Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    29d80d247dfb4bd92b1bcfd7a7695d36.bin

  • Size

    1.5MB

  • Sample

    240601-bv3yrsch6s

  • MD5

    33ea986f601bf6615e63f934abde707b

  • SHA1

    32d3441dfcc9c9f78c670203f533754e7b7b6fb9

  • SHA256

    422c7c22a4e94de28a9d706cb882432bc1d250a9bde13754b994b252bca37aed

  • SHA512

    9b4ee46668408bc1b4b21bfc8669cc1ee9491afd48fc83e820393793ce77d36a496a1d0297fb1bd739fe1e985a2184e1b6761cd6860849bc6198f7665df16954

  • SSDEEP

    49152:2CK2bGcHSO9vVEFXJ3+dhaDZoyUvmBeozsX7L02fDbHCC3o:9blb7ED3+z6owkozs7L0WbiCY

Malware Config

Targets

    • Target

      19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963.exe

    • Size

      1.9MB

    • MD5

      29d80d247dfb4bd92b1bcfd7a7695d36

    • SHA1

      0284cb27c754537c0440d9341a6fd07b0be1fa42

    • SHA256

      19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963

    • SHA512

      5b25f67c590204cb293e46e0eb10f47e0b02a3c3db1e6537c8a6414b598d4811c68c96a39b18391f750cf72fab4621eaec51fe4e4cc6b11c220823717e37c1e0

    • SSDEEP

      24576:5cIqg3pZ9Lbp1x5mMnbJ4ANfUAlkDd/2uUpET57RLGKETv/cyUM6MniOlsxvZBSg:XrhDbJ4dAlkpuuUpY57cKEr0a7iOyKc

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks