000000074A9E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2040-8-0x0000000074C20000-0x0000000074CA0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2040-7-0x0000000075250000-0x000000007531C000-memory.dmp

    Filesize

    816KB

    Download

  • memory/2040-9-0x0000000077080000-0x0000000077170000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2040-10-0x0000000074BD0000-0x0000000074BE7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2040-11-0x0000000004AE0000-0x0000000004B20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2040-12-0x0000000074BC0000-0x0000000074BCB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2040-15-0x0000000075120000-0x00000000751A3000-memory.dmp

    Filesize

    524KB

    Download

  • memory/2040-16-0x0000000074A90000-0x0000000074A9E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2040-17-0x0000000000390000-0x00000000007E2000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/2040-21-0x0000000074E30000-0x0000000074E7A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2040-20-0x0000000073C80000-0x0000000073C8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2040-19-0x0000000073C40000-0x0000000073C4F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2040-18-0x0000000073CF0000-0x0000000073D07000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2040-4-0x0000000000390000-0x00000000007E2000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/2040-44-0x00000000060B0000-0x0000000006502000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/2040-5-0x0000000074380000-0x0000000074A6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2040-45-0x00000000060B0000-0x0000000006502000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/2040-48-0x0000000073C80000-0x0000000073C8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2040-3-0x0000000074DA0000-0x0000000074DA9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2040-2-0x0000000074E30000-0x0000000074E7A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2040-49-0x0000000074DA0000-0x0000000074DA9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2040-50-0x0000000074E30000-0x0000000074E7A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2040-1-0x0000000077580000-0x0000000077582000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2040-54-0x0000000074380000-0x0000000074A6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2040-53-0x0000000075250000-0x000000007531C000-memory.dmp

    Filesize

    816KB

    Download

  • memory/2040-51-0x0000000077080000-0x0000000077170000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2040-55-0x0000000074C20000-0x0000000074CA0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2040-59-0x0000000074380000-0x0000000074A6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2040-6-0x0000000000390000-0x00000000007E2000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/2040-63-0x0000000074BC0000-0x0000000074BCB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2040-0-0x0000000000390000-0x00000000007E2000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/2040-64-0x0000000073CF0000-0x0000000073D07000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2040-68-0x0000000075120000-0x00000000751A3000-memory.dmp

    Filesize

    524KB

    Download

  • memory/2040-70-0x0000000073C40000-0x0000000073C4F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2040-72-0x0000000000390000-0x00000000007E2000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/2908-89-0x0000000000A50000-0x0000000000EA2000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/2908-83-0x0000000074BD0000-0x0000000074BE7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2908-69-0x0000000075250000-0x000000007531C000-memory.dmp

    Filesize

    816KB

    Download

  • memory/2908-77-0x0000000073D00000-0x0000000073D58000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2908-60-0x0000000000A50000-0x0000000000EA2000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/2908-67-0x0000000074C20000-0x0000000074CA0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2908-62-0x0000000074380000-0x0000000074A6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2908-58-0x0000000074DA0000-0x0000000074DA9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2908-57-0x0000000000A50000-0x0000000000EA2000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/2908-56-0x0000000074E30000-0x0000000074E7A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2908-46-0x0000000000A50000-0x0000000000EA2000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/2908-79-0x0000000073C30000-0x0000000073C3E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2908-73-0x0000000000920000-0x0000000000960000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2908-74-0x0000000074BC0000-0x0000000074BCB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2908-71-0x0000000074BD0000-0x0000000074BE7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/2908-78-0x0000000075AC0000-0x0000000075AE7000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2908-76-0x0000000074A90000-0x0000000074A9D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2908-87-0x0000000073C30000-0x0000000073C3E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2908-88-0x0000000077080000-0x0000000077170000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2908-86-0x0000000075250000-0x000000007531C000-memory.dmp

    Filesize

    816KB

    Download

  • memory/2908-85-0x0000000074C20000-0x0000000074CA0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2908-90-0x0000000073DE0000-0x0000000073E32000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2908-75-0x0000000073DE0000-0x0000000073E32000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2908-84-0x0000000074BC0000-0x0000000074BCB000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2908-65-0x0000000077080000-0x0000000077170000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2908-82-0x0000000074DA0000-0x0000000074DA9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2908-81-0x0000000074E30000-0x0000000074E7A000-memory.dmp

    Filesize

    296KB

    Download