Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

ec0a87ee5b...9a.exe

windows7-x64

10

ec0a87ee5b...9a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    58s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    24/01/2025, 10:24 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec0a87ee5b90c3e832df1783ad84ce815699b9650af24d879012ed5a5d72459a.exe

  • Size

    783KB

  • MD5

    2b92024fad384b0fcc4e1934dd6a1fcf

  • SHA1

    9adc4985037273d3734f78c53959cedf5d798de1

  • SHA256

    ec0a87ee5b90c3e832df1783ad84ce815699b9650af24d879012ed5a5d72459a

  • SHA512

    a6b155f4198cccbff59c73f013359550007f38ff8b71bd58a7480870212559fe8af06f63418083d01deba390dacc5b5126fe1549642ceda4ea46d7d754f41503

  • SSDEEP

    12288:mqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqK:m+OQbpbgsFdAyQvzSqaq8q

Score
10/10
dcratdefense_evasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    defense_evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Drops file in System32 directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 6 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec0a87ee5b90c3e832df1783ad84ce815699b9650af24d879012ed5a5d72459a.exe
    "C:\Users\Admin\AppData\Local\Temp\ec0a87ee5b90c3e832df1783ad84ce815699b9650af24d879012ed5a5d72459a.exe"
    1⤵
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2104
    • C:\Users\All Users\Documents\WmiPrvSE.exe
      "C:\Users\All Users\Documents\WmiPrvSE.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Documents and Settings\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ProgramData\Desktop\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ec0a87ee5b90c3e832df1783ad84ce815699b9650af24d879012ed5a5d72459a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\jusched\ec0a87ee5b90c3e832df1783ad84ce815699b9650af24d879012ed5a5d72459a.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\synceng\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ec0a87ee5b90c3e832df1783ad84ce815699b9650af24d879012ed5a5d72459a" /sc ONLOGON /tr "'C:\PerfLogs\Admin\ec0a87ee5b90c3e832df1783ad84ce815699b9650af24d879012ed5a5d72459a.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons003e\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0007\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1316

Network

    No results found
  • 92.63.192.30:80
    WmiPrvSE.exe
    152 B
     3
  • 92.63.192.30:80
    WmiPrvSE.exe
    152 B
     3
No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\WmiPrvSE.exe
    Filesize

    783KB

    MD5

    c6a5f989b82aaa179ec9ed1b805e5aae

    SHA1

    020af20b5b867d0c7e3a2f9e1b2bf5af4fa5330d

    SHA256

    41b0aa445a90767b1ecbd815db610d0fc4722862c792edd321593694209d0691

    SHA512

    ad42e34f61db78b1f857607e47f71ebca5295b805be783bc1b85c45fd7eaba2e0b9f44c2dcf7caee703c6296f1d15796d1434c4cdd6784f9b4db14a1c019d2ce

    Download Submit

  • C:\Windows\System32\NlsLexicons0007\RCX40E.tmp
    Filesize

    783KB

    MD5

    ac99a77db79806d21390b127791bf2ee

    SHA1

    30404f041f6c97c4fd2e7315395407fb17a40f16

    SHA256

    c5524e7d658dc28956ec6e2c2370314e6b01e5470fc97006bc64d72cd572940c

    SHA512

    5f405a0e9d6df3b6c4263656016583a58dd53e17e3a9d07d1be88814078ce036aeb2a3d5aa610cc4eb82a7101ddc9d3f44d68cbcd3df95a8ec4be3e8e8a188a5

    Download Submit

  • C:\Windows\System32\synceng\csrss.exe
    Filesize

    783KB

    MD5

    2b92024fad384b0fcc4e1934dd6a1fcf

    SHA1

    9adc4985037273d3734f78c53959cedf5d798de1

    SHA256

    ec0a87ee5b90c3e832df1783ad84ce815699b9650af24d879012ed5a5d72459a

    SHA512

    a6b155f4198cccbff59c73f013359550007f38ff8b71bd58a7480870212559fe8af06f63418083d01deba390dacc5b5126fe1549642ceda4ea46d7d754f41503

    Download Submit

  • memory/2104-16-0x000000001A830000-0x000000001A838000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-22-0x0000000001160000-0x0000000001168000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-4-0x0000000000A10000-0x0000000000A18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-6-0x0000000000A30000-0x0000000000A38000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-7-0x0000000000A60000-0x0000000000A6C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2104-8-0x0000000000A80000-0x0000000000A8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2104-9-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2104-10-0x0000000000A50000-0x0000000000A58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-11-0x0000000000A70000-0x0000000000A78000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-12-0x0000000000A40000-0x0000000000A48000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-13-0x0000000000A90000-0x0000000000A98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-14-0x0000000001150000-0x0000000001158000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-17-0x000000001A840000-0x000000001A848000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2104-5-0x0000000000A20000-0x0000000000A30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2104-20-0x000000001A860000-0x000000001A868000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-15-0x0000000001270000-0x0000000001278000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-21-0x000000001B240000-0x000000001B24C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2104-19-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-18-0x000000001A850000-0x000000001A858000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-25-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2104-30-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2104-3-0x0000000000A00000-0x0000000000A08000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2104-89-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2104-90-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2104-2-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2104-1-0x0000000001280000-0x000000000134A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/2104-107-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2144-106-0x0000000000160000-0x000000000022A000-memory.dmp

    Filesize

    808KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.