Analysis

  • max time kernel: 119s
  • max time network: 142s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 22/03/2025, 06:13

General

  • Target: 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
  • Size: 2.1MB
  • MD5: e5ab3ea88a2bc87c9e5b2dc45d2a4dd4
  • SHA1: 2f58fa70410dedf700982f8c7a63e599c98ecff1
  • SHA256: 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b
  • SHA512: d7c7cf4283f9a1d0b5fa0b077fb4e99d9285a8872e55f34c1e0b849d9a85c21148a9bcc8b357766e8d5967b0e2f1f42c45e299d3746a5b8c775658963b20cfb2
  • SSDEEP: 49152:6/PzW6Bg//wzCaq4UfvOGh3m1aQOsemlAT33zNgz1Sjcj4N1:wPzWDwG4U3hmcQO18bz1Sje4N

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Disables Task Manager via registry modification
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
    "C:\Users\Admin\AppData\Local\Temp\89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Users\Admin\AppData\Local\Temp\312213.exe
      "C:\Users\Admin\AppData\Local\Temp\312213.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\Znb3Kfyp6V6O4bcQ.vbe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\jQuUq4BxkQ7YPdkLPwU2V7M1bbhMug.bat" "
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1060
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2920
          • C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\refNet.exe
            "C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost/refNet.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2936
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBwDEQ99fC.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:332
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                PID:2424
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  7⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:600
                • C:\Program Files\Internet Explorer\fr-FR\Idle.exe
                  "C:\Program Files\Internet Explorer\fr-FR\Idle.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2212
      • C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe
        "C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2972 -s 36
          3⤵
          • Loads dropped DLL
          PID:2872

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\312213.exe
    Filesize: 2.2MB
    MD5: 1213f4fc1eb5dca213df57f1f5034a1b
    SHA1: e925aaf8a58c25e45a57cd6727e3de68fea1d267
    SHA256: d587bb2da2148bb0fed00e3d8ce93e5bb8207a77d7acbe735078b2372e737340
    SHA512: 1886cb1fb166f44cc8a6aaa9dc0f07faf7bf9e14e1be908e4cee67c95c04151b3df921d9ac71e70a28c2ba9110117670b41d270000300434d9a84f1561ccc942

  • C:\Users\Admin\AppData\Local\Temp\FBwDEQ99fC.bat
    Filesize: 177B
    MD5: 81eba0cf22d1b30479461c14f432f886
    SHA1: ece3fbc2aacb0ea7e2efe9786322a329bf677a0c
    SHA256: 9a4b73a1bb99dda5c9b2f71010a42793322fab65396738fdf9acfb1f6ce8c153
    SHA512: 01bba5fb92119657d94dc6e252ebcef8845576134940af16145f03a750ecaa998c74bb2c08f2954132b3563cad40e00d3e0f262ec8472c66a6499285be2db29c

  • C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\Znb3Kfyp6V6O4bcQ.vbe
    Filesize: 234B
    MD5: 7453933cc2d2d8ad0040f4dcf0cf478b
    SHA1: 25a3fdd6e9194ba888c0ca50eb1494e645cad5b7
    SHA256: 23fc1f6b78cdac4e63ab8fabecea0a0b5016dbc312cf4a5562b1e0991ac64266
    SHA512: db9c5997203971b7fab2977a753795193f978909a466af2a639104b5f43c0f2386a6c50be3f701aa3ca156345fe2bd5e1fbf71528254237dbd0214d0fb618427

  • C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\jQuUq4BxkQ7YPdkLPwU2V7M1bbhMug.bat
    Filesize: 189B
    MD5: 1d0a67c059050e768d731a6f5f308b53
    SHA1: 4b411281d7255b2512e0b56966f254260b010eb2
    SHA256: 4a8c1eb659ab57354d2255e6071d72f437e1535619b261e922fffb37aec4c145
    SHA512: 97c8f984091fd5a36384e20f00fb9aee5bc22aaf5673a7c0a4c307ecf687a5e6a068ab6b6be0e64be49c0c5679d3da0794fb80a429db5eace8a70389046c9ea5

  • C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe
    Filesize: 569KB
    MD5: a46f9a51a1e4926a077ddf9420394364
    SHA1: 2573735414873bb050f5b35a4fa637c005488c06
    SHA256: b47c8f7c749732fc1d5c49f2f0dc830fc47fd19ddb10a8dea9717535e0d630ee
    SHA512: e97ff39ffa2abb743dbaf739daae99535b18a5958acf5ed0e1338d25ebf131bb8fd6cd4c6801ebfec08bfb83a6412e526eee16d238879a41649d1556bd81543f

  • \Users\Admin\AppData\Local\Temp\PortComAgentserverHost\refNet.exe
    Filesize: 1.9MB
    MD5: d2aaad4ccfc17fda2df263f515095e28
    SHA1: 9bfbdb3d4e5c724a4c45f72b4386cd4a9cacd219
    SHA256: a85bef4cf91e1dc1940124c6d2576d486be7868d996e01dc981c11b8a0dc1b40
    SHA512: 6544effb5c43d28b0905dbf5bf7596197dd83b8bb1d8ade5fbdc7da85b2de9d6a02ac6f98297a04fdf997dde364c1a4a3c52360f6a495a2b57920c1b05c89b54

  • memory/2212-65-0x0000000001100000-0x00000000012E6000-memory.dmp
    Filesize: 1.9MB
  • memory/2636-1-0x0000000000C70000-0x0000000000E90000-memory.dmp
    Filesize: 2.1MB
  • memory/2636-17-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp
    Filesize: 9.9MB
  • memory/2636-0-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp
    Filesize: 4KB
  • memory/2936-36-0x00000000009C0000-0x0000000000BA6000-memory.dmp
    Filesize: 1.9MB
  • memory/2936-42-0x00000000003B0000-0x00000000003C8000-memory.dmp
    Filesize: 96KB
  • memory/2936-46-0x00000000003E0000-0x00000000003EC000-memory.dmp
    Filesize: 48KB
  • memory/2936-44-0x00000000003D0000-0x00000000003DE000-memory.dmp
    Filesize: 56KB
  • memory/2936-40-0x0000000000190000-0x00000000001AC000-memory.dmp
    Filesize: 112KB
  • memory/2936-38-0x0000000000180000-0x000000000018E000-memory.dmp
    Filesize: 56KB