
Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/05/2024, 01:41 UTC

General

  • Target

    bad45d09789c95015bbf8d9a3733e8b7e40cc215ab97258851808ee8f966ae28.exe

  • Size

    1.4MB

  • MD5

    89d86264b05d675db5fcc733a279abcd

  • SHA1

    661d7cc4d3f431af464d783a1b8f8e5b0914169f

  • SHA256

    bad45d09789c95015bbf8d9a3733e8b7e40cc215ab97258851808ee8f966ae28

  • SHA512

    f88e69a4d61065c8721f68dc27d75baba80d4350769060bafde0f1ebc06e148ee68405d5feee256603e8db657c7bbca47e2da0ced30b024729ba64d55bfe5049

  • SSDEEP

    24576:fnIJJ+4fNiVf796C5evM2ShdH+t0+lDC8KlxcfOFGNMzxv8x:EJXEft72Set7AIXMzB8

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bad45d09789c95015bbf8d9a3733e8b7e40cc215ab97258851808ee8f966ae28.exe
    "C:\Users\Admin\AppData\Local\Temp\bad45d09789c95015bbf8d9a3733e8b7e40cc215ab97258851808ee8f966ae28.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:2192

Network

  • US
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • US
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De89v3L0E5XR_1eLs7wBIRLFjVUCUxeqcQAMz_2hEhb-IR84-eMtctFxyoQkHp1HjEICpGK721qa_YiQDfuiLy94pKcJCjpEJ_1lgI47v9UKsR5g4koOV0l5zJXIHyicbRRTUt6G_b0CCxzh56oXnGPEXYmNMwctCnsp6_qB0OYMy2y4pQ2%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D83ffe8f5548a1d1427c88ece36fdc2b6&TIME=20240508T113200Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De89v3L0E5XR_1eLs7wBIRLFjVUCUxeqcQAMz_2hEhb-IR84-eMtctFxyoQkHp1HjEICpGK721qa_YiQDfuiLy94pKcJCjpEJ_1lgI47v9UKsR5g4koOV0l5zJXIHyicbRRTUt6G_b0CCxzh56oXnGPEXYmNMwctCnsp6_qB0OYMy2y4pQ2%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D83ffe8f5548a1d1427c88ece36fdc2b6&TIME=20240508T113200Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=055B8A51F86B611F369A9E2EF9D0607D; domain=.bing.com; expires=Sun, 08-Jun-2025 02:17:36 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D235960AAFAB4FF799D7B8E75FF19444 Ref B: LON04EDGE0811 Ref C: 2024-05-14T02:17:36Z
    date: Tue, 14 May 2024 02:17:36 GMT
  • US
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De89v3L0E5XR_1eLs7wBIRLFjVUCUxeqcQAMz_2hEhb-IR84-eMtctFxyoQkHp1HjEICpGK721qa_YiQDfuiLy94pKcJCjpEJ_1lgI47v9UKsR5g4koOV0l5zJXIHyicbRRTUt6G_b0CCxzh56oXnGPEXYmNMwctCnsp6_qB0OYMy2y4pQ2%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D83ffe8f5548a1d1427c88ece36fdc2b6&TIME=20240508T113200Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De89v3L0E5XR_1eLs7wBIRLFjVUCUxeqcQAMz_2hEhb-IR84-eMtctFxyoQkHp1HjEICpGK721qa_YiQDfuiLy94pKcJCjpEJ_1lgI47v9UKsR5g4koOV0l5zJXIHyicbRRTUt6G_b0CCxzh56oXnGPEXYmNMwctCnsp6_qB0OYMy2y4pQ2%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D83ffe8f5548a1d1427c88ece36fdc2b6&TIME=20240508T113200Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=055B8A51F86B611F369A9E2EF9D0607D; _EDGE_S=SID=2566004333036847161D143C32C369F1
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=htUBJlagsWR54bFU0Hb03liKySbKVUoxlC3i6SLf9zw; domain=.bing.com; expires=Sun, 08-Jun-2025 02:17:37 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: CA81C4FFFB5E494789A842D2C3D79409 Ref B: LON04EDGE0811 Ref C: 2024-05-14T02:17:37Z
    date: Tue, 14 May 2024 02:17:36 GMT
  • NL
    GET
    https://www.bing.com/aes/c.gif?RG=654297668eb542a693da1787375781f7&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113200Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981
    Remote address:
    23.62.61.97:443
    Request
    GET /aes/c.gif?RG=654297668eb542a693da1787375781f7&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113200Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981 HTTP/2.0
    host: www.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=055B8A51F86B611F369A9E2EF9D0607D
    Response
    HTTP/2.0 200
    cache-control: private,no-store
    pragma: no-cache
    vary: Origin
    p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C9FBAB25BCF944D499A9F522AE7E16AE Ref B: DUS30EDGE0318 Ref C: 2024-05-14T02:17:36Z
    content-length: 0
    date: Tue, 14 May 2024 02:17:37 GMT
    set-cookie: _EDGE_S=SID=2566004333036847161D143C32C369F1; path=/; httponly; domain=bing.com
    set-cookie: MUIDB=055B8A51F86B611F369A9E2EF9D0607D; path=/; httponly; expires=Sun, 08-Jun-2025 02:17:37 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.5d3d3e17.1715653056.14478c4
  • US
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    97.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.61.62.23.in-addr.arpa
    IN PTR
    Response
    97.61.62.23.in-addr.arpa
    IN PTR
    a23-62-61-97.deploy.static.akamaitechnologies.com
  • NL
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    23.62.61.97:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=055B8A51F86B611F369A9E2EF9D0607D; _EDGE_S=SID=2566004333036847161D143C32C369F1; MSPTC=htUBJlagsWR54bFU0Hb03liKySbKVUoxlC3i6SLf9zw; MUIDB=055B8A51F86B611F369A9E2EF9D0607D
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Tue, 14 May 2024 02:17:38 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.5d3d3e17.1715653058.1447ae9
  • US
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    34.56.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    34.56.20.217.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    0.204.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.204.248.87.in-addr.arpa
    IN PTR
    Response
    0.204.248.87.in-addr.arpa
    IN PTR
    https-87-248-204-0.lhr.llnw.net
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De89v3L0E5XR_1eLs7wBIRLFjVUCUxeqcQAMz_2hEhb-IR84-eMtctFxyoQkHp1HjEICpGK721qa_YiQDfuiLy94pKcJCjpEJ_1lgI47v9UKsR5g4koOV0l5zJXIHyicbRRTUt6G_b0CCxzh56oXnGPEXYmNMwctCnsp6_qB0OYMy2y4pQ2%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D83ffe8f5548a1d1427c88ece36fdc2b6&TIME=20240508T113200Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB
    tls, http2
    2.5kB
    9.0kB
    19
    17

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De89v3L0E5XR_1eLs7wBIRLFjVUCUxeqcQAMz_2hEhb-IR84-eMtctFxyoQkHp1HjEICpGK721qa_YiQDfuiLy94pKcJCjpEJ_1lgI47v9UKsR5g4koOV0l5zJXIHyicbRRTUt6G_b0CCxzh56oXnGPEXYmNMwctCnsp6_qB0OYMy2y4pQ2%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D83ffe8f5548a1d1427c88ece36fdc2b6&TIME=20240508T113200Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De89v3L0E5XR_1eLs7wBIRLFjVUCUxeqcQAMz_2hEhb-IR84-eMtctFxyoQkHp1HjEICpGK721qa_YiQDfuiLy94pKcJCjpEJ_1lgI47v9UKsR5g4koOV0l5zJXIHyicbRRTUt6G_b0CCxzh56oXnGPEXYmNMwctCnsp6_qB0OYMy2y4pQ2%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D83ffe8f5548a1d1427c88ece36fdc2b6&TIME=20240508T113200Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

    HTTP Response

    204
  • 23.62.61.97:443
    https://www.bing.com/aes/c.gif?RG=654297668eb542a693da1787375781f7&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113200Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981
    tls, http2
    1.5kB
    5.4kB
    17
    11

    HTTP Request

    GET https://www.bing.com/aes/c.gif?RG=654297668eb542a693da1787375781f7&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T113200Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

    HTTP Response

    200
  • 23.62.61.97:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.6kB
    6.4kB
    16
    12

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    97.61.62.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    97.61.62.23.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    34.56.20.217.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    34.56.20.217.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    0.204.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    0.204.248.87.in-addr.arpa

MITRE ATT&CK Matrix


Downloads

  • memory/2192-0-0x00007FFC9BA73000-0x00007FFC9BA75000-memory.dmp

    Filesize

    8KB

  • memory/2192-1-0x0000000000580000-0x00000000006F6000-memory.dmp

    Filesize

    1.5MB

  • memory/2192-2-0x00007FFC9BA70000-0x00007FFC9C531000-memory.dmp

    Filesize

    10.8MB

  • memory/2192-3-0x0000000001120000-0x000000000112E000-memory.dmp

    Filesize

    56KB

  • memory/2192-5-0x00007FFC9BA70000-0x00007FFC9C531000-memory.dmp

    Filesize

    10.8MB
