Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/12/2024, 22:03
Behavioral task behavioral1
Sample: 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Resource: win10v2004-20241007-en
General
Target: 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Size: 952KB
MD5: ea363f97b2eb4114d986a81633f21b20
SHA1: 5358a564395c004068ed9907cc6a0809801b8581
SHA256: 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11
SHA512: b40d208dea8daa1ada700aa93e2559f3ee2d11e8f59b38a288ef8d402a8a11eef3636dd3460d21b72bf3bca78bd2c8ebfc9690bc95e40dd79e427e1122be1096
SSDEEP: 24576:2+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:R8/KfRTK
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\wininit.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\wininit.exe\", \"C:\\PerfLogs\\Admin\\explorer.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\wininit.exe\", \"C:\\PerfLogs\\Admin\\explorer.exe\", \"C:\\Windows\\System32\\clusapi\\taskhost.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\wininit.exe\", \"C:\\PerfLogs\\Admin\\explorer.exe\", \"C:\\Windows\\System32\\clusapi\\taskhost.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\wininit.exe\", \"C:\\PerfLogs\\Admin\\explorer.exe\", \"C:\\Windows\\System32\\clusapi\\taskhost.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Windows\\System32\\audiodg\\dllhost.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PerfLogs\\Admin\\wininit.exe\", \"C:\\PerfLogs\\Admin\\explorer.exe\", \"C:\\Windows\\System32\\clusapi\\taskhost.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\", \"C:\\Windows\\System32\\audiodg\\dllhost.exe\", \"C:\\PerfLogs\\Admin\\explorer.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2724 | 2736 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2540 | 2736 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3020 | 2736 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2996 | 2736 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1716 | 2736 | schtasks.exe | 30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3008 | 2736 | schtasks.exe | 30
UAC bypass 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
resource | yara_rule
behavioral1/memory/2112-1-0x0000000000A00000-0x0000000000AF4000-memory.dmp | dcrat
behavioral1/files/0x000500000001998a-20.dat | dcrat
behavioral1/files/0x0007000000019d54-37.dat | dcrat
behavioral1/memory/2140-98-0x0000000001080000-0x0000000001174000-memory.dmp | dcrat
Executes dropped EXE 1 IoCs
pid | Process
2140 | wininit.exe
Adds Run key to start application 2 TTPs 10 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\PerfLogs\\Admin\\explorer.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\clusapi\\taskhost.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\sppsvc.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\audiodg\\dllhost.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\PerfLogs\\Admin\\wininit.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\PerfLogs\\Admin\\explorer.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\clusapi\\taskhost.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\audiodg\\dllhost.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\PerfLogs\\Admin\\wininit.exe\"" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Checks whether UAC is enabled 4 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Drops file in System32 directory 10 IoCs
description | ioc | Process
File created | C:\Windows\System32\clusapi\taskhost.exe | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
File opened for modification | C:\Windows\System32\audiodg\RCX94F.tmp | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
File created | C:\Windows\System32\clusapi\b75386f1303e64d8139363b71e44ac16341adf4e | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
File created | C:\Windows\System32\audiodg\dllhost.exe | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
File created | C:\Windows\System32\audiodg\5940a34987c99120d96dace90a3f93f329dcad63 | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
File opened for modification | C:\Windows\System32\clusapi\RCX544.tmp | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
File opened for modification | C:\Windows\System32\clusapi\RCX545.tmp | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
File opened for modification | C:\Windows\System32\clusapi\taskhost.exe | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
File opened for modification | C:\Windows\System32\audiodg\RCX94E.tmp | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
File opened for modification | C:\Windows\System32\audiodg\dllhost.exe | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3008 | schtasks.exe
2724 | schtasks.exe
2540 | schtasks.exe
3020 | schtasks.exe
2996 | schtasks.exe
1716 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2112 | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2112 | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Token: SeDebugPrivilege | 2140 | wininit.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2112 wrote to memory of 1928 | 2112 | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe | 37
PID 2112 wrote to memory of 1928 | 2112 | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe | 37
PID 2112 wrote to memory of 1928 | 2112 | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe | 37
PID 1928 wrote to memory of 772 | 1928 | cmd.exe | 39
PID 1928 wrote to memory of 772 | 1928 | cmd.exe | 39
PID 1928 wrote to memory of 772 | 1928 | cmd.exe | 39
PID 1928 wrote to memory of 2140 | 1928 | cmd.exe | 40
PID 1928 wrote to memory of 2140 | 1928 | cmd.exe | 40
PID 1928 wrote to memory of 2140 | 1928 | cmd.exe | 40
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11N.exe"
  PID: 2112
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TItgMK42dD.bat"
    PID: 1928
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 772
    - C:\PerfLogs\Admin\wininit.exe
      Command line: "C:\PerfLogs\Admin\wininit.exe"
      PID: 2140
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\PerfLogs\Admin\wininit.exe'" /rl HIGHEST /f
  PID: 2724
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\PerfLogs\Admin\explorer.exe'" /rl HIGHEST /f
  PID: 2540
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\clusapi\taskhost.exe'" /rl HIGHEST /f
  PID: 3020
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
  PID: 2996
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\audiodg\dllhost.exe'" /rl HIGHEST /f
  PID: 1716
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\PerfLogs\Admin\explorer.exe'" /rl HIGHEST /f
  PID: 3008
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
  Scheduled Task/Job 1
    Scheduled Task 1
Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
  Scheduled Task/Job 1
    Scheduled Task 1
Downloads
- Filesize: 952KB
  MD5: f639d536abe7225c06a2bd2a0b1578bb
  SHA1: 7949648271ff732aec8cb63944debe768b2d57d6
  SHA256: c4fe15dc29fdee48e4eca8d81cb670427689b6280e4eb3de96975781f824e40f
  SHA512: 23c5bfe789a570df99f9647d3d4417690da4e0b8a553b02b4be788df7c35df2e6b56d57534d0c6e7a58c2f7e3876397fc3396f4f48ad94c332c825c8e6844061
- Filesize: 193B
  MD5: b11c3bbd9d437416f3eac02b9a491f00
  SHA1: 721f5e0ed653de5a78d0ccaa62ed7fd0b7c9bacd
  SHA256: 47757d8f29ca55d2c0bbbc9967e628a082b86a4d22140d4a3710fa15a20d425a
  SHA512: 118c8749d623475b0f76bbabe2a0c7f2585b1c6ae5f0cab502ab68af4e0f95a59a625519af405610524a6c0405e1504d4a7d0767227665b196ffcf47164e14d8
- Filesize: 952KB
  MD5: ea363f97b2eb4114d986a81633f21b20
  SHA1: 5358a564395c004068ed9907cc6a0809801b8581
  SHA256: 1bafdc2e89ed7d118b2695ec89ccd09f0114020308b94da96d8284022e04ad11
  SHA512: b40d208dea8daa1ada700aa93e2559f3ee2d11e8f59b38a288ef8d402a8a11eef3636dd3460d21b72bf3bca78bd2c8ebfc9690bc95e40dd79e427e1122be1096