Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    13/05/2024, 12:21

General

  • Target

    2768c63cfbffae59b6c2c5483e804d14.exe

  • Size

    1.1MB

  • MD5

    2768c63cfbffae59b6c2c5483e804d14

  • SHA1

    a577f6aa123f1b641a780ef4cf205b73c2b2bfc3

  • SHA256

    ff50267ebed21e418f8469347853e57ddf373c68db52b8ce2019377a731bd0a4

  • SHA512

    7ae59899ac9d77e98f5f52e2eeee350bade1aab284fc65bb64ba1ff605a8c7148ae535b8b69bb0fedfde6449becd87b5a0678ce241414d54b7b759c36dd0da04

  • SSDEEP

    24576:U2G/nvxW3Ww0tkAyVPwER/v6Yq9/zI2SV6/6ODpvdcKRWksjQ:UbA30kAyRwE332SV6XDzRLs0

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2768c63cfbffae59b6c2c5483e804d14.exe
    "C:\Users\Admin\AppData\Local\Temp\2768c63cfbffae59b6c2c5483e804d14.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\portMonitor\7qmHZrFz6PlKEeySf7g6q7bPLdDi.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\portMonitor\1iRUSp.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\portMonitor\MsRuntimeperf.exe
          "C:\portMonitor\MsRuntimeperf.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Windows\de-DE\services.exe
            "C:\Windows\de-DE\services.exe"
            5⤵
            • Executes dropped EXE
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\portMonitor\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\portMonitor\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\portMonitor\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\db\bin\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\portMonitor\1iRUSp.bat

    Filesize

    34B

    MD5

    e7d861bf32c0cfdce43a988f7624094b

    SHA1

    ce94364c1662056c36487d1ad2a3910d60295567

    SHA256

    bf1a6596c9cb4f855e364b1b2f4e065d3c3db14814e4cb933a45dc1929604bab

    SHA512

    f4e9116284beb83c4b459f386fb1cb2573769c937082a3dd1efb5ebf73693e9ad03be4cb691476720d8a7841b29aea1bd8f57e7070e15baf293c0683dc553f04

  • C:\portMonitor\7qmHZrFz6PlKEeySf7g6q7bPLdDi.vbe

    Filesize

    194B

    MD5

    549bfbdf4b94348d8d90e99da8c2251e

    SHA1

    5a137b4eca702e1154f27729b4bd4de2e66e7562

    SHA256

    3d992a2df8f78acb01aacd43662b8ef67810149dd6c40b96f5d88ce9ba8e215e

    SHA512

    c3a5f93b0dde2d1a00133e22014d7b3b8d59c2780b426429d9fa98d3e32e66d6697de50af714b3375d82034f77feba7b90336b8d44767a2eaacd77129dc13793

  • \portMonitor\MsRuntimeperf.exe

    Filesize

    828KB

    MD5

    4168f956abf60ffe49acc17b2544866f

    SHA1

    92c00da15b67c3fbc23a74198b1220c55dc56fec

    SHA256

    19ad2d50f71214129742f9e3901ee595f760b36d5cac676911c3ee0ec7c6546d

    SHA512

    938a4e85094d517e0ca9ef96edd2dfef75accd5d7546da44a921be023dcd066fcab51688b1f7036f67f7dcd3d0e7aedafccc58abee2b22c15da1bb05ec002a0e

  • memory/2000-30-0x0000000000310000-0x00000000003E6000-memory.dmp

    Filesize

    856KB

  • memory/2744-13-0x0000000001310000-0x00000000013E6000-memory.dmp

    Filesize

    856KB