Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

95c8a2a9b9...27.exe

windows7-x64

10

95c8a2a9b9...27.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/01/2025, 07:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe

  • Size

    2.2MB

  • MD5

    ba5102fee3b188bb6ac65068ec18d95d

  • SHA1

    59a111a9ab515d690995496967de195eb23b097c

  • SHA256

    95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27

  • SHA512

    2dfe580f3e278431fef83d2c33c19e8af33ba958a7d6abc4cce571b202a64a06d7c54fda635b9b649d6bb6090ef0370063cf35cd5e6688dc435db6e6fe07cc37

  • SSDEEP

    49152:ssSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvifC:sLlK6d3/Nh/bV/Oq3Dxp2RUGC

Score
10/10
dcratdefense_evasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 12 IoCs
    defense_evasiontrojan
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
    defense_evasiontrojan
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • System policy modification 1 TTPs 12 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe
    "C:\Users\Admin\AppData\Local\Temp\95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2524
    • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe
      "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1760
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96d7e339-db79-4242-8a9c-d6ff99ae768f.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:852
        • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe
          "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1636
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0cb5a5e-669b-4fb3-bb75-964c0a5d27e1.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2148
            • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe
              "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2764
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6af6a12b-8dc4-4aa0-bc16-1ca2af8cc323.vbs"
                7⤵
                  PID:396
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c972005-0c64-443a-948b-d0f144bf9669.vbs"
                  7⤵
                    PID:1912
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b98979d5-5fcc-4239-8e7d-b7aef2b141f2.vbs"
                5⤵
                  PID:1232
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b096876e-c2e5-4959-acc0-315111aa6353.vbs"
              3⤵
                PID:1600
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Links\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2712
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Links\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3008
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2956
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2760
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2796
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2628
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2252
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2456
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1788
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1308
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:748
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1480

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Abuse Elevation Control Mechanism

          1
          T1548

          Bypass User Account Control

          1
          T1548.002

          Impair Defenses

          1
          T1562

          Disable or Modify Tools

          1
          T1562.001

          Modify Registry

          4
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe
            Filesize

            2.2MB

            MD5

            ba5102fee3b188bb6ac65068ec18d95d

            SHA1

            59a111a9ab515d690995496967de195eb23b097c

            SHA256

            95c8a2a9b99890e2398ab49937de11179c816b92ca6ab2ba269f1f8598675e27

            SHA512

            2dfe580f3e278431fef83d2c33c19e8af33ba958a7d6abc4cce571b202a64a06d7c54fda635b9b649d6bb6090ef0370063cf35cd5e6688dc435db6e6fe07cc37

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\6af6a12b-8dc4-4aa0-bc16-1ca2af8cc323.vbs
            Filesize

            755B

            MD5

            4223e0ac08b68078f58587096de24b8d

            SHA1

            23fca6f341e893ff1384a7dbd4943bf38c61921b

            SHA256

            9d80a08bdec2874dc3dad4fca43e3b418f7f1c3edbd23feb49fcd7d3321fe303

            SHA512

            2874c0d5632da6c6b438bb65842c77bc4c0158e29cb571d50792246bb0d488463161c9c9b3903ab922b28fd509cdc7c0c3b3fa68e545e46f84d269ee954285fa

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\96d7e339-db79-4242-8a9c-d6ff99ae768f.vbs
            Filesize

            755B

            MD5

            29c52809eb6d5810de1f4694cd3f746f

            SHA1

            04e8bde7910610c245e4d3381148e38f52b64dde

            SHA256

            a7c44910c872d8fc719a7ea53978cf9f7e8492989142f984016c457b7609d7fb

            SHA512

            dc7790b2b0fbf1fe533a9a18c4414d927c4ea24800d81162cc0d4ba96de9d16a3a03ebb344ea102d2a7e5e1e04b9d31aa56526b489672eee9107e1355450f67a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RCXA526.tmp
            Filesize

            2.2MB

            MD5

            889f050ef7bc85238ef3ba17c1ca8530

            SHA1

            5168769f30a3efbf81ec2174c84d4290882b4c08

            SHA256

            774341277a7503097d574a8d34ec19abae11986e3d14925de81bdd680eac050d

            SHA512

            4a7c67efba35f6e12d2953466e8e7b3a05254ae1fc0cfd43cb16d9cb50bc4e69bdfb44d25d8555b36d7a6096a8a3c8c160de1cd03ee022c5a57681c59c7bf0ef

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\b096876e-c2e5-4959-acc0-315111aa6353.vbs
            Filesize

            531B

            MD5

            bc0cbbb9b724f7f3a01c44d0ad079204

            SHA1

            3ab89427193fb2c1d975e0404fb999c856290fe7

            SHA256

            39e978a5320c638e5877b02385699f1631b8a51f3774ad0d7a1bc18149c2c5d4

            SHA512

            8abc5654caaf7d0677fd84a0881c53776b5bbc8671dc8f760182f3b937686a4a46640b361d22b74a3f0705b6fdaaaaee2349d5bcc768d20e274fb9caffeb17a7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\d0cb5a5e-669b-4fb3-bb75-964c0a5d27e1.vbs
            Filesize

            755B

            MD5

            03b2b1a59ee621058e52df236e76daeb

            SHA1

            950046edd82f1cb6889d5630d393dc9a405596f4

            SHA256

            c0200d7c03a97955b3c83157ccf989707155774ce88a116bc1a392bd67372de9

            SHA512

            1721857e57e55f83b5f4cd9a728940f58f1fc157e2dc4e50905e3553a41a304c3c368587592bceea5ea78181ac791b98ea26fc9eb479451cfd8934aa82820600

            Download Submit

          • C:\Users\Admin\Links\services.exe
            Filesize

            2.2MB

            MD5

            77f7c6f803bcdc2331b9675e06b988be

            SHA1

            427bc645050f531b26b742d1385fe1c77b8d94ef

            SHA256

            140be28e3178be7bd1bf7ed36f7aab70c27628cce8a7b47817ad289447b93c08

            SHA512

            b50c5c27847c9592597b2589df5af37659c6e7f6ec414e73c48b730c4d9b7b3721d0ff7e0117e30f33bcf0fad6d0960b7ebdc7c139dbb254d925529df5bd5e88

            Download Submit

          • memory/1636-110-0x00000000013C0000-0x00000000015EE000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/1760-99-0x0000000000D00000-0x0000000000D12000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1760-97-0x0000000000D10000-0x0000000000F3E000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/2524-10-0x0000000000B90000-0x0000000000B98000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2524-26-0x000000001AA30000-0x000000001AA3C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2524-12-0x00000000024B0000-0x00000000024BA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2524-13-0x00000000024C0000-0x00000000024CC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2524-14-0x00000000024E0000-0x00000000024E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2524-15-0x00000000024F0000-0x00000000024FC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2524-16-0x0000000002500000-0x0000000002508000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2524-18-0x0000000002510000-0x0000000002522000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2524-19-0x0000000002540000-0x000000000254C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2524-20-0x0000000002550000-0x000000000255C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2524-21-0x0000000002560000-0x000000000256C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2524-22-0x000000001A9F0000-0x000000001A9FA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2524-23-0x000000001AA00000-0x000000001AA0E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2524-24-0x000000001AA10000-0x000000001AA18000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2524-25-0x000000001AA20000-0x000000001AA2E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2524-11-0x00000000024D0000-0x00000000024E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2524-27-0x000000001AA40000-0x000000001AA48000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2524-28-0x000000001AA50000-0x000000001AA5C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2524-29-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2524-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2524-9-0x0000000000A00000-0x0000000000A0C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2524-8-0x00000000009E0000-0x00000000009F6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2524-7-0x00000000009D0000-0x00000000009E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2524-98-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2524-6-0x0000000000500000-0x0000000000508000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2524-5-0x00000000009B0000-0x00000000009CC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2524-4-0x00000000004F0000-0x00000000004FE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2524-3-0x0000000000360000-0x000000000036E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2524-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2524-1-0x0000000000BA0000-0x0000000000DCE000-memory.dmp

            Filesize

            2.2MB

            Download