Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

f8cd2c9aa1...91.exe

windows7-x64

10

f8cd2c9aa1...91.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    76s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15/01/2025, 22:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe

  • Size

    783KB

  • MD5

    d1f8a9706cdd91485e3571bf4d3c2098

  • SHA1

    db09131e7267caa8157d4c74aceeb9644d5cdf5f

  • SHA256

    f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91

  • SHA512

    d086b4bcb399ee372a6487eeb5c907480afc0b5919ec855c8923c9f7e962c510b980fe89ee409a8aa956e6920065f2cf3eaafc4c136b37bb2ba18a595a35fb4f

  • SSDEEP

    12288:GqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqKa:G+OQbpbgsFdAyQvzSqaq8qV

Score
10/10
dcratevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 7 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    evasiontrojan
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
    "C:\Users\Admin\AppData\Local\Temp\f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe"
    1⤵
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2348
    • C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe
      "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:1640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\addins\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Kno5B3C\f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\msisip\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\WmpDui\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\lsm.exe
    Filesize

    783KB

    MD5

    d1f8a9706cdd91485e3571bf4d3c2098

    SHA1

    db09131e7267caa8157d4c74aceeb9644d5cdf5f

    SHA256

    f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91

    SHA512

    d086b4bcb399ee372a6487eeb5c907480afc0b5919ec855c8923c9f7e962c510b980fe89ee409a8aa956e6920065f2cf3eaafc4c136b37bb2ba18a595a35fb4f

    Download Submit

  • memory/1640-94-0x0000000000E40000-0x0000000000F0A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/2348-12-0x0000000000640000-0x0000000000648000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-25-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2348-4-0x0000000000460000-0x0000000000468000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-5-0x0000000000470000-0x0000000000480000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2348-6-0x0000000000480000-0x0000000000488000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-7-0x0000000000620000-0x000000000062C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2348-8-0x0000000000610000-0x000000000061A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2348-9-0x0000000000660000-0x000000000066A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2348-10-0x0000000000690000-0x0000000000698000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-11-0x00000000006A0000-0x00000000006A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-0-0x000007FEF5BE3000-0x000007FEF5BE4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2348-13-0x0000000000630000-0x0000000000638000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-3-0x00000000003D0000-0x00000000003D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-16-0x00000000006C0000-0x00000000006C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-14-0x0000000000670000-0x0000000000678000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-15-0x00000000006B0000-0x00000000006B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-19-0x0000000000B30000-0x0000000000B38000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-18-0x0000000000B10000-0x0000000000B18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-20-0x0000000000B40000-0x0000000000B48000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-21-0x0000000000650000-0x000000000065C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2348-22-0x0000000000680000-0x0000000000688000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-17-0x00000000006D0000-0x00000000006D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2348-2-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2348-1-0x0000000000E60000-0x0000000000F2A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/2348-95-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

    Filesize

    9.9MB

    Download