Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
128s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
17/01/2025, 07:21
General
-
Target
EC5FDACECCEEE343335D6A686CE75864.exe
-
Size
2.1MB
-
MD5
ec5fdacecceee343335d6a686ce75864
-
SHA1
965f210fa2eccd71a866908320cb92eb926b338d
-
SHA256
d546328a43690c42bc768a5a07588bb43eb0a0962f5994b50fb5108156bc89ad
-
SHA512
533713c84dfcd9d23ffb338d9dd5c237ef6151315037ed8477f91bd89bad02639ee9e936cfc2ea5098f2bbff9e565115b14f71e287297d11328cf9c030512a4c
-
SSDEEP
49152:IBJi/YtO8s26Kzc1OpFAuD86cmG96kZTRc:ycoxd6Yc1+rXG3Rc
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\EC5FDACECCEEE343335D6A686CE75864.exe"C:\Users\Admin\AppData\Local\Temp\EC5FDACECCEEE343335D6A686CE75864.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WebWinBrokerDll\d7VV42fpHwMzBQMSzwM0QGomZi6nsu6X6fwca17SIFxI7SHNedkYCWqtFx6.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WebWinBrokerDll\OH5MsEg2KeRkhqJt.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\WebWinBrokerDll\BridgeServerruntime.exe"C:\WebWinBrokerDll/BridgeServerruntime.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2sdsspeu\2sdsspeu.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C28.tmp" "c:\Windows\System32\CSCEA255792B6AD4A048CBD50A01348FFF7.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RJjtEq8owq.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgeServerruntimeB" /sc MINUTE /mo 7 /tr "'C:\WebWinBrokerDll\BridgeServerruntime.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgeServerruntime" /sc ONLOGON /tr "'C:\WebWinBrokerDll\BridgeServerruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgeServerruntimeB" /sc MINUTE /mo 14 /tr "'C:\WebWinBrokerDll\BridgeServerruntime.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD578b9523a1938a8848b66131be9225735
SHA125e6528bc97dcb2c60450d36ba5852c9428b0312
SHA2563980ee6b2d27bfdd782b80017193e5daed77a7174f2cfe241ffed064b2e8d277
SHA51287c415c0bfc5c49ce487d17efe8a5856dc637344629c9adee7f106fe03940ee99a52bc8b3db5b7b3f1357e404f72ddced6ff1c7f81f19e5021bfb9a403a75d20
-
Filesize
198B
MD530e28bbc3f4a60cd74474c677c2aff51
SHA14694f51283ddb53cb7634b2cab89d1e39ad075d2
SHA256f684ac720afb1d611ae3fc1f7e0b29fb58f9101b3c36bfc20a1d9647c6f3c509
SHA51275398a9b8f4833dfa879d95187b7928f1419bfd8a2a852f708cb4c17191b80e27d177b87f699794c802cd4d420a34658a3fa582a2fce22306902b87cdec0e2ce
-
Filesize
107B
MD541c6e0e5b5a7be33fd9e1f2c02adcc1e
SHA11fb52df44fb4a90bcc7311238dedfc1b9ccc6b4f
SHA256f873310a27b36240c42e0d93c877096e7163d2de480caf83fdce2ef1168376e9
SHA512a1ca006a8d9300f3743350243bf90629522bb2f71c80a8f3a6cc41759a5746a9bbe932b69e4ca46de7de3c555d66fe2f86c13a717806cc9acdbc80f02525c0be
-
Filesize
210B
MD57f45c1ae3ffa088fd090281714ccd636
SHA1e256ac2063feb5bbda9261ebd6941fe391fd5e62
SHA256096a645b2d6d4d076b4ee48d1e88372c59f895ce7db2a31d8f8aa0132d7ea5bd
SHA512cadcc93806689bf5b7c3679d160bc9000d6597fea1143f60fa98cc3bcc3107d0efeb2abf661d37ac80189d01fba1e43c533a0f0f31b006eda2175a2f558526b5
-
Filesize
410B
MD55fc904b0971de57e5b22f4e42d869646
SHA1042a445b762920f386c1ac10309c3e6bc99aa16d
SHA256b1d02ca1e195ba84f468a4f2e6e5e00e43624f0f155ad901e448ac48f1e4fc08
SHA512591ba82104e690dc9d26b0656aec76ae1b50e8bff700ce0ae8164d4382c3c8929f727668b327dab07a8ff2f3e3d3d252546f37e2d2c29f2705930d3fb7cb00f8
-
Filesize
235B
MD5843d6206df4788aa0b6eb3d736f861fe
SHA1c113739dd09cead3bb9ae9aacb53c0f1a70b385d
SHA256a5c8ba9ac5a280fc63699be24a840bf50233bd02a8a20d9cf67806bfbcbfe472
SHA5123df86e8278f1fac6d776612284a40502cbcdde161423e69fffebd71cad010d3854fa7771f4337e2a9029788243a8396b0e4c64e8f5ec324353338a1b9142fd92
-
Filesize
1KB
MD5b74f131aab310dc6e37b43e729c24199
SHA1bade4cf35d7e80e79880396c1fdd518d9ab78bdf
SHA2565fdff2a34cc18e36619ff327b292a8255286dc102d85074b7fc625ccbdbe1858
SHA512733cb12c94d0a8bedc9a38c073dff2fc46553854d7e835767aaa749b4754beef77fa3bc8232eab21c92bc808c08b150cafe5c035bb33d82292fbf76fec55d885
-
Filesize
1.8MB
MD556554dd4e4fb40b0b5e23cbac2632fda
SHA1639002e98be388ecb14d2b973388531a124f2311
SHA256e93b10e93c375f1e7a2ad0df4c213a1630d64cac96e6467dd0926b2d44dac295
SHA5128bc6fb271d6459dcf0c27794dc9f90b83d606c100bc762ada33df238011d0518c85da3c64b37f451706a67030cc99f6a1194d65e2bc5a30ed1e5e029a3bb7288
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
96KB
-
Filesize
112KB
-
Filesize
56KB