Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

2f949ec92b...aa.exe

windows7-x64

10

2f949ec92b...aa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27/05/2024, 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa.exe

  • Size

    1.4MB

  • MD5

    0dd0c6f698a708a404a557cbb55b281c

  • SHA1

    974be3c05755714a185b183be657a3c4123767d2

  • SHA256

    2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa

  • SHA512

    b235c5e74eae9d493f625ebd489d99f58dc484c37559d3e5aa65135ceefba3e9950d98429295ff72db7d82a238da4af669740ae0fd1159150c908e3ceef58cdb

  • SSDEEP

    24576:U2G/nvxW3Ww0txuMyTPo5JOeM/ibuPp7GWrGCmxhejeKjn:UbA30xuMy6JOx/GCmmj7D

Score
10/10
dcratinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa.exe
    "C:\Users\Admin\AppData\Local\Temp\2f949ec92bdeb2498382e19b8588048fc6ff21aee5a29ade4433f1d6ea3d43aa.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\dllnetcommon\nksvCU.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\dllnetcommon\CZ0AxGh8iI0xX.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1244
        • C:\dllnetcommon\Hypercomponent.exe
          "C:\dllnetcommon\Hypercomponent.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEoJzS9HfJ.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:820
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2700
              • C:\Program Files\Common Files\Microsoft Shared\VSTO\smss.exe
                "C:\Program Files\Common Files\Microsoft Shared\VSTO\smss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:2704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2368
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2444
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2132
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2248
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\VSTO\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\VSTO\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\VSTO\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\dllnetcommon\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\dllnetcommon\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\dllnetcommon\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default\My Documents\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2260
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\My Documents\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1784
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default\My Documents\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1900
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1988

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\TEoJzS9HfJ.bat
      Filesize

      225B

      MD5

      374abb2553c6c6da099caa81ba2342fe

      SHA1

      096c9c04cf6266a1f1604363b916e06ca92a36a8

      SHA256

      1a24ca653209477a4140bef7d02acaa6e702c8075ae39f965e62e8584a676d41

      SHA512

      af1a51e07d3276215dfb9d4a8a049bc75e579ae5ffd8a32d2ab35339b17e97892861f2ea43d24a091b841d605bab98fb1aa75523e61c0c6c5bfe171d8e1689d1

      Download Submit

    • C:\dllnetcommon\CZ0AxGh8iI0xX.bat
      Filesize

      36B

      MD5

      a7ccb379ea9088b989b98f4b276a6dae

      SHA1

      8e779da19dc4079fb7756ee39ccb09323ad1c698

      SHA256

      b6e2d4c42b7e0005c705b98df4fae50ffea17f18bcfa989929bd04cd8acc8dd9

      SHA512

      3b3f24c5631357e6bbc3e61466d613f761ad1311d6be8b516f9917512c99c89e8d734c4651756fef05b52b39d09ef89bce9afbb1fa2aecb5af8af9bda4c68f47

      Download Submit

    • C:\dllnetcommon\nksvCU.vbe
      Filesize

      202B

      MD5

      db1cd14e32e7c320993c766da747dd0a

      SHA1

      61772de5539a68e9efcd8a8e4fb838bfc5a41dc8

      SHA256

      3f81eb984aae8c8a80bd55857f05c9d83b3983968c82c5548dee13cbd9c93a0e

      SHA512

      85a9aed69fc747f19971f603b48e64706aa1740f7648ec1798c2ff534a102551b00a921fde27684fb0c63c7c795c6b3c76fc8ddd969a61faf4efee9185a47c29

      Download Submit

    • \dllnetcommon\Hypercomponent.exe
      Filesize

      1.1MB

      MD5

      18d11f5deb5b177a7025dea61ac9699f

      SHA1

      c2b707419d5edc966ed57f5cd517214c01eccc17

      SHA256

      f388054504d405891e096ac309e2f2cd79b31e57d26bd35b656355087d848fcb

      SHA512

      b97a7d1b5f64aad524de9f1cb71065b9faacaf97063a1c8e9beb3f0a2c3c3a5967b528e90484acd5d0a58e248ea70ba259256474df1318f1b37d7855e6490a87

      Download Submit

    • memory/2600-13-0x0000000000A80000-0x0000000000BA6000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2600-14-0x0000000000570000-0x000000000058C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2600-15-0x0000000000A40000-0x0000000000A56000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2704-35-0x0000000000EA0000-0x0000000000FC6000-memory.dmp

      Filesize

      1.1MB

      Download