Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64
    arch:x86
    image:win10ltsc2021-20241023-en
    locale:en-us
    os:windows10-ltsc 2021-x64
    system
  • submitted
    02/12/2024, 20:49 UTC

General

  • Target

    HORNETrat_launcher.exe

  • Size

    2.9MB

  • MD5

    f07b8eea2d8c8ee368b680254ad0fee5

  • SHA1

    1c75b5bcabedf0e31c76df0ff6ee23ab389bae3b

  • SHA256

    34947ad997759cb6aaf571df44c0996dae57e04cf4510ef4136b8b7ca16eea4e

  • SHA512

    9c01412cb8aa51419f74f8b614f88383f41ce2e2698b373b7d59519d23b875e0660b6fe4a947afa0b79878223afacb8cb8b8a3164b0a44d20f8f58521ff9d21e

  • SSDEEP

    49152:BB3kRVwF/UHWZU5qfD330oa5EL0h81IC4XA4QKa1lWpdh:L0ReSS05G281ICX4QKa1lWpdh

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 40 IoCs
  • Suspicious use of SendNotifyMessage 40 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\HORNETrat_launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\HORNETrat_launcher.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\mshyperblock\7CVEgcv.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\mshyperblock\S9mCKi92BftZwElqhr8FGhYT1zV90zFd1F.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3448
        • C:\mshyperblock\hyperInto.exe
          "C:\mshyperblock/hyperInto.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1344
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AXpwF8CBIE.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3116
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:2040
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2548
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:400
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2160
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\taskhostw.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2748
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4404
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5092
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2816
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4400
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2492

    Network

    • flag-us
      DNS
      232.168.11.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      232.168.11.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      0.204.248.87.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.204.248.87.in-addr.arpa
      IN PTR
      Response
      0.204.248.87.in-addr.arpa
      IN PTR
      https-87-248-204-0lhrllnwnet
    • flag-us
      DNS
      73.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      checkappexec.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      checkappexec.microsoft.com
      IN A
      Response
      checkappexec.microsoft.com
      IN CNAME
      prod-atm-wds-apprep.trafficmanager.net
      prod-atm-wds-apprep.trafficmanager.net
      IN CNAME
      prod-agic-us-1.uksouth.cloudapp.azure.com
      prod-agic-us-1.uksouth.cloudapp.azure.com
      IN A
      13.87.96.169
    • flag-gb
      POST
      https://checkappexec.microsoft.com/windows/shell/actions
      Remote address:
      13.87.96.169:443
      Request
      POST /windows/shell/actions HTTP/2.0
      host: checkappexec.microsoft.com
      accept-encoding: gzip, deflate
      user-agent: SmartScreen/2814751014982010
      authorization: SmartScreenHash eyJhdXRoSWQiOiJhZGZmZjVhZC1lZjllLTQzYTYtYjFhMy0yYWQ0MjY3YWVlZDUiLCJoYXNoIjoiWVVtSzFjaEJOZ2s9Iiwia2V5IjoiL2krUkZIeTg3eTRiTHNuSEZNOEw0Zz09In0=
      content-length: 1162
      content-type: application/json; charset=utf-8
      cache-control: no-cache
      Response
      HTTP/2.0 200
      date: Mon, 02 Dec 2024 20:49:33 GMT
      content-type: application/json; charset=utf-8
      content-length: 183
      server: Kestrel
      cache-control: max-age=0, private
      request-context: appId=cid-v1:7f05e9f0-1fe6-401c-8ae7-2478e40e2f1e
    • flag-us
      DNS
      169.96.87.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      169.96.87.13.in-addr.arpa
      IN PTR
      Response
    • 13.87.96.169:443
      https://checkappexec.microsoft.com/windows/shell/actions
      tls, http2
      2.9kB
      9.5kB
      21
      15

      HTTP Request

      POST https://checkappexec.microsoft.com/windows/shell/actions

      HTTP Response

      200
    • 8.8.8.8:53
      232.168.11.51.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      232.168.11.51.in-addr.arpa

    • 8.8.8.8:53
      0.204.248.87.in-addr.arpa
      dns
      71 B
      116 B
      1
      1

      DNS Request

      0.204.248.87.in-addr.arpa

    • 8.8.8.8:53
      73.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      73.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      checkappexec.microsoft.com
      dns
      72 B
      192 B
      1
      1

      DNS Request

      checkappexec.microsoft.com

      DNS Response

      13.87.96.169

    • 8.8.8.8:53
      169.96.87.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      169.96.87.13.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AXpwF8CBIE.bat

      Filesize

      167B

      MD5

      f6b569551c7fc3e1c325f7caa5c92832

      SHA1

      12a19cfac93aea0a8d213447175efada43760a9c

      SHA256

      c5730822e6c848c8a3a8a4f17e006e3c1314a14df251c6d360e9a958f9169702

      SHA512

      8faf13156b07c738054ba5fcc8f4c3051f80dedf90dd410f329d4e37c04a5b3b8f689ec9c1e9a0ea77341c4d3ae04430506b41d150ec149cd2975423c2eccbe1

    • C:\mshyperblock\7CVEgcv.vbe

      Filesize

      225B

      MD5

      b7a9d7bc751980e5d28b50643805b2b0

      SHA1

      dd4e0de7003f4dfc9a4cc52bfbf542e335a700f3

      SHA256

      417517292e016853942d2072a55cb914a1e9c552af7d4fce9e9497d32d42ae2f

      SHA512

      965e0ecc6c2535d46c7cc27ca7917f5ff20e07b881bf4ab15f26fd25807ad756fed4eca03f8315b68d1e72db1b97f9344ce111955b4c7368f40c5d2f8afec8a0

    • C:\mshyperblock\S9mCKi92BftZwElqhr8FGhYT1zV90zFd1F.bat

      Filesize

      71B

      MD5

      769d41729d7dc06c2302102db2bf90bf

      SHA1

      156cdeacce22a5969515bc4d61f47a908da78f1e

      SHA256

      38f5e3ea511d8cfe28b6d163d844a8cd7c1428ba2f0017793fba1fbae559d54e

      SHA512

      f33d0e2ca822168915a2ac6f8ab8bc4774d8733f92d8937b96c9b3e39ece245f003183c53d55c6a51b6c9b1241d252bd303af7381516ae1cd23641fda45de5c7

    • C:\mshyperblock\hyperInto.exe

      Filesize

      2.6MB

      MD5

      5bdfa3d66339a5624d36ee2038584cfc

      SHA1

      a55b70c8e118a0aa3d3d06281ce5809db2933a7a

      SHA256

      a1cdf05403d641c6717c540e76ee1cff8b3d3723df3574413dbdd7e18d1393fa

      SHA512

      de156c9044d48657056d087252f46ed3c36f1ce676b1e0a2b3946dc29fa6e5347685bff1b4ad83ecb5b194bd3eb2e3976cbd7028d34390590393bbb5373b84c2

    • memory/1344-44-0x000000001B9D0000-0x000000001B9E2000-memory.dmp

      Filesize

      72KB

    • memory/1344-47-0x0000000002D80000-0x0000000002D8C000-memory.dmp

      Filesize

      48KB

    • memory/1344-55-0x0000000002DC0000-0x0000000002DCC000-memory.dmp

      Filesize

      48KB

    • memory/1344-53-0x000000001BA10000-0x000000001BA28000-memory.dmp

      Filesize

      96KB

    • memory/1344-51-0x0000000002DB0000-0x0000000002DBE000-memory.dmp

      Filesize

      56KB

    • memory/1344-49-0x000000001C560000-0x000000001C5BA000-memory.dmp

      Filesize

      360KB

    • memory/1344-45-0x000000001CA90000-0x000000001CFB8000-memory.dmp

      Filesize

      5.2MB

    • memory/1344-42-0x000000001B9B0000-0x000000001B9C6000-memory.dmp

      Filesize

      88KB

    • memory/1344-40-0x0000000002D70000-0x0000000002D80000-memory.dmp

      Filesize

      64KB

    • memory/1344-28-0x0000000000A90000-0x0000000000D26000-memory.dmp

      Filesize

      2.6MB

    • memory/1344-30-0x0000000002CE0000-0x0000000002CEE000-memory.dmp

      Filesize

      56KB

    • memory/1344-32-0x0000000002CF0000-0x0000000002D00000-memory.dmp

      Filesize

      64KB

    • memory/1344-34-0x0000000002D00000-0x0000000002D0E000-memory.dmp

      Filesize

      56KB

    • memory/1344-36-0x0000000002D90000-0x0000000002DA2000-memory.dmp

      Filesize

      72KB

    • memory/1344-38-0x0000000002D10000-0x0000000002D1C000-memory.dmp

      Filesize

      48KB

    • memory/2572-12-0x0000021275110000-0x0000021275111000-memory.dmp

      Filesize

      4KB

    • memory/2572-18-0x0000021275110000-0x0000021275111000-memory.dmp

      Filesize

      4KB

    • memory/2572-13-0x0000021275110000-0x0000021275111000-memory.dmp

      Filesize

      4KB

    • memory/2572-17-0x0000021275110000-0x0000021275111000-memory.dmp

      Filesize

      4KB

    • memory/2572-21-0x0000021275110000-0x0000021275111000-memory.dmp

      Filesize

      4KB

    • memory/2572-19-0x0000021275110000-0x0000021275111000-memory.dmp

      Filesize

      4KB

    • memory/2572-20-0x0000021275110000-0x0000021275111000-memory.dmp

      Filesize

      4KB

    • memory/2572-22-0x0000021275110000-0x0000021275111000-memory.dmp

      Filesize

      4KB

    • memory/2572-23-0x0000021275110000-0x0000021275111000-memory.dmp

      Filesize

      4KB

    • memory/2572-11-0x0000021275110000-0x0000021275111000-memory.dmp

      Filesize

      4KB
