Analysis
max time kernel: 24s
max time network: 18s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/12/2024, 13:30
Static task: static1
Behavioral task: behavioral1
  Sample: NeverLose Loader.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: NeverLose Loader.exe
  Resource: win10v2004-20241007-en
General
Target: NeverLose Loader.exe
Size: 2.8MB
MD5: a35bacaf176f367bd51ed22782dc5519
SHA1: 99fdd147469d0392fc2a8fcc714206a70c3961db
SHA256: 9fc8c881c65e76927632323529b5186fb552d22fa4b52b6ac82165728aa02f9f
SHA512: b33b4452cccd762eead94b90244e2aaefa9f5fcca45dba761d5e28a28a2bbc3ef201b2e1f187df6e66949fb501f1edb31f7d9634dfa7dd17bb7050142a31b51a
SSDEEP: 49152:tBUnRxbHAr0MmN6vm2H0MvnoxhRb4q3WO/PVdxfgz6:n2RxbHyfH0MvnonRbZ5Vd5o6
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Dcrat family
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\agentsavesSessioncrt\\TextInputHost.exe\"" | hyperBlockServerSavesSession.exe
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4804 | 2988 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1648 | 2988 | schtasks.exe | 89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3980 | 2988 | schtasks.exe | 89
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | NeverLose Loader.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | WScript.exe
Executes dropped EXE 1 IoCs
pid | Process
2748 | hyperBlockServerSavesSession.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\agentsavesSessioncrt\\TextInputHost.exe\"" | hyperBlockServerSavesSession.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\agentsavesSessioncrt\\TextInputHost.exe\"" | hyperBlockServerSavesSession.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | \??\c:\Windows\System32\CSC64A9DA5E912B45C380D89BBEBED6B8C9.TMP | csc.exe
File created | \??\c:\Windows\System32\lhkpi-.exe | csc.exe
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Portable Devices\fontdrvhost.exe | hyperBlockServerSavesSession.exe
File created | C:\Program Files\Windows Portable Devices\5b884080fd4f94 | hyperBlockServerSavesSession.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\ServiceProfiles\csrss.exe | hyperBlockServerSavesSession.exe
File created | C:\Windows\ServiceProfiles\886983d96e3d3e | hyperBlockServerSavesSession.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NeverLose Loader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | NeverLose Loader.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4804 | schtasks.exe
1648 | schtasks.exe
3980 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2748 | hyperBlockServerSavesSession.exe (the same pid/process pair is repeated for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2748 | hyperBlockServerSavesSession.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2180 wrote to memory of 4720 | 2180 | NeverLose Loader.exe | 82
PID 2180 wrote to memory of 4720 | 2180 | NeverLose Loader.exe | 82
PID 2180 wrote to memory of 4720 | 2180 | NeverLose Loader.exe | 82
PID 4720 wrote to memory of 4892 | 4720 | WScript.exe | 94
PID 4720 wrote to memory of 4892 | 4720 | WScript.exe | 94
PID 4720 wrote to memory of 4892 | 4720 | WScript.exe | 94
PID 4892 wrote to memory of 2748 | 4892 | cmd.exe | 96
PID 4892 wrote to memory of 2748 | 4892 | cmd.exe | 96
PID 2748 wrote to memory of 380 | 2748 | hyperBlockServerSavesSession.exe | 100
PID 2748 wrote to memory of 380 | 2748 | hyperBlockServerSavesSession.exe | 100
PID 380 wrote to memory of 1228 | 380 | csc.exe | 102
PID 380 wrote to memory of 1228 | 380 | csc.exe | 102
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\NeverLose Loader.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NeverLose Loader.exe"
    PID: 2180
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\agentsavesSessioncrt\wvAy3g2cwUA0WlAR67rDwx6ilqeJ3huGsrpLtUKpTSpXZqeLmD5jcZq.vbe"
      PID: 4720
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\agentsavesSessioncrt\fqPjTa5dmPVCKdRywzd7JYZCOwyT6TkVbtC1AmfVOodlKWVPvDa.bat" "
        PID: 4892
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\agentsavesSessioncrt\hyperBlockServerSavesSession.exe
          Command line: "C:\agentsavesSessioncrt/hyperBlockServerSavesSession.exe"
          PID: 2748
          - Modifies WinLogon for persistence
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zklvxjjd\zklvxjjd.cmdline"
            PID: 380
            - Drops file in System32 directory
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE733.tmp" "c:\Windows\System32\CSC64A9DA5E912B45C380D89BBEBED6B8C9.TMP"
              PID: 1228

[1] C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 2176

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\agentsavesSessioncrt\TextInputHost.exe'" /f
    PID: 4804
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\agentsavesSessioncrt\TextInputHost.exe'" /rl HIGHEST /f
    PID: 1648
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\agentsavesSessioncrt\TextInputHost.exe'" /rl HIGHEST /f
    PID: 3980
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads