Analysis
- max time kernel: 118s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16/12/2024, 02:38
- Static task: static1
- Behavioral task: behavioral1
  Sample: b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe
  Resource: win7-20240903-en
- Behavioral task: behavioral2
  Sample: b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe
  Resource: win10v2004-20241007-en
General
- Target: b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe
- Size: 4.6MB
- MD5: 8576f95a0e018025e8b46367ae311e83
- SHA1: 0d1c5e913dcc60910e454416e3c149c9d05f02f5
- SHA256: b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8
- SHA512: ef30324c2f5afdfe3639e7322e8e1845e661d55cd4ffff6f7bf65c85e8ac23d5d7c5b92f39d1807c9524a5fb29b21b45249a617f63f0e35ecd3803edd6dc7f30
- SSDEEP: 98304:d++ALvAvoV3JDBQSBK5f7a6uBt9iofavIah:TmvvV5DpQ7a6ugoCvIw
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Dcrat family
- Executes dropped EXE (5 IoCs)
  pid   Process
  3028  Bootstrapper.exe
  2064  DCRatBuild.exe
  1208  Process not Found
  2864  Mscrt.exe
  2184  Mscrt.exe
- Loads dropped DLL (10 IoCs)
  pid   Process
  2368  b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe (2 entries)
  2328  Process not Found
  2988  cmd.exe (2 entries)
  2356  WerFault.exe (5 entries)
- Drops file in Program Files directory (2 IoCs)
  description   ioc                                                      Process
  File created  C:\Program Files\Uninstall Information\conhost.exe       Mscrt.exe
  File created  C:\Program Files\Uninstall Information\088424020bedd6    Mscrt.exe
- Drops file in Windows directory (2 IoCs)
  description   ioc                                                      Process
  File created  C:\Windows\Resources\Themes\Aero\088424020bedd6          Mscrt.exe
  File created  C:\Windows\Resources\Themes\Aero\conhost.exe             Mscrt.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DCRatBuild.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid  Process
  828  PING.EXE
- Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  pid   Process
  2748  ipconfig.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid  Process
  828  PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2864  Mscrt.exe (64 entries)
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  description                          pid   Process
  Token: SeDebugPrivilege              2864  Mscrt.exe
  Token: SeIncreaseQuotaPrivilege      1536  WMIC.exe
  Token: SeSecurityPrivilege           1536  WMIC.exe
  Token: SeTakeOwnershipPrivilege      1536  WMIC.exe
  Token: SeLoadDriverPrivilege         1536  WMIC.exe
  Token: SeSystemProfilePrivilege      1536  WMIC.exe
  Token: SeSystemtimePrivilege         1536  WMIC.exe
  Token: SeProfSingleProcessPrivilege  1536  WMIC.exe
  Token: SeIncBasePriorityPrivilege    1536  WMIC.exe
  Token: SeCreatePagefilePrivilege     1536  WMIC.exe
  Token: SeBackupPrivilege             1536  WMIC.exe
  Token: SeRestorePrivilege            1536  WMIC.exe
  Token: SeShutdownPrivilege           1536  WMIC.exe
  Token: SeDebugPrivilege              1536  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1536  WMIC.exe
  Token: SeRemoteShutdownPrivilege     1536  WMIC.exe
  Token: SeUndockPrivilege             1536  WMIC.exe
  Token: SeManageVolumePrivilege       1536  WMIC.exe
  Token: 33                            1536  WMIC.exe
  Token: 34                            1536  WMIC.exe
  Token: 35                            1536  WMIC.exe
  (the same 20 token entries for PID 1536 WMIC.exe are recorded a second time)
  Token: SeDebugPrivilege              3028  Bootstrapper.exe
  Token: SeDebugPrivilege              2184  Mscrt.exe
- Suspicious use of WriteProcessMemory (47 IoCs)
  description                   pid   Process                                                                 procid_target  entries
  PID 2368 wrote to memory of 3028  2368  b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe  30  4
  PID 2368 wrote to memory of 2064  2368  b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe  32  4
  PID 2064 wrote to memory of 1744  2064  DCRatBuild.exe                                                          33  4
  PID 3028 wrote to memory of 2268  3028  Bootstrapper.exe                                                        34  3
  PID 2268 wrote to memory of 2748  2268  cmd.exe                                                                 36  3
  PID 1744 wrote to memory of 2988  1744  WScript.exe                                                             37  4
  PID 2988 wrote to memory of 2864  2988  cmd.exe                                                                 39  4
  PID 2864 wrote to memory of 1880  2864  Mscrt.exe                                                               41  3
  PID 1880 wrote to memory of 1908  1880  cmd.exe                                                                 43  3
  PID 1880 wrote to memory of 828   1880  cmd.exe                                                                 44  3
  PID 3028 wrote to memory of 1952  3028  Bootstrapper.exe                                                        45  3
  PID 1952 wrote to memory of 1536  1952  cmd.exe                                                                 47  3
  PID 3028 wrote to memory of 2356  3028  Bootstrapper.exe                                                        49  3
  PID 1880 wrote to memory of 2184  1880  cmd.exe                                                                 50  3
Processes (tree depth in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8c9a273058d6214aeccc822fb5f304edc734bd57a4ac43450feeacef70fafb8.exe"
  PID: 2368
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    PID: 3028
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: "cmd" /c ipconfig /all
      PID: 2268
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\ipconfig.exe
        Command line: ipconfig /all
        PID: 2748
        - Gathers network information
    - [3] C:\Windows\system32\cmd.exe
      Command line: "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      PID: 1952
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        PID: 1536
        - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 3028 -s 1128
      PID: 2356
      - Loads dropped DLL
  - [2] C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    PID: 2064
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\ComponentReviewperfmonitor\Uq2tX7p25HNYhIggX0PpAZXDUcRcexvQlwrHhzLqWtjOjit.vbe"
      PID: 1744
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\ComponentReviewperfmonitor\QUMJYJlT6Ngt.bat" "
        PID: 2988
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - [5] C:\ComponentReviewperfmonitor\Mscrt.exe
          Command line: "C:\ComponentReviewperfmonitor/Mscrt.exe"
          PID: 2864
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NzfEtFrhjY.bat"
            PID: 1880
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\chcp.com
              Command line: chcp 65001
              PID: 1908
            - [7] C:\Windows\system32\PING.EXE
              Command line: ping -n 10 localhost
              PID: 828
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
            - [7] C:\ComponentReviewperfmonitor\Mscrt.exe
              Command line: "C:\ComponentReviewperfmonitor\Mscrt.exe"
              PID: 2184
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads