Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

c7d5c20a8f...93.exe

windows7-x64

10

c7d5c20a8f...93.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14/06/2024, 01:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c7d5c20a8f8704cd72855276ade10f22dc95cbce0d89aedcaab2ad64a8753693.exe

  • Size

    2.3MB

  • MD5

    499f14a1e407d82bac24d6ac62b1f7ee

  • SHA1

    f6c0cbae4795f6c0590fa6db2da41a70f840cec6

  • SHA256

    c7d5c20a8f8704cd72855276ade10f22dc95cbce0d89aedcaab2ad64a8753693

  • SHA512

    72701089d14891d69ba46c44fbf38e98011313271971c4ba4b2044ae375bcf8474098b1d17a7823ee4afc4c495e27b76a38741fe6ad33252232671a2e094b07b

  • SSDEEP

    24576:NY5J0GMnewFiryL/VSXXn++KN5BGbLPv0LfQceR9EqbIlHgzVEPRA8ElB/p3FIrx:NYj0obkY1XifQ7RHbJK+8qrIrufZTpI

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7d5c20a8f8704cd72855276ade10f22dc95cbce0d89aedcaab2ad64a8753693.exe
    "C:\Users\Admin\AppData\Local\Temp\c7d5c20a8f8704cd72855276ade10f22dc95cbce0d89aedcaab2ad64a8753693.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\32C0d90ThP.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1672
        • C:\Program Files\VideoLAN\VLC\plugins\d3d11\spoolsv.exe
          "C:\Program Files\VideoLAN\VLC\plugins\d3d11\spoolsv.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1760
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\explorer.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2456
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2524
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2940
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\addins\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\addins\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2448
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\Sample Videos\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1260
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\winlogon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Desktop\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\PLA\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1056
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2328
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2280
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2052
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:608
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\d3d11\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\d3d11\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\d3d11\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1788
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:408
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1356

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Reference Assemblies\csrss.exe
      Filesize

      2.3MB

      MD5

      499f14a1e407d82bac24d6ac62b1f7ee

      SHA1

      f6c0cbae4795f6c0590fa6db2da41a70f840cec6

      SHA256

      c7d5c20a8f8704cd72855276ade10f22dc95cbce0d89aedcaab2ad64a8753693

      SHA512

      72701089d14891d69ba46c44fbf38e98011313271971c4ba4b2044ae375bcf8474098b1d17a7823ee4afc4c495e27b76a38741fe6ad33252232671a2e094b07b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\32C0d90ThP.bat
      Filesize

      220B

      MD5

      eafc24c0ba1d6393bf62e40f2093b2fa

      SHA1

      5f606782cd3ff40bbb74803737d5d9672278e57b

      SHA256

      b87144148c9bd905393c359723a35381c96383def30071c1d3c15456fe0c8546

      SHA512

      c62a012efbf739a15437f783e9c94bce1cdec68d26a1ad4783a5b031a0b1b2299eeb748c3d18334377141a037a4332a95530f8cd1b914167c2a4901f40b89799

      Download Submit

    • memory/1760-48-0x0000000000C30000-0x0000000000E82000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/1952-6-0x00000000001C0000-0x00000000001D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1952-5-0x00000000005F0000-0x0000000000646000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1952-4-0x0000000000480000-0x0000000000496000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1952-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1952-7-0x0000000000440000-0x000000000044E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1952-9-0x00000000004D0000-0x00000000004D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1952-8-0x00000000004C0000-0x00000000004C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1952-3-0x0000000000460000-0x000000000047C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1952-2-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1952-45-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1952-1-0x0000000000A40000-0x0000000000C92000-memory.dmp

      Filesize

      2.3MB

      Download