Analysis

  • max time kernel
    24s
  • max time network
    18s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    20/12/2024, 13:30

General

  • Target

    NeverLose Loader.exe

  • Size

    2.8MB

  • MD5

    a35bacaf176f367bd51ed22782dc5519

  • SHA1

    99fdd147469d0392fc2a8fcc714206a70c3961db

  • SHA256

    9fc8c881c65e76927632323529b5186fb552d22fa4b52b6ac82165728aa02f9f

  • SHA512

    b33b4452cccd762eead94b90244e2aaefa9f5fcca45dba761d5e28a28a2bbc3ef201b2e1f187df6e66949fb501f1edb31f7d9634dfa7dd17bb7050142a31b51a

  • SSDEEP

    49152:tBUnRxbHAr0MmN6vm2H0MvnoxhRb4q3WO/PVdxfgz6:n2RxbHyfH0MvnonRbZ5Vd5o6

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NeverLose Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\NeverLose Loader.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\agentsavesSessioncrt\wvAy3g2cwUA0WlAR67rDwx6ilqeJ3huGsrpLtUKpTSpXZqeLmD5jcZq.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4720
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\agentsavesSessioncrt\fqPjTa5dmPVCKdRywzd7JYZCOwyT6TkVbtC1AmfVOodlKWVPvDa.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4892
        • C:\agentsavesSessioncrt\hyperBlockServerSavesSession.exe
          "C:\agentsavesSessioncrt/hyperBlockServerSavesSession.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zklvxjjd\zklvxjjd.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:380
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE733.tmp" "c:\Windows\System32\CSC64A9DA5E912B45C380D89BBEBED6B8C9.TMP"
              6⤵
                PID:1228
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
      PID:2176
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\agentsavesSessioncrt\TextInputHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\agentsavesSessioncrt\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\agentsavesSessioncrt\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3980
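The process tree and the three schtasks lines above are the behaviours a detection engineer would alert on: a WScript -> cmd -> dropped-EXE chain running from a directory outside Windows or Program Files, csc.exe invoked by that dropped EXE (runtime C# compilation, as the csc.exe/cvtres.exe pair and the .cmdline file in Temp show), and scheduled tasks whose /tr target sits outside the trusted directories, with /rl HIGHEST and short MINUTE re-run intervals. The Python below is an added example, not tria.ge code and not code from the sample: it reconstructs those process-creation records as constructed events (the pid/ppid/image/cmdline field names are an assumed Sysmon-EID-1-style layout, and ppid 0 marks a parent the report does not show) and runs three rules over them.

```python
"""Flag the behaviours seen in this report's process tree.

Added example, not tria.ge code nor code from the sample.  EVENTS is
constructed from the report's command lines; the pid/ppid/image/cmdline
layout is an assumed Sysmon-EID-1 style, and ppid 0 marks a parent the
report does not show."""
import re

# Directories a scheduled or spawned binary is expected to live in.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Parents for which spawning csc.exe is normal (assumed list).
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

EVENTS = [  # constructed from the report's process tree
    {"pid": 2180, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\NeverLose Loader.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\NeverLose Loader.exe"'},
    {"pid": 4720, "ppid": 2180, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\agentsavesSessioncrt\wvAy3g2cwUA0WlAR67rDwx6ilqeJ3huGsrpLtUKpTSpXZqeLmD5jcZq.vbe"'},
    {"pid": 4892, "ppid": 4720, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\agentsavesSessioncrt\fqPjTa5dmPVCKdRywzd7JYZCOwyT6TkVbtC1AmfVOodlKWVPvDa.bat" "'},
    {"pid": 2748, "ppid": 4892, "image": r"C:\agentsavesSessioncrt\hyperBlockServerSavesSession.exe",
     "cmdline": r'"C:\agentsavesSessioncrt/hyperBlockServerSavesSession.exe"'},
    {"pid": 380, "ppid": 2748, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zklvxjjd\zklvxjjd.cmdline"'},
    {"pid": 4804, "ppid": 0, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\agentsavesSessioncrt\TextInputHost.exe'" /f'''},
    {"pid": 1648, "ppid": 0, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\agentsavesSessioncrt\TextInputHost.exe'" /rl HIGHEST /f'''},
    {"pid": 3980, "ppid": 0, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\agentsavesSessioncrt\TextInputHost.exe'" /rl HIGHEST /f'''},
]


def _norm(path):
    """Lower-case, drop wrapping quotes, unify slashes: C:\\a/b and "c:\\a\\b" compare equal."""
    return path.strip().strip('"').strip("'").replace("/", "\\").lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def in_trusted_dir(path):
    return _norm(path).startswith(TRUSTED_DIRS)


def parse_schtasks(cmdline):
    """Return the switches of a 'schtasks /create' line as {switch: value-or-True}, else None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if "/create" not in (t.lower() for t in tokens):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1].strip("'")   # /tr is quoted twice: "'...'"
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def schtasks_findings(opts):
    found = []
    tr = opts.get("tr")
    if isinstance(tr, str) and not in_trusted_dir(tr):
        found.append("task target outside Windows/Program Files: " + _norm(tr))
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        found.append("task requests highest run level")
    sc = str(opts.get("sc", "")).upper()
    if sc == "MINUTE" and int(opts.get("mo", 1)) <= 10:
        found.append("task re-runs every %s minute(s) (watchdog persistence)" % opts["mo"])
    elif sc == "ONLOGON":
        found.append("task runs at every logon")
    return found


def ancestry(events, pid):
    """Yield image basenames of a process's ancestors, nearest parent first."""
    by_pid = {e["pid"]: e for e in events}
    e, seen = by_pid.get(pid), set()
    while e and e["ppid"] in by_pid and e["ppid"] not in seen:
        seen.add(e["ppid"])
        e = by_pid[e["ppid"]]
        yield _basename(e["image"])


def analyse(events):
    """Return {pid: [finding, ...]} for every event that trips a rule."""
    report = {}
    for e in events:
        name, parents, found = _basename(e["image"]), list(ancestry(events, e["pid"])), []
        # Rule 1: binary outside trusted dirs, reached through a script host (WScript -> cmd -> EXE).
        if not in_trusted_dir(e["image"]) and SCRIPT_HOSTS & set(parents):
            found.append("untrusted-path executable launched via script chain: " + " <- ".join(parents))
        # Rule 2: csc.exe started by something that is not a build tool (runtime compilation).
        if name == "csc.exe" and parents and parents[0] not in DEV_PARENTS:
            found.append("csc.exe spawned by non-developer parent " + parents[0])
        # Rule 3: schtasks /create with persistence-style options.
        if name == "schtasks.exe":
            opts = parse_schtasks(e["cmdline"])
            if opts:
                found.extend(schtasks_findings(opts))
        if found:
            report[e["pid"]] = found
    return report


if __name__ == "__main__":
    for pid, findings in analyse(EVENTS).items():
        for f in findings:
            print(pid, f)
```

The rules key on paths and ancestry rather than on names: the task name TextInputHost shares its name with a legitimate Windows component, so a name-based allowlist would miss it, while the /tr target under C:\agentsavesSessioncrt does not survive the trusted-directory check. Running it flags PID 2748 (dropped EXE via WScript/cmd), PID 380 (csc.exe under the dropped EXE) and all three schtasks lines, and leaves the submitted sample, WScript and cmd.exe themselves unflagged.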

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESE733.tmp

        Filesize

        1KB

        MD5

        616b1ca7043b460eb8509579739269dc

        SHA1

        d373c0154cb2d5811fdc465951b5531c937c9fa2

        SHA256

        c8658d76547b54703bac347d7248674bd16d1c6e9aa3bedceadec9b68f40a9a2

        SHA512

        d71422a2ae3ebdd77190dd26ce2e1d1f31acae87327827cb3e8f9d328bbc900475768ae51e351f7f798f72a6c2d00564b0fc9da8cc70d0290cb0fc9e843c0b95

      • C:\agentsavesSessioncrt\fqPjTa5dmPVCKdRywzd7JYZCOwyT6TkVbtC1AmfVOodlKWVPvDa.bat

        Filesize

        103B

        MD5

        ebe4c21126c470353bc85eac1cef774a

        SHA1

        ee65d9ffab4a9d4781feb71d087a946bd64476cb

        SHA256

        27dc735359b7b713506b5a2dbacbbdb43d296f0cc4f11f374b59d605ec4f64e0

        SHA512

        67b2b033fb58cd3df39a1b7741d14729ef092d21c142c0a06611eed6479000ca29595496624b8d2acf43041ef8332e4cb66923d10b9b6a29dc29e9e007885f13

      • C:\agentsavesSessioncrt\hyperBlockServerSavesSession.exe

        Filesize

        2.3MB

        MD5

        22a0f7e0137b38061bcea6990ea2b3d8

        SHA1

        65b9d717a7a53df2bd8c58351510033e771cfd02

        SHA256

        ad7b5a48b29168ac72ab4d887e21021c3c63d4320de8b0b88ae8d295c98a051e

        SHA512

        192acb8169f883ece3af2c83eacef49bc6fa465bbe943b3716af785e8bb4bc959fe7e6457b14bb5474adba6fd5f18fc9e30bf2a1a63b5147d0dca5e52681ae25

      • C:\agentsavesSessioncrt\wvAy3g2cwUA0WlAR67rDwx6ilqeJ3huGsrpLtUKpTSpXZqeLmD5jcZq.vbe

        Filesize

        250B

        MD5

        a0513e519e74038b3105c6da2ab0d334

        SHA1

        6c5f7f413c19c0f7c2584e706a60d08c27823e36

        SHA256

        3ed9c9074b5448cb4fdc13904739407317f5e083eda10b4ab6145888ffa12033

        SHA512

        222c2107dcfc29a0e0a05a5378ac38a564c175868d9a9428de4610cff53b35c16dee575e4d63eb427ad23bcaec7a8649167b4918aaf18e78bf7329a6c2e3b877

      • \??\c:\Users\Admin\AppData\Local\Temp\zklvxjjd\zklvxjjd.0.cs

        Filesize

        373B

        MD5

        88fac8c11bfa1d3d9760f01a8102a18b

        SHA1

        082b3403249570f33844ebd4ee1836c3b649be1d

        SHA256

        35314d50c7c404da406f186f75740a4c96ce3f2c5ac03ec739dcab8e420151e3

        SHA512

        ea0dcdb390c48d2c7a2e4557ad46e2fae4212c4e46a4d0a7ac4da49ab41209e2ba9906d3f417d269a22bc31dfc2f27ffa9043bb9e664b0303d2afb153b8b212a

      • \??\c:\Users\Admin\AppData\Local\Temp\zklvxjjd\zklvxjjd.cmdline

        Filesize

        235B

        MD5

        25b8e1f70d5c054f5a5450049f0052ad

        SHA1

        998aac474fa791c5a2234fc482309a52028e95ff

        SHA256

        1cf05f8d483aae7d09b83e9eaa6098719ec9b8d9a03311ffe6e4c8fb6124a3eb

        SHA512

        5fdc0e86ebb15c6bd36055a93e3de896c0c21a3e14bcb8a5075a5cf8c2f597d33ff5728d1576eff70eba587313fced6ec462b4dd744f04ea84ff856d5deaad45

      • \??\c:\Windows\System32\CSC64A9DA5E912B45C380D89BBEBED6B8C9.TMP

        Filesize

        1KB

        MD5

        75e32610d8ef6143201c7c28465fcda9

        SHA1

        b2bae99fade2dda07aecbe1659d184be0fc4e7a6

        SHA256

        97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b

        SHA512

        b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

      • memory/2748-17-0x000000001BE10000-0x000000001BE60000-memory.dmp

        Filesize

        320KB

      • memory/2748-21-0x000000001BEC0000-0x000000001BF1A000-memory.dmp

        Filesize

        360KB

      • memory/2748-23-0x0000000001660000-0x0000000001670000-memory.dmp

        Filesize

        64KB

      • memory/2748-25-0x0000000002F30000-0x0000000002F3C000-memory.dmp

        Filesize

        48KB

      • memory/2748-19-0x00000000030D0000-0x00000000030E8000-memory.dmp

        Filesize

        96KB

      • memory/2748-16-0x00000000030B0000-0x00000000030CC000-memory.dmp

        Filesize

        112KB

      • memory/2748-14-0x0000000001650000-0x000000000165E000-memory.dmp

        Filesize

        56KB

      • memory/2748-12-0x0000000000C00000-0x0000000000E48000-memory.dmp

        Filesize

        2.3MB