Analysis
- max time kernel: 76s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15/01/2025, 22:44
Behavioral task: behavioral1
- Sample: f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
- Resource: win10v2004-20241007-en
General
- Target: f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
- Size: 783KB
- MD5: d1f8a9706cdd91485e3571bf4d3c2098
- SHA1: db09131e7267caa8157d4c74aceeb9644d5cdf5f
- SHA256: f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91
- SHA512: d086b4bcb399ee372a6487eeb5c907480afc0b5919ec855c8923c9f7e962c510b980fe89ee409a8aa956e6920065f2cf3eaafc4c136b37bb2ba18a595a35fb4f
- SSDEEP: 12288:GqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqKa:G+OQbpbgsFdAyQvzSqaq8qV
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 7 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2844 | 2852 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2572 | 2852 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2664 | 2852 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2592 | 2852 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2612 | 2852 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 628 | 2852 | schtasks.exe | 31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2896 | 2852 | schtasks.exe | 31
-
UAC bypass 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
-
resource | yara_rule
behavioral1/memory/2348-1-0x0000000000E60000-0x0000000000F2A000-memory.dmp | dcrat
behavioral1/files/0x000500000001927a-32.dat | dcrat
behavioral1/memory/1640-94-0x0000000000E40000-0x0000000000F0A000-memory.dmp | dcrat
-
Executes dropped EXE 1 IoCs
pid | Process
1640 | lsass.exe
-
Adds Run key to start application 2 TTPs 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Kno5B3C\\f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe\"" | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\msisip\\sppsvc.exe\"" | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\PerfLogs\\Admin\\WmiPrvSE.exe\"" | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Documents and Settings\\lsm.exe\"" | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\209d6542-69f6-11ef-b491-62cb582c238c\\lsass.exe\"" | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\WmpDui\\services.exe\"" | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\addins\\taskhost.exe\"" | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
-
Checks whether UAC is enabled 4 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
-
Drops file in System32 directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\msisip\RCXDD57.tmp | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
File opened for modification | C:\Windows\System32\msisip\sppsvc.exe | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
File opened for modification | C:\Windows\System32\WmpDui\RCXE641.tmp | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
File opened for modification | C:\Windows\System32\WmpDui\services.exe | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
File created | C:\Windows\System32\msisip\sppsvc.exe | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
File created | C:\Windows\System32\msisip\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
File created | C:\Windows\System32\WmpDui\services.exe | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
File created | C:\Windows\System32\WmpDui\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\addins\taskhost.exe | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
File opened for modification | C:\Windows\addins\taskhost.exe | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
File created | C:\Windows\addins\b75386f1303e64d8139363b71e44ac16341adf4e | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
File opened for modification | C:\Windows\addins\RCXD950.tmp | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
628 | schtasks.exe
2896 | schtasks.exe
2844 | schtasks.exe
2572 | schtasks.exe
2664 | schtasks.exe
2592 | schtasks.exe
2612 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2348 | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe (repeated)
1640 | lsass.exe (repeated)
(64 entries in total, all for the two processes above)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2348 | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
Token: SeDebugPrivilege | 1640 | lsass.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 2348 wrote to memory of 1640 | 2348 | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe | 39
PID 2348 wrote to memory of 1640 | 2348 | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe | 39
PID 2348 wrote to memory of 1640 | 2348 | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe | 39
-
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lsass.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe"
  PID: 2348
  Signatures:
  - UAC bypass
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe (depth 2)
    Command line: "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe"
    PID: 1640
    Signatures:
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\addins\taskhost.exe'" /rl HIGHEST /f
  PID: 2844
  Signatures:
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Kno5B3C\f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91.exe'" /rl HIGHEST /f
  PID: 2572
  Signatures:
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\msisip\sppsvc.exe'" /rl HIGHEST /f
  PID: 2664
  Signatures:
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PerfLogs\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
  PID: 2592
  Signatures:
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Documents and Settings\lsm.exe'" /rl HIGHEST /f
  PID: 2612
  Signatures:
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
  PID: 628
  Signatures:
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\WmpDui\services.exe'" /rl HIGHEST /f
  PID: 2896
  Signatures:
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Downloads
- Filesize: 783KB
- MD5: d1f8a9706cdd91485e3571bf4d3c2098
- SHA1: db09131e7267caa8157d4c74aceeb9644d5cdf5f
- SHA256: f8cd2c9aa166be23955974effbf60aa6d3c7d4d7b65317f3a61229642a8a0d91
- SHA512: d086b4bcb399ee372a6487eeb5c907480afc0b5919ec855c8923c9f7e962c510b980fe89ee409a8aa956e6920065f2cf3eaafc4c136b37bb2ba18a595a35fb4f