Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25/01/2025, 16:51
General
-
Target
51ee1c43b8c4c83a1ee89f486a002e8a.exe
-
Size
1.9MB
-
MD5
51ee1c43b8c4c83a1ee89f486a002e8a
-
SHA1
ac3559b85e9f8328fc661c4f7dc17d464aa461fa
-
SHA256
2c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253
-
SHA512
3191012d5078beb815ff733c3981545858a30e5051ffbbb7b4bb1dff5bab82004809a0d407af0d8312b241c05738591d7a83ce2e01e0c9b2e8f9d325ca9649d6
-
SSDEEP
49152:SIsY+oZb+wZGTt6IDmYYg+tfxXi1Mq39V:SIg6IDatJXbM9V
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe"C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lsisvfhs\lsisvfhs.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0A3.tmp" "c:\Windows\System32\CSC3B59D0D6A8274109B8D3621FC0184C5C.TMP"3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\fr-FR\csrss.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\StartMenuExperienceHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\SearchApp.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O5XlsI6eTZ.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\PolicyDefinitions\fr-FR\csrss.exe"C:\Windows\PolicyDefinitions\fr-FR\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Documents\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\fr-FR\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\fr-FR\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\fr-FR\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\AppReadiness\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\AppReadiness\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\AppReadiness\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "51ee1c43b8c4c83a1ee89f486a002e8a5" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "51ee1c43b8c4c83a1ee89f486a002e8a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "51ee1c43b8c4c83a1ee89f486a002e8a5" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\51ee1c43b8c4c83a1ee89f486a002e8a.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5a43e653ffb5ab07940f4bdd9cc8fade4
SHA1af43d04e3427f111b22dc891c5c7ee8a10ac4123
SHA256c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
SHA51262a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
172B
MD5407ae48c57cf1c27e4d3f73f521fb1f4
SHA1bf207fae4c2d79954e989d7ab55dc857d2d8cc0c
SHA256cd261ae4f78d69547b158cd6cdb9624bff05515984cd5237a92a46dc5552453c
SHA512a3ca9855ba6ad1e27b4b50ca5a4c4d10ad4c299529c4d807e3725176355ed8cf5e45ab2aa352b7d4e3b66469d202139e317fad0a0c200206b5932c6f35e7823c
-
Filesize
1KB
MD5e4c534689fc5c2e5da402fd74572f543
SHA1e321c4fb1f5f20d10870d6b0f45a84f44328b331
SHA256326ef6fc4138b6a3f0beb7751a751703bae0429f756e8ad574cc3debb4b9b618
SHA5127fbfc0204d6c67e6e7e2ff75b623bbdb10f8b4d3cd68403c8ef81188e20dc1dc19893cee7a425840d2ff0ce803f1ea174b255c3525f57004a2d52ce29853bc20
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.9MB
MD551ee1c43b8c4c83a1ee89f486a002e8a
SHA1ac3559b85e9f8328fc661c4f7dc17d464aa461fa
SHA2562c359780ff1c635fd866c9f81e53ea9a95c0af2c9b303aec259675882dd13253
SHA5123191012d5078beb815ff733c3981545858a30e5051ffbbb7b4bb1dff5bab82004809a0d407af0d8312b241c05738591d7a83ce2e01e0c9b2e8f9d325ca9649d6
-
Filesize
370B
MD581b29194984605fa3f9e0950a9782e9f
SHA1454d9da1a7adbbad92b875c2b674534b2d8ba5ae
SHA256226e86428f0663cf0fc91a5548807240da7ecbf07e8a17eb90f7b8906aa73403
SHA5124b0175af9a0a9f88450120f914a42ec47a940da636a6daaf8638a3088b81c9f827b7a05c87359548fa2e5f011e4ca1fb871b25193a9dc100d958c886fdea29ff
-
Filesize
235B
MD5aedc91acdae3c24e15d404e04fc6c7a9
SHA15df9488ba2b273f48681b65e6b4d74230e5a7dcf
SHA2569ed51b26412c4f07fc3ad14ced4c70a8b8369fa19a8f1b7d183009e31941c5a2
SHA51270cb2b15b9c91de903feff501661aa46dccbef4dffcab8d91ffce2cebf9c41602bf0a2f4a8dc31bf343dc876a1f23b384aa101b0a68efb7c71f9cb6da30ff293
-
Filesize
1KB
MD582a7b8ef3bc275711e3b27c6df93c7ff
SHA1bdac909f26475c94c74145576bcf22adb0f8203c
SHA256582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124
SHA512f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248
-
Filesize
820KB
-
Filesize
10.8MB
-
Filesize
1.0MB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
320KB
-
Filesize
10.8MB
-
Filesize
820KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
1.9MB
-
Filesize
112KB
-
Filesize
820KB
-
Filesize
1.0MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB