Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

3c7b097b31...0f.exe

windows7-x64

8

3c7b097b31...0f.exe

windows10-2004-x64

8

3c8a6c6cde...86.exe

windows7-x64

10

3c8a6c6cde...86.exe

windows10-2004-x64

10

3ca3e4676b...f1.exe

windows7-x64

10

3ca3e4676b...f1.exe

windows10-2004-x64

10

3cb47c4bbe...c1.exe

windows7-x64

10

3cb47c4bbe...c1.exe

windows10-2004-x64

10

3d18edb3bf...ff.exe

windows7-x64

1

3d18edb3bf...ff.exe

windows10-2004-x64

3d1ee6caf0...b4.exe

windows7-x64

10

3d1ee6caf0...b4.exe

windows10-2004-x64

10

3d2f05086d...0c.exe

windows7-x64

10

3d2f05086d...0c.exe

windows10-2004-x64

10

3d81f411b0...ba.exe

windows7-x64

10

3d81f411b0...ba.exe

windows10-2004-x64

10

3d90976d58...8c.exe

windows7-x64

10

3d90976d58...8c.exe

windows10-2004-x64

10

3d97ea72c5...9e.exe

windows7-x64

10

3d97ea72c5...9e.exe

windows10-2004-x64

10

3dd452b939...18.exe

windows7-x64

3

3dd452b939...18.exe

windows10-2004-x64

3

3dfc71cfc4...bd.exe

windows7-x64

10

3dfc71cfc4...bd.exe

windows10-2004-x64

10

3e435c9ff2...57.exe

windows7-x64

10

3e435c9ff2...57.exe

windows10-2004-x64

10

3e624f48a8...2b.exe

windows7-x64

1

3e624f48a8...2b.exe

windows10-2004-x64

4

3e8acfab95...cc.exe

windows7-x64

10

3e8acfab95...cc.exe

windows10-2004-x64

10

3e9a136b97...9d.exe

windows7-x64

10

3e9a136b97...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d81f411b0ec1ac7d861358e145db4ba.exe

  • Size

    999KB

  • MD5

    3d81f411b0ec1ac7d861358e145db4ba

  • SHA1

    4b945e693bc455840912fc5b5f155c36501d235e

  • SHA256

    72b49e4d9aa54af40111e35d0d4bcb4a7a313c4f2f5c5f33c3b7a093b7f4fc0e

  • SHA512

    216c654e895ec5065b7d724f5421184e2a3445f4b801f0ebcc3ce34676e2d89240f22af079fd7a7d074af3567ee483ebe2f6b40bfea224956ff00f5d326894fe

  • SSDEEP

    12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Process spawned unexpected child process 16 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d81f411b0ec1ac7d861358e145db4ba.exe
    "C:\Users\Admin\AppData\Local\Temp\3d81f411b0ec1ac7d861358e145db4ba.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Users\Default User\dwm.exe
      "C:\Users\Default User\dwm.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONSTART /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\WMIADAP.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAP" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe
    Filesize

    999KB

    MD5

    8f05c0b74d4df510fcd0b906d4ca6cc2

    SHA1

    f007161911b3d34324b84e84ac57cbfc95fb2b95

    SHA256

    b1b77aeb607edae38e49c887ff8f877c09fd5696082d28710649b034ac8fc8ec

    SHA512

    f120c7c55194b07b3683cbe15b5fe816bdf054a869c7d8bddaf6da5717d8aede91c511b6bde6dd99fa0480276395e04694734704cdd6f9a4435719e2f622ec83

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RCXED6B.tmp
    Filesize

    999KB

    MD5

    da56cff4516b76687da17d9a3b1b5d08

    SHA1

    751e83c090fc145d34effdaaa980bf30cde4f6f4

    SHA256

    e63ca9ad331af5913746ac924aeeb9de1c2f7fb6d4c44abb7f6004104da3d4c3

    SHA512

    66836ec711669e665021f6e774c660a8d8a30df8e0002f9eb4c9465571ebe1d15f7e514eb8bb2688aa25860ae230a88aa9bb2cd0cbffebdc3be48c98b77f3690

    Download Submit

  • C:\Users\Default\WMIADAP.exe
    Filesize

    999KB

    MD5

    8bb16937b89fdcf47ea46aa0331d7ea0

    SHA1

    b847173ac819c84029031aea144c0cbe82a3302c

    SHA256

    4584905755fcf7a04d9345476e22985a21a6e2cce26eec791ca08dbf7d312eaa

    SHA512

    df599847656b9a53e5542f6f8359bad7a8843fe6e1e18f6cb42be54d2a5a2d5fa9bd2601a07c95f73d47f6ef6f01565fcc17a03bd766d4a45f2e9b97a2b0d994

    Download Submit

  • C:\Users\Default\dwm.exe
    Filesize

    999KB

    MD5

    49e795eb383bc04e7886add25b9866a9

    SHA1

    aa239b5c2119ad8db13efca9d13f67308db05c37

    SHA256

    c12779e43073f292b9607563b0fc007087c6c4c93d8f90fd52a8f66930b846b3

    SHA512

    01752ec991448f30d66f34591d5ca6e556f6df01bda8567532fb7f79ea184bb3d92273b69fbef1a15f451691f3603530c0a95256f3e97b00e6a9fae5689a4143

    Download Submit

  • memory/1928-76-0x0000000000190000-0x0000000000290000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2336-4-0x00000000006C0000-0x00000000006D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2336-5-0x0000000000C10000-0x0000000000C20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2336-7-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2336-10-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2336-9-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2336-8-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2336-6-0x0000000000C20000-0x0000000000C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2336-0-0x000007FEF5DF3000-0x000007FEF5DF4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2336-3-0x00000000004B0000-0x00000000004CC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2336-2-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2336-1-0x0000000000D80000-0x0000000000E80000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2336-77-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

    Filesize

    9.9MB

    Download