Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88

  • Size

    3.0MB

  • Sample

    240521-zaq1gahd77

  • MD5

    7930c72a0629b7d98cae323593175068

  • SHA1

    3b53d631f69d7c1315b66c6c5ea43fc2dfb5d947

  • SHA256

    2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88

  • SHA512

    4053cf95786a933209f4ace73d7ae693816b288c8aa04bff3e2458e29e57d745710aabab70a86ff32ebedff3fe8f1be10c2976a659784de4c896017f0a9e30e8

  • SSDEEP

    49152:AZ2fRPDpkR3/hESpjo4uLDI3KoSPq3cXtFvOUcx3twYvr0G56/FBwzpTZoKh:07ZJ89LDSKrq3iGnnw+1YXw9OK

Malware Config

Targets

    • Target

      2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88

    • Size

      3.0MB

    • MD5

      7930c72a0629b7d98cae323593175068

    • SHA1

      3b53d631f69d7c1315b66c6c5ea43fc2dfb5d947

    • SHA256

      2f54943c28167a40a16a068310a8f2ced6c5dad6a3437611e7e969e3a1cd7a88

    • SHA512

      4053cf95786a933209f4ace73d7ae693816b288c8aa04bff3e2458e29e57d745710aabab70a86ff32ebedff3fe8f1be10c2976a659784de4c896017f0a9e30e8

    • SSDEEP

      49152:AZ2fRPDpkR3/hESpjo4uLDI3KoSPq3cXtFvOUcx3twYvr0G56/FBwzpTZoKh:07ZJ89LDSKrq3iGnnw+1YXw9OK

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Detects executables containing bas64 encoded gzip files

    • Detects executables packed with SmartAssembly

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks