Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14/01/2025, 02:05
Behavioral task: behavioral1
Sample: 079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe
Resource: win7-20240903-en
General
Target: 079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe
Size: 3.2MB
MD5: 4fabffd3dfad2d1e11ae2317b40b6e4a
SHA1: df2ce294dc75060632bfb45add20e69ccc9396c1
SHA256: 079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a
SHA512: bc6ab0e0286913472d6ca8cd19e95b4066d433fbb6247ed377e6ade995a74c201902c32463361e9d9746277fe8898d95b8a08114eedc027f062b38d4ea9550ed
SSDEEP: 49152:ubA3jIe1fNayqo7lKdSD6qVvWakQ4BnFxFkUP6IqG7bZ0Z2lOWvOhvECUQb:ubQNuAD3vyQ9bLG7yglVv4vHUy
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
resource | yara_rule
behavioral1/files/0x0008000000018bf3-9.dat | dcrat
behavioral1/memory/3032-13-0x0000000001120000-0x0000000001418000-memory.dmp | dcrat
behavioral1/memory/624-49-0x0000000000330000-0x0000000000628000-memory.dmp | dcrat

Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2580 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2612 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2608 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2044 | 2796 | schtasks.exe | 35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1092 | 2796 | schtasks.exe | 35

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1248 | powershell.exe
1048 | powershell.exe
1812 | powershell.exe

Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | webnetdhcp.exe

Executes dropped EXE 2 IoCs
pid | Process
3032 | webnetdhcp.exe
624 | lsass.exe

Loads dropped DLL 2 IoCs
pid | Process
2372 | cmd.exe
2372 | cmd.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
7 | ip-api.com
12 | ipinfo.io
13 | ipinfo.io
4 | ip-api.com

Drops file in Program Files directory 5 IoCs
description | ioc | Process
File created | C:\Program Files\Microsoft Games\6203df4a6bafc7 | webnetdhcp.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\dllhost.exe | webnetdhcp.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\5940a34987c991 | webnetdhcp.exe
File created | C:\Program Files\Microsoft Games\lsass.exe | webnetdhcp.exe
File opened for modification | C:\Program Files\Microsoft Games\lsass.exe | webnetdhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | lsass.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (DER certificate blob omitted) | lsass.exe
The thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 and the subject name readable in the blob ("ISRG Root X1", Internet Security Research Group) identify the installed certificate as the Let's Encrypt root CA; the Key created entry shows it was not already present in the image's ROOT store, which is worth keeping in mind when weighing the Install Root Certificate tag below.

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1092 | schtasks.exe
2580 | schtasks.exe
2636 | schtasks.exe
2612 | schtasks.exe
2608 | schtasks.exe
2044 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs
pid | Process
3032 | webnetdhcp.exe
3032 | webnetdhcp.exe
3032 | webnetdhcp.exe
3032 | webnetdhcp.exe
1812 | powershell.exe
1248 | powershell.exe
1048 | powershell.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe
624 | lsass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
624 | lsass.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3032 | webnetdhcp.exe
Token: SeDebugPrivilege | 1812 | powershell.exe
Token: SeDebugPrivilege | 1248 | powershell.exe
Token: SeDebugPrivilege | 1048 | powershell.exe
Token: SeDebugPrivilege | 624 | lsass.exe

Suspicious use of WriteProcessMemory 30 IoCs
description | pid | Process | procid_target
PID 1924 wrote to memory of 2088 | 1924 | 079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe | 30
PID 1924 wrote to memory of 2088 | 1924 | 079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe | 30
PID 1924 wrote to memory of 2088 | 1924 | 079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe | 30
PID 1924 wrote to memory of 2088 | 1924 | 079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe | 30
PID 2088 wrote to memory of 2372 | 2088 | WScript.exe | 31
PID 2088 wrote to memory of 2372 | 2088 | WScript.exe | 31
PID 2088 wrote to memory of 2372 | 2088 | WScript.exe | 31
PID 2088 wrote to memory of 2372 | 2088 | WScript.exe | 31
PID 2372 wrote to memory of 3032 | 2372 | cmd.exe | 33
PID 2372 wrote to memory of 3032 | 2372 | cmd.exe | 33
PID 2372 wrote to memory of 3032 | 2372 | cmd.exe | 33
PID 2372 wrote to memory of 3032 | 2372 | cmd.exe | 33
PID 3032 wrote to memory of 1048 | 3032 | webnetdhcp.exe | 42
PID 3032 wrote to memory of 1048 | 3032 | webnetdhcp.exe | 42
PID 3032 wrote to memory of 1048 | 3032 | webnetdhcp.exe | 42
PID 3032 wrote to memory of 1248 | 3032 | webnetdhcp.exe | 43
PID 3032 wrote to memory of 1248 | 3032 | webnetdhcp.exe | 43
PID 3032 wrote to memory of 1248 | 3032 | webnetdhcp.exe | 43
PID 3032 wrote to memory of 1812 | 3032 | webnetdhcp.exe | 44
PID 3032 wrote to memory of 1812 | 3032 | webnetdhcp.exe | 44
PID 3032 wrote to memory of 1812 | 3032 | webnetdhcp.exe | 44
PID 3032 wrote to memory of 624 | 3032 | webnetdhcp.exe | 48
PID 3032 wrote to memory of 624 | 3032 | webnetdhcp.exe | 48
PID 3032 wrote to memory of 624 | 3032 | webnetdhcp.exe | 48
PID 624 wrote to memory of 1316 | 624 | lsass.exe | 49
PID 624 wrote to memory of 1316 | 624 | lsass.exe | 49
PID 624 wrote to memory of 1316 | 624 | lsass.exe | 49
PID 624 wrote to memory of 872 | 624 | lsass.exe | 50
PID 624 wrote to memory of 872 | 624 | lsass.exe | 50
PID 624 wrote to memory of 872 | 624 | lsass.exe | 50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Indentation shows the process tree; each entry lists the image path, the command line, the signatures hit, and the PID.)

C:\Users\Admin\AppData\Local\Temp\079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1924
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\runtimebrokerHost\P6MatiaJbshfFUR3.vbe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2088
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\runtimebrokerHost\Gjynmp1cQgbqqAJzLCDkc0fMhQUnd.bat" "
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2372
            C:\runtimebrokerHost\webnetdhcp.exe
              Command line: "C:\runtimebrokerHost\webnetdhcp.exe"
              - Drops file in Drivers directory
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 3032
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\runtimebrokerHost\webnetdhcp.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1048
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\lsass.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1248
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\dllhost.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1812
                C:\Program Files\Microsoft Games\lsass.exe
                  Command line: "C:\Program Files\Microsoft Games\lsass.exe"
                  - Executes dropped EXE
                  - Modifies system certificate store
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: GetForegroundWindowSpam
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID: 624
                    C:\Windows\System32\WScript.exe
                      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08f82371-0208-4da7-9183-189d5628c9d7.vbs"
                      PID: 1316
                    C:\Windows\System32\WScript.exe
                      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0f3acf3-c85d-4328-97a2-b620c4d3d340.vbs"
                      PID: 872

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2580

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2636

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2612

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2608

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2044

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1092

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1240
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Modify Registry (1)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Downloads
Filesize: 717B
MD5: 2e674e64f7e52d763e7c5a8843cce175
SHA1: 3060f2cd02fb93baefe76ee0212eeecae1697ba4
SHA256: 73217e64e5a5fd0e9939d53f4dc1e829c86716e8d4538c22a88936714cecfb1d
SHA512: ded64d0005e0cc35d70613727a59d03e7e20959630da503bc5938857689a53886b03ad7600a2eec36adc48e717500301b37a06cd6e38dfc9d6ab73dcdf7083c4

Filesize: 494B
MD5: eeaa68eadeb4e83d656b69bba9ef68ec
SHA1: 75bb49b159c20be65a0186ab0bf1331baa5d0cb9
SHA256: 25d5334fe356e04f82ccbcfe2504290ea53bd9d9faa222fa07a664eb8080a1e2
SHA512: a2e2e86a3d982eb62a734e5ddb8fe6c26c0b296fa34594d65049bbe6e19f8aebb043f866ff5ccb95309452039ab0d06e47d57fc7be0b41becaf5b38ecbbfd1e2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 4a228c3e0b8a9af315bba660c86161e2
SHA1: 03241de4de1e413a4a1fe61104511f5afc09bcb5
SHA256: 1bda147a0fa8d833c4cf12569f0b801fc5c12a2c48be9ee5da32035d158ae50e
SHA512: c6a79fe8534528f11f9ddd672c214851b2fa6e8c049eaede637c5371e8b19f256c59f4d471a7cea2f90f9103e595c6bbbd7e87f3f8bf3251eed26cb0f71f3d9f

Filesize: 37B
MD5: 2f75cb9c29ad8dc8dab47b39673a8f09
SHA1: 89b9602bcf66bea31f020c426878acc7aa922b44
SHA256: a42bdf46c460b2e7baa4ec022dba0474a9a9a9eef343ae824a533e1ff700417e
SHA512: 54e8c98fafbeeb42af261747afcf763e17113ef5ee4e23501f6088da93fd004c9db28c1d41c7c9a3fe05211abf9cd40ada3db993cbdd545cb88c32c77eb07812

Filesize: 223B
MD5: e63c96d58301c1f1e3dae1378b1b0eca
SHA1: 186598fa4a820157a4c284450f13c567bb3cb90e
SHA256: ee8722b767b0c57b52c64cdb9f7b4eca2b3593fbcde9c6106391a6b065195b2a
SHA512: 390d7a2404c0379ff64c26bc6e046e09d6ab420aade79d7a1e8e2aada032c81621f4aaa5faaa1d3c4049799e3fca91f08198e306d2b2e0a2a0947a50e7d345c8

Filesize: 2.9MB
MD5: eec01d18c981a5973da10c8cbac73764
SHA1: a366e8aff64b3b84c129a54615700b9a6a3238c1
SHA256: 4c8610c40e37fb70da6b33ad42c7f5d8a0cc34a16c34a3837af521efbf79fa2f
SHA512: 6425dd22c982be9bc1b10a5b885ca1e610b6ee30f2c3a5181f5d6bcdb5a84bdf6b4a5a851c9552f9b7b1f29d5141ecd2ffb0d00d41f3b70c64f7f332a877f165