Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
103c7b097b31...0f.exe
windows7-x64
83c7b097b31...0f.exe
windows10-2004-x64
83c8a6c6cde...86.exe
windows7-x64
103c8a6c6cde...86.exe
windows10-2004-x64
103ca3e4676b...f1.exe
windows7-x64
103ca3e4676b...f1.exe
windows10-2004-x64
103cb47c4bbe...c1.exe
windows7-x64
103cb47c4bbe...c1.exe
windows10-2004-x64
103d18edb3bf...ff.exe
windows7-x64
13d18edb3bf...ff.exe
windows10-2004-x64
3d1ee6caf0...b4.exe
windows7-x64
103d1ee6caf0...b4.exe
windows10-2004-x64
103d2f05086d...0c.exe
windows7-x64
103d2f05086d...0c.exe
windows10-2004-x64
103d81f411b0...ba.exe
windows7-x64
103d81f411b0...ba.exe
windows10-2004-x64
103d90976d58...8c.exe
windows7-x64
103d90976d58...8c.exe
windows10-2004-x64
103d97ea72c5...9e.exe
windows7-x64
103d97ea72c5...9e.exe
windows10-2004-x64
103dd452b939...18.exe
windows7-x64
33dd452b939...18.exe
windows10-2004-x64
33dfc71cfc4...bd.exe
windows7-x64
103dfc71cfc4...bd.exe
windows10-2004-x64
103e435c9ff2...57.exe
windows7-x64
103e435c9ff2...57.exe
windows10-2004-x64
103e624f48a8...2b.exe
windows7-x64
13e624f48a8...2b.exe
windows10-2004-x64
43e8acfab95...cc.exe
windows7-x64
103e8acfab95...cc.exe
windows10-2004-x64
103e9a136b97...9d.exe
windows7-x64
103e9a136b97...9d.exe
windows10-2004-x64
10Analysis
-
max time kernel
104s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system -
submitted
22/03/2025, 06:25
Behavioral task
behavioral1
Sample
3c7b097b31ed5df2ce6313dddd86da0f.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
3c7b097b31ed5df2ce6313dddd86da0f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
3c8a6c6cde2240783bed48a2f3d849a30bfa841d7cb55177721631dcec1eb086.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
3c8a6c6cde2240783bed48a2f3d849a30bfa841d7cb55177721631dcec1eb086.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
3ca3e4676bac76c4f7eaf0ab169b8af1.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
3ca3e4676bac76c4f7eaf0ab169b8af1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
3cb47c4bbe6856c45fd89eb5eb2723c1.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
3cb47c4bbe6856c45fd89eb5eb2723c1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
3d18edb3bf6b0493a6572edd73f937ff.exe
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
3d18edb3bf6b0493a6572edd73f937ff.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
3d1ee6caf0803c689aa17a8bada108bd515a77493a9d76dca7d55762bb6d33b4.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
3d2f05086d9da9564c7c7e945875e80c.exe
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
3d2f05086d9da9564c7c7e945875e80c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
3d81f411b0ec1ac7d861358e145db4ba.exe
Resource
win7-20250207-en
Behavioral task
behavioral16
Sample
3d81f411b0ec1ac7d861358e145db4ba.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe
Resource
win7-20241023-en
Behavioral task
behavioral18
Sample
3d90976d58eb1346f68434f0575cec2ed017a5959384e7137600668ad7777d8c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
3d97ea72c561c7d15574a99be582c59e.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
3d97ea72c561c7d15574a99be582c59e.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
3dd452b9394976fd7b431d3dbae57d18.exe
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
3dd452b9394976fd7b431d3dbae57d18.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
3dfc71cfc45034d671ac0f319bc080bd.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
3dfc71cfc45034d671ac0f319bc080bd.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
3e435c9ff25f6dca4a3e7262825aa557.exe
Resource
win7-20250207-en
Behavioral task
behavioral26
Sample
3e435c9ff25f6dca4a3e7262825aa557.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral27
Sample
3e624f48a849ad8a70e09f6d4e75f02b.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
3e624f48a849ad8a70e09f6d4e75f02b.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
3e8acfab95493518077e0028fd0f2dcc.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
3e8acfab95493518077e0028fd0f2dcc.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
3e9a136b97b7ad7104019ae696b4f59d.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
3e9a136b97b7ad7104019ae696b4f59d.exe
Resource
win10v2004-20250314-en
General
-
Target
3e435c9ff25f6dca4a3e7262825aa557.exe
-
Size
984KB
-
MD5
3e435c9ff25f6dca4a3e7262825aa557
-
SHA1
57cb6e337e1c91c2937544fdfa78d3704d2ff408
-
SHA256
db97ef403b3433d2cae1fc98d893d14e67b83a14e7d8e4e428152fde8d83d934
-
SHA512
00c0863dc6728e01cddb5c605d1210c0d1c2b7bf7b4e2426f61bb2b6eb4addb102c7ef5d46db693557b3e8dcf4d68a33ddcfe499713666afd05d986b5be9ebe8
-
SSDEEP
12288:LzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:LzZvuGD2PvA5YxwmbZB6Uv
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4792 2296 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2724 2296 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4476 2296 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4432 2296 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4580 2296 schtasks.exe 87 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4552 2296 schtasks.exe 87 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation 3e435c9ff25f6dca4a3e7262825aa557.exe -
Executes dropped EXE 1 IoCs
pid Process 1512 services.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\navshutdown\\RuntimeBroker.exe\"" 3e435c9ff25f6dca4a3e7262825aa557.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\services.exe\"" 3e435c9ff25f6dca4a3e7262825aa557.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\winlogon.exe\"" 3e435c9ff25f6dca4a3e7262825aa557.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\hid\\taskhostw.exe\"" 3e435c9ff25f6dca4a3e7262825aa557.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\licensingdiag\\winlogon.exe\"" 3e435c9ff25f6dca4a3e7262825aa557.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Default User\\sihost.exe\"" 3e435c9ff25f6dca4a3e7262825aa557.exe -
Drops file in System32 directory 12 IoCs
description ioc Process File created C:\Windows\System32\navshutdown\9e8d7a4ca61bd9 3e435c9ff25f6dca4a3e7262825aa557.exe File opened for modification C:\Windows\System32\licensingdiag\RCX7F53.tmp 3e435c9ff25f6dca4a3e7262825aa557.exe File opened for modification C:\Windows\System32\navshutdown\RCX837B.tmp 3e435c9ff25f6dca4a3e7262825aa557.exe File opened for modification C:\Windows\System32\hid\RCX89F6.tmp 3e435c9ff25f6dca4a3e7262825aa557.exe File opened for modification C:\Windows\System32\licensingdiag\winlogon.exe 3e435c9ff25f6dca4a3e7262825aa557.exe File created C:\Windows\System32\licensingdiag\cc11b995f2a76d 3e435c9ff25f6dca4a3e7262825aa557.exe File created C:\Windows\System32\navshutdown\RuntimeBroker.exe 3e435c9ff25f6dca4a3e7262825aa557.exe File created C:\Windows\System32\hid\taskhostw.exe 3e435c9ff25f6dca4a3e7262825aa557.exe File created C:\Windows\System32\hid\ea9f0e6c9e2dcd 3e435c9ff25f6dca4a3e7262825aa557.exe File opened for modification C:\Windows\System32\navshutdown\RuntimeBroker.exe 3e435c9ff25f6dca4a3e7262825aa557.exe File opened for modification C:\Windows\System32\hid\taskhostw.exe 3e435c9ff25f6dca4a3e7262825aa557.exe File created C:\Windows\System32\licensingdiag\winlogon.exe 3e435c9ff25f6dca4a3e7262825aa557.exe -
Drops file in Program Files directory 8 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\winlogon.exe 3e435c9ff25f6dca4a3e7262825aa557.exe File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe 3e435c9ff25f6dca4a3e7262825aa557.exe File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\c5b4cb5e9653cc 3e435c9ff25f6dca4a3e7262825aa557.exe File created C:\Program Files (x86)\Windows Defender\es-ES\winlogon.exe 3e435c9ff25f6dca4a3e7262825aa557.exe File created C:\Program Files (x86)\Windows Defender\es-ES\cc11b995f2a76d 3e435c9ff25f6dca4a3e7262825aa557.exe File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX8580.tmp 3e435c9ff25f6dca4a3e7262825aa557.exe File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe 3e435c9ff25f6dca4a3e7262825aa557.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\RCX87F2.tmp 3e435c9ff25f6dca4a3e7262825aa557.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings 3e435c9ff25f6dca4a3e7262825aa557.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4792 schtasks.exe 2724 schtasks.exe 4476 schtasks.exe 4432 schtasks.exe 4580 schtasks.exe 4552 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 4352 3e435c9ff25f6dca4a3e7262825aa557.exe 4352 3e435c9ff25f6dca4a3e7262825aa557.exe 4352 3e435c9ff25f6dca4a3e7262825aa557.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4352 3e435c9ff25f6dca4a3e7262825aa557.exe Token: SeDebugPrivilege 1512 services.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4352 wrote to memory of 4776 4352 3e435c9ff25f6dca4a3e7262825aa557.exe 94 PID 4352 wrote to memory of 4776 4352 3e435c9ff25f6dca4a3e7262825aa557.exe 94 PID 4776 wrote to memory of 3444 4776 cmd.exe 96 PID 4776 wrote to memory of 3444 4776 cmd.exe 96 PID 4776 wrote to memory of 1512 4776 cmd.exe 100 PID 4776 wrote to memory of 1512 4776 cmd.exe 100 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e435c9ff25f6dca4a3e7262825aa557.exe"C:\Users\Admin\AppData\Local\Temp\3e435c9ff25f6dca4a3e7262825aa557.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cVFbq3E1J4.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:3444
-
-
C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe"C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\licensingdiag\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\navshutdown\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\hid\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
984KB
MD53e435c9ff25f6dca4a3e7262825aa557
SHA157cb6e337e1c91c2937544fdfa78d3704d2ff408
SHA256db97ef403b3433d2cae1fc98d893d14e67b83a14e7d8e4e428152fde8d83d934
SHA51200c0863dc6728e01cddb5c605d1210c0d1c2b7bf7b4e2426f61bb2b6eb4addb102c7ef5d46db693557b3e8dcf4d68a33ddcfe499713666afd05d986b5be9ebe8
-
Filesize
984KB
MD56a4ccd5e0eb3afc38242402f16a066c0
SHA10df1305ab91b99b9b3123150e178aa99bf1401c8
SHA2566e7e6651cc7b819c2ecb066f111a181bc4c56e64e51254b8d324c41dfbbf7d88
SHA5125358194ead2c255939a8bddbb4ce64774aaf7e2e6ab04dcd3133532e182054c617a9ecd45faeef64f47dec21d65282118a36d89ceed5ec124846d2284cf5ed51
-
Filesize
233B
MD5fec38b3468416a435960bece94b362af
SHA1db1c7582a9cd697b8c928a2263185140642b9a77
SHA256ddd6f7fa8764f10d2e416e86f8a9137bde82cc95b6dc713946976741e8044301
SHA512e158a300e9f7a2f02cc47ffe0cb29d18294288691cf0395514a95256fd7250aab7ea584007a4297ee27981804fb4e8bc3eec25c3f815f2a1b0108918a1eca441