Analysis
max time kernel: 122s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01/02/2025, 13:16
Behavioral task behavioral1
Sample: OsintAkulaDoxRelease2.0.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: OsintAkulaDoxRelease2.0.exe
Resource: win10v2004-20250129-en
General
Target: OsintAkulaDoxRelease2.0.exe
Size: 1.6MB
MD5: 17e5d1ccf6f2250f75bb5fa68f971767
SHA1: 7d935074dbb166b4e481261c0aa855dd1e775d17
SHA256: 9410a8eee0f8556bfa0f4231577706b437a14a79af1f2bfff6dc9288e54af828
SHA512: a7fd59c415e51fd57545a88c993d7ce8abbc4809e92e7dfc533778002f9492612880d4fab30e5d53358aedb9c3e1ee780bb3fe99313083d9232a3cbe6c5e47cc
SSDEEP: 24576:U2G/nvxW3Ww0t2IwCzsb0EIYKBInv4BFooOQSK7WmmpC84H366W1e:UbA30twh0rTbF3/7mLz6P
Malware Config
Signatures
DcRat
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.
Dcrat family
resource                                                                     yara_rule
behavioral1/files/0x00070000000192a9-11.dat                                  dcrat
behavioral1/memory/2192-13-0x0000000000B30000-0x0000000000C7C000-memory.dmp  dcrat
The matched memory region belongs to dhcpcommon.exe (PID 2192) and spans 0x14C000 bytes (about 1.3MB), the same size class as the 1.3MB file listed under Downloads.
Executes dropped EXE  1 IoCs
pid   Process
2192  dhcpcommon.exe

Loads dropped DLL  2 IoCs
pid   Process
352   cmd.exe
352   cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery  1 TTPs  3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  OsintAkulaDoxRelease2.0.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Suspicious use of AdjustPrivilegeToken  1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2192  dhcpcommon.exe

Suspicious use of WriteProcessMemory  12 IoCs (each write below was recorded 4 times)
description                        pid   Process                      procid_target
PID 2396 wrote to memory of 2392   2396  OsintAkulaDoxRelease2.0.exe  30
PID 2392 wrote to memory of 352    2392  WScript.exe                  31
PID 352 wrote to memory of 2192    352   cmd.exe                      33
Processes
1 C:\Users\Admin\AppData\Local\Temp\OsintAkulaDoxRelease2.0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\OsintAkulaDoxRelease2.0.exe"
  PID: 2396
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  2 C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\ComProviderservercrt\G1PwR19qmP3OREjedg.vbe"
    PID: 2392
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\ComProviderservercrt\3KEVYoQlVUbDaT.bat" "
      PID: 352
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      4 C:\ComProviderservercrt\dhcpcommon.exe
        command line: "C:\ComProviderservercrt\dhcpcommon.exe"
        PID: 2192
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

The command line at depth 2 names C:\Windows\System32\WScript.exe but the image that ran is under C:\Windows\SysWOW64: the submitted sample is a 32-bit process, so WoW64 file-system redirection resolved System32 to SysWOW64 for the script host and, in turn, for cmd.exe. The staging directory C:\ComProviderservercrt is created directly under the drive root, and the dropped payload dhcpcommon.exe is the process that requests SeDebugPrivilege.
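A hunt over process-creation telemetry for the chain shown above, written as an added example; it is not part of the Triage report or of any Triage tooling. The events are constructed to mirror the report's process tree (Sysmon event ID 1-style fields) plus one benign decoy; Proc, find_dropper_chains, the directory allow-list and the other names are this example's own choices.

```python
"""Process-chain hunt for the dropper pattern in this report.

Added example; not part of the Triage report or of any vendor tooling. The
events below are constructed to mirror the report's process tree (Sysmon
event ID 1-style fields: pid, ppid, image, command line), plus one benign
decoy. Field names, thresholds and helper names are this example's own.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # resolved image path (what actually ran)
    cmdline: str    # command line as launched


# Constructed telemetry mirroring the report's tree; PIDs and paths copied from it.
EVENTS = [
    Proc(2396, 1000,
         r"C:\Users\Admin\AppData\Local\Temp\OsintAkulaDoxRelease2.0.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\OsintAkulaDoxRelease2.0.exe"'),
    Proc(2392, 2396,
         r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\ComProviderservercrt\G1PwR19qmP3OREjedg.vbe"'),
    Proc(352, 2392,
         r"C:\Windows\SysWOW64\cmd.exe",
         r'cmd /c ""C:\ComProviderservercrt\3KEVYoQlVUbDaT.bat" "'),
    Proc(2192, 352,
         r"C:\ComProviderservercrt\dhcpcommon.exe",
         r'"C:\ComProviderservercrt\dhcpcommon.exe"'),
    # Decoy (constructed): an admin running a script from their profile, no dropped EXE.
    Proc(4100, 1000,
         r"C:\Windows\System32\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\scripts\backup.vbs"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".vbe", ".vbs", ".js", ".jse", ".wsf")
BATCH_EXT = (".bat", ".cmd")
# Top-level directories under which executables normally live (assumption: tune per estate).
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                      "programdata", "users", "perflogs"}


def quoted_args(cmdline: str) -> list[str]:
    """Return the double-quoted tokens of a command line (script and batch paths are quoted)."""
    return re.findall(r'"([^"]+)"', cmdline)


def runs_script(p: Proc) -> bool:
    """wscript/cscript launched with a script file as argument."""
    return (ntpath.basename(p.image).lower() in SCRIPT_HOSTS
            and any(a.lower().endswith(SCRIPT_EXT) for a in quoted_args(p.cmdline)))


def runs_batch(p: Proc) -> bool:
    """cmd.exe launched with a batch file as argument."""
    return (ntpath.basename(p.image).lower() == "cmd.exe"
            and any(a.lower().endswith(BATCH_EXT) for a in quoted_args(p.cmdline)))


def exe_in_custom_root_dir(p: Proc) -> bool:
    """EXE launched from a directory created directly under the drive root
    (C:\\<dir>\\<name>.exe) where <dir> is not one of Windows' usual trees."""
    m = re.match(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$", p.image, re.IGNORECASE)
    return bool(m) and m.group(1).lower() not in EXPECTED_ROOT_DIRS


def wow64_redirected(p: Proc) -> bool:
    """Command line named System32 but the image resolved under SysWOW64:
    the launching process is 32-bit and WoW64 file-system redirection applied."""
    return ("\\syswow64\\" in p.image.lower()
            and "\\system32\\" in p.cmdline.lower())


def find_dropper_chains(events: list[Proc], max_depth: int = 5) -> list[list[int]]:
    """Return ancestor chains (root pid first) for every EXE that runs from a
    custom root-level directory and has both a script host and a batch-running
    cmd.exe among its ancestors within max_depth processes."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for p in events:
        if not exe_in_custom_root_dir(p):
            continue
        chain = [p]
        while chain[-1].ppid in by_pid and len(chain) < max_depth:
            chain.append(by_pid[chain[-1].ppid])
        ancestors = chain[1:]
        if any(runs_script(a) for a in ancestors) and any(runs_batch(a) for a in ancestors):
            hits.append([c.pid for c in reversed(chain)])
    return hits


if __name__ == "__main__":
    for chain in find_dropper_chains(EVENTS):
        print("dropper chain:", " -> ".join(str(pid) for pid in chain))
    for p in EVENTS:
        if wow64_redirected(p):
            print(f"pid {p.pid}: 32-bit launcher, System32 redirected to SysWOW64")
```

The decoy shows why the rule keys on the terminal executable rather than on the script host alone: a script run from a user profile is routine, while an EXE executing out of a freshly created root-level directory with a .vbe and a .bat in its ancestry is the combination this report exhibits.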
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 40B
MD5: 9aaeb85b68b2c641d6ea8bbc3e7efb1f
SHA1: caa2ce69f5eea67e08aa40c844a38c669ef86db5
SHA256: d1de03f54cb15974c2e26d79af82446ca304413ae2634faf981dc1327325713e
SHA512: b486c4ae73c61b6996f1f902ca8533601361f72fbac93a2ef480f4729afc75b8615c562cfc579a6bce40555d356754839be60ec5cfb86036fd7274c8afa3c06c

Filesize: 211B
MD5: e061686d28660bb9114d963a2ff01c1d
SHA1: f4e81a4553722503c473eb7c7f77396aa3323c19
SHA256: c14ec59bae7b314a9cb5c9cc01053f93a89547ae882193a57a36d6c31b887e1d
SHA512: 5fa0180dda99faf18849f9fd248e4de68c3220bd965d176f3c9a081d5c69f9ed100c80dc1cdf3f0a9b7c67c3a832bde565797756cc047d8f10662cb0ef683b9c

Filesize: 1.3MB
MD5: 493cf952e6aa65181c8458d312ee1421
SHA1: 6065a925782b18b0e3e018750c5a760ebfaadf4f
SHA256: c3e0e8356bd4a52e07679935019f4474715f4b7ae291cfbda9d35bf0bc3e2460
SHA512: 3db22d2dd54be931f8e55133a2eec56713d7199d803a290de7741c6b3afda50d98fd0c6c3feda7e835361319398bb2d11108a1cba9f8a2cd7fe2c43c7a36efb8
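A hash-IOC sweep that uses the digests from the General and Downloads sections, written as an added example; it is not part of the Triage report or of Triage's tooling. The SHA256 values are copied from the report; the directory it sweeps is constructed in a temporary folder so the script runs offline, and a digest of that constructed content is added to the IOC set only so a hit can be shown. hash_file, sweep, demo and PLANTED_CONTENT are this example's own names.

```python
"""Hash-IOC sweep for the files listed in this report.

Added example, not part of the Triage report. The SHA256 values are copied
from the report's General and Downloads sections; the swept directory is
constructed in a temporary folder, and the planted file's own digest is
added to the IOC set purely to demonstrate a hit. Function names are this
example's own.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA256 -> label, copied from the report.
REPORT_SHA256 = {
    "9410a8eee0f8556bfa0f4231577706b437a14a79af1f2bfff6dc9288e54af828":
        "OsintAkulaDoxRelease2.0.exe (1.6MB, submitted sample)",
    "d1de03f54cb15974c2e26d79af82446ca304413ae2634faf981dc1327325713e":
        "dropped file, 40B",
    "c14ec59bae7b314a9cb5c9cc01053f93a89547ae882193a57a36d6c31b887e1d":
        "dropped file, 211B",
    "c3e0e8356bd4a52e07679935019f4474715f4b7ae291cfbda9d35bf0bc3e2460":
        "dropped file, 1.3MB",
}
ALGOS = ("md5", "sha1", "sha256", "sha512")   # the digests the report lists

# Constructed stand-in content for the planted file (not the real payload).
PLANTED_CONTENT = b"constructed stand-in, not the real payload\n"


def hash_file(path, chunk_size=1 << 20):
    """One pass over the file computing all four digests the report lists, plus the size."""
    digests = {name: hashlib.new(name) for name in ALGOS}
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            size += len(block)
            for h in digests.values():
                h.update(block)
    out = {name: h.hexdigest() for name, h in digests.items()}
    out["size"] = size
    return out


def sweep(root, iocs):
    """Walk root and return (path, label, sha256) for every file whose SHA256 is in iocs."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        info = hash_file(path)
        if info["sha256"] in iocs:
            hits.append((str(path), iocs[info["sha256"]], info["sha256"]))
    return hits


def demo():
    """Build a constructed directory tree, plant one file whose digest is added to
    the IOC set, and return (sweep hits, digests of the planted file)."""
    with tempfile.TemporaryDirectory() as tmp:
        staged = Path(tmp) / "ComProviderservercrt"       # directory name from the report
        staged.mkdir()
        planted = staged / "dhcpcommon.exe"                # file name from the report
        planted.write_bytes(PLANTED_CONTENT)               # content is constructed
        (Path(tmp) / "readme.txt").write_bytes(b"benign file\n")

        iocs = dict(REPORT_SHA256)
        info = hash_file(planted)
        iocs[info["sha256"]] = "constructed test entry"    # assumption: only for the demo
        return sweep(tmp, iocs), info


if __name__ == "__main__":
    hits, info = demo()
    for path, label, digest in hits:
        print(f"{label}: {path} ({digest[:16]}..., {info['size']} bytes)")
```

Hash IOCs only catch byte-identical copies; a rebuilt or repacked sample changes every digest, so in practice this sweep is paired with the more durable indicators the report gives, such as the root-level staging directory and the script-host-to-batch-to-EXE chain.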