Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

235d34c77d...b1.exe

windows7-x64

10

235d34c77d...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    01/08/2024, 23:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    235d34c77d2170ce99f718267547a1b1.exe

  • Size

    2.8MB

  • MD5

    235d34c77d2170ce99f718267547a1b1

  • SHA1

    d8802d67af489d34023046f84a8c6eeae7c9afd8

  • SHA256

    0f2c744c9325bd8c8874af73a82add70c6206e047afef3be951fb6ebfe8c5576

  • SHA512

    7c292e38783e56f63999cfe88a43758353de33622a6ff937af5e6252639530ee21ad036b0795e02ddb817e8d29c7fb2c8514f76627ea168fc274df9a21e8178e

  • SSDEEP

    49152:ubA3jvN1HwTxELJKORSmFPANX0M2EQX2YnbcqT9KD2EB7F1QetkmL6Hs44F+I6:ubaN1HwdEwmxGDDaYqTYDZ7ntkBHs44o

Score
10/10
dcratdiscoveryinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 25 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Process spawned unexpected child process 24 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 16 IoCs
    persistence
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\235d34c77d2170ce99f718267547a1b1.exe
    "C:\Users\Admin\AppData\Local\Temp\235d34c77d2170ce99f718267547a1b1.exe"
    1⤵
    • DcRat
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\surrogatewinhostsvc\nu5MrHdU8wRPsPg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\surrogatewinhostsvc\wBJ3JMG47SmseQ.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1360
        • C:\surrogatewinhostsvc\blockportserver.exe
          "C:\surrogatewinhostsvc\blockportserver.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Program Files\Windows NT\Accessories\en-US\csrss.exe
            "C:\Program Files\Windows NT\Accessories\en-US\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\surrogatewinhostsvc\csrss.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\surrogatewinhostsvc\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\surrogatewinhostsvc\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\csrss.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\cmd.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\cmd.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\cmd.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\audiodg.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1356
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Public\lsm.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2172
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2176

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\surrogatewinhostsvc\blockportserver.exe
    Filesize

    2.5MB

    MD5

    20cb8781e072c5c355b82dbb35fe7d53

    SHA1

    0bcc2e15d5ad8b869aae6f3fbe4caec027da245a

    SHA256

    847c3eec06cef11c67133a2bf6263a5051691745f23c58731712d8ec58800028

    SHA512

    72011df2b391c8ea7edaf5b52d25c5a7df10f9c7bba38143c4ac6e55d6b10b84b4fa1d82b10ceb9bd3428253e6965567d4943f548dbe7229dba2bd72c758c027

    Download Submit

  • C:\surrogatewinhostsvc\nu5MrHdU8wRPsPg.vbe
    Filesize

    210B

    MD5

    a79158e3b1d9ed9598b1ca48083d2c14

    SHA1

    cbe5a2189f5438be85e08e66bf920b0a09710549

    SHA256

    0cb22cafd03369625e2a4d2a984ee44b40da9552c605a93b228ee92123655f03

    SHA512

    29795d38d5bfae787e763f3797718c8a025ffd94d992d9ec161007a2d26ad333b311b0e832457982e53db7f4a5e52854e4899dac3ad0f91370837bd044dd1984

    Download Submit

  • C:\surrogatewinhostsvc\wBJ3JMG47SmseQ.bat
    Filesize

    44B

    MD5

    cb20cf3cd0b69520d6609862850432fd

    SHA1

    0067ca01f3768a78667d6ad08246ff3bf6c3d276

    SHA256

    0f2839791a1a576337466fd847893e1cbe8f0376a54f4291e4d57afdaf2cd252

    SHA512

    64034329bf6af43e56df14f8bc02e8dd5ef495d5bb8e41d5d12bff9088143f3acda89a549d3e4a20ba3ecd5ba643539c1a02974e6cb3771b6375626c6fa2b9ae

    Download Submit

  • memory/2144-46-0x0000000000E80000-0x0000000001100000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/3036-17-0x0000000000250000-0x0000000000260000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3036-15-0x00000000003E0000-0x00000000003FC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3036-14-0x0000000000240000-0x000000000024E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3036-16-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3036-18-0x0000000000790000-0x00000000007E6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/3036-19-0x0000000000420000-0x000000000042C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3036-21-0x00000000004C0000-0x00000000004CC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3036-20-0x00000000004B0000-0x00000000004B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3036-22-0x00000000004D0000-0x00000000004DE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3036-23-0x0000000000660000-0x000000000066A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3036-13-0x0000000000800000-0x0000000000A80000-memory.dmp

    Filesize

    2.5MB

    Download