Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
1088bc7b6a62...00.exe
windows7-x64
788bc7b6a62...00.exe
windows10-2004-x64
788cdf3a075...59.exe
windows7-x64
1088cdf3a075...59.exe
windows10-2004-x64
1089000a0d00...5b.exe
windows7-x64
1089000a0d00...5b.exe
windows10-2004-x64
1089270d6b49...b4.exe
windows7-x64
189270d6b49...b4.exe
windows10-2004-x64
1892ac0ac36...51.exe
windows7-x64
8892ac0ac36...51.exe
windows10-2004-x64
8894b900bb7...92.exe
windows7-x64
8894b900bb7...92.exe
windows10-2004-x64
8896493118e...17.exe
windows7-x64
10896493118e...17.exe
windows10-2004-x64
1089652cefa9...84.exe
windows7-x64
389652cefa9...84.exe
windows10-2004-x64
10897255af35...03.exe
windows7-x64
10897255af35...03.exe
windows10-2004-x64
10897b60be56...d4.exe
windows7-x64
6897b60be56...d4.exe
windows10-2004-x64
689a1a21003...9d.exe
windows7-x64
389a1a21003...9d.exe
windows10-2004-x64
389ed231ad6...9a.exe
windows7-x64
1089ed231ad6...9a.exe
windows10-2004-x64
108a4e1b5c29...83.exe
windows7-x64
108a4e1b5c29...83.exe
windows10-2004-x64
108a7ce080bb...ba.exe
windows7-x64
108a7ce080bb...ba.exe
windows10-2004-x64
108aa071d8cc...3d.exe
windows7-x64
78aa071d8cc...3d.exe
windows10-2004-x64
78acb86332d...4c.exe
windows7-x64
108acb86332d...4c.exe
windows10-2004-x64
10Analysis
-
max time kernel
119s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22/03/2025, 06:13
Behavioral task
behavioral1
Sample
88bc7b6a627017c4f048d13e756f27b0adc94dc25d0b53c42a2cbdac36177600.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
88bc7b6a627017c4f048d13e756f27b0adc94dc25d0b53c42a2cbdac36177600.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
88cdf3a075a9f38022db50379cd5771e1992a58af68f516812b40c8320dabc59.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
88cdf3a075a9f38022db50379cd5771e1992a58af68f516812b40c8320dabc59.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral7
Sample
89270d6b49877a5303ff4416c74830b4.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
89270d6b49877a5303ff4416c74830b4.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
892ac0ac36d3e692e581bde711ae2651.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
892ac0ac36d3e692e581bde711ae2651.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
894b900bb7817bc5ddd0e3ad48eb9c6fbe4ad9ad7741358d311bafe03b988a92.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
894b900bb7817bc5ddd0e3ad48eb9c6fbe4ad9ad7741358d311bafe03b988a92.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Resource
win7-20250207-en
Behavioral task
behavioral14
Sample
896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
89652cefa9366ca2d97d0e0b49525984.exe
Resource
win7-20250207-en
Behavioral task
behavioral16
Sample
89652cefa9366ca2d97d0e0b49525984.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
897255af3577597d102569ae36e4a05af7c024eaaaf4b26d4515002d2b257303.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
897255af3577597d102569ae36e4a05af7c024eaaaf4b26d4515002d2b257303.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
897b60be5611091a83c5ceb48f7d2bd4.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
897b60be5611091a83c5ceb48f7d2bd4.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
89a1a21003baf78498607da9565222de2ca042713740ff1005123e24f6b2449d.exe
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
89a1a21003baf78498607da9565222de2ca042713740ff1005123e24f6b2449d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
89ed231ad61a9e5a7fd0ab9f2bd75b9a.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
8a4e1b5c2998360f622e0279dee68fb7e7130c4a0fa23749b404f70c10dfcd83.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
8a4e1b5c2998360f622e0279dee68fb7e7130c4a0fa23749b404f70c10dfcd83.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
8a7ce080bb43fc3edf2ddf3b300355ba.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
8a7ce080bb43fc3edf2ddf3b300355ba.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
8aa071d8cc2dd74176f041bba8762b3d.exe
Resource
win7-20250207-en
Behavioral task
behavioral30
Sample
8aa071d8cc2dd74176f041bba8762b3d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
8acb86332d3165ca0750e27ecd4b4948ab35ade98d43820de667e14ff849c64c.exe
Resource
win7-20241023-en
Behavioral task
behavioral32
Sample
8acb86332d3165ca0750e27ecd4b4948ab35ade98d43820de667e14ff849c64c.exe
Resource
win10v2004-20250314-en
General
-
Target
89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe
-
Size
2.1MB
-
MD5
e5ab3ea88a2bc87c9e5b2dc45d2a4dd4
-
SHA1
2f58fa70410dedf700982f8c7a63e599c98ecff1
-
SHA256
89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b
-
SHA512
d7c7cf4283f9a1d0b5fa0b077fb4e99d9285a8872e55f34c1e0b849d9a85c21148a9bcc8b357766e8d5967b0e2f1f42c45e299d3746a5b8c775658963b20cfb2
-
SSDEEP
49152:6/PzW6Bg//wzCaq4UfvOGh3m1aQOsemlAT33zNgz1Sjcj4N1:wPzWDwG4U3hmcQO18bz1Sje4N
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Disables Task Manager via registry modification
-
Executes dropped EXE 4 IoCs
pid Process 2748 312213.exe 2972 cGlzeWFwb3_crypted_LAB.exe 2936 refNet.exe 2212 Idle.exe -
Loads dropped DLL 9 IoCs
pid Process 2636 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe 2636 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe 2968 Process not Found 2872 WerFault.exe 2872 WerFault.exe 2872 WerFault.exe 2872 WerFault.exe 1060 cmd.exe 1060 cmd.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Internet Explorer\fr-FR\Idle.exe refNet.exe File created C:\Program Files\Internet Explorer\fr-FR\6ccacd8608530f refNet.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\L2Schemas\dwm.exe refNet.exe File created C:\Windows\L2Schemas\6cb0b6c459d5d3 refNet.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 312213.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 600 PING.EXE -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2920 reg.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 600 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe 2936 refNet.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2936 refNet.exe Token: SeDebugPrivilege 2212 Idle.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 2636 wrote to memory of 2748 2636 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe 30 PID 2636 wrote to memory of 2748 2636 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe 30 PID 2636 wrote to memory of 2748 2636 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe 30 PID 2636 wrote to memory of 2748 2636 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe 30 PID 2636 wrote to memory of 2972 2636 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe 31 PID 2636 wrote to memory of 2972 2636 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe 31 PID 2636 wrote to memory of 2972 2636 89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe 31 PID 2972 wrote to memory of 2872 2972 cGlzeWFwb3_crypted_LAB.exe 33 PID 2972 wrote to memory of 2872 2972 cGlzeWFwb3_crypted_LAB.exe 33 PID 2972 wrote to memory of 2872 2972 cGlzeWFwb3_crypted_LAB.exe 33 PID 2748 wrote to memory of 2608 2748 312213.exe 34 PID 2748 wrote to memory of 2608 2748 312213.exe 34 PID 2748 wrote to memory of 2608 2748 312213.exe 34 PID 2748 wrote to memory of 2608 2748 312213.exe 34 PID 2608 wrote to memory of 1060 2608 WScript.exe 35 PID 2608 wrote to memory of 1060 2608 WScript.exe 35 PID 2608 wrote to memory of 1060 2608 WScript.exe 35 PID 2608 wrote to memory of 1060 2608 WScript.exe 35 PID 1060 wrote to memory of 2920 1060 cmd.exe 37 PID 1060 wrote to memory of 2920 1060 cmd.exe 37 PID 1060 wrote to memory of 2920 1060 cmd.exe 37 PID 1060 wrote to memory of 2920 1060 cmd.exe 37 PID 1060 wrote to memory of 2936 1060 cmd.exe 38 PID 1060 wrote to memory of 2936 1060 cmd.exe 38 PID 1060 wrote to memory of 2936 1060 cmd.exe 38 PID 1060 wrote to memory of 2936 1060 cmd.exe 38 PID 2936 wrote to memory of 332 2936 refNet.exe 39 PID 2936 wrote to memory of 332 2936 refNet.exe 39 PID 2936 wrote to memory of 332 2936 refNet.exe 39 PID 332 wrote to memory of 2424 332 cmd.exe 41 PID 332 wrote to memory of 2424 332 cmd.exe 41 PID 332 wrote to memory of 2424 332 cmd.exe 41 PID 332 wrote to memory of 600 332 cmd.exe 42 PID 332 wrote to memory of 600 332 cmd.exe 42 PID 332 wrote to memory of 600 332 cmd.exe 42 PID 332 wrote to memory of 2212 332 cmd.exe 43 PID 332 wrote to memory of 2212 332 cmd.exe 43 PID 332 wrote to memory of 2212 332 cmd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe"C:\Users\Admin\AppData\Local\Temp\89000a0d0047c48b96288186968f343d17f06f470b2985cfdd4ebcf56f9efe5b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Users\Admin\AppData\Local\Temp\312213.exe"C:\Users\Admin\AppData\Local\Temp\312213.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\Znb3Kfyp6V6O4bcQ.vbe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\jQuUq4BxkQ7YPdkLPwU2V7M1bbhMug.bat" "4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2920
-
-
C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost\refNet.exe"C:\Users\Admin\AppData\Local\Temp\PortComAgentserverHost/refNet.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBwDEQ99fC.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\system32\chcp.comchcp 650017⤵PID:2424
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:600
-
-
C:\Program Files\Internet Explorer\fr-FR\Idle.exe"C:\Program Files\Internet Explorer\fr-FR\Idle.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe"C:\Users\Admin\AppData\Local\Temp\cGlzeWFwb3_crypted_LAB.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2972 -s 363⤵
- Loads dropped DLL
PID:2872
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD51213f4fc1eb5dca213df57f1f5034a1b
SHA1e925aaf8a58c25e45a57cd6727e3de68fea1d267
SHA256d587bb2da2148bb0fed00e3d8ce93e5bb8207a77d7acbe735078b2372e737340
SHA5121886cb1fb166f44cc8a6aaa9dc0f07faf7bf9e14e1be908e4cee67c95c04151b3df921d9ac71e70a28c2ba9110117670b41d270000300434d9a84f1561ccc942
-
Filesize
177B
MD581eba0cf22d1b30479461c14f432f886
SHA1ece3fbc2aacb0ea7e2efe9786322a329bf677a0c
SHA2569a4b73a1bb99dda5c9b2f71010a42793322fab65396738fdf9acfb1f6ce8c153
SHA51201bba5fb92119657d94dc6e252ebcef8845576134940af16145f03a750ecaa998c74bb2c08f2954132b3563cad40e00d3e0f262ec8472c66a6499285be2db29c
-
Filesize
234B
MD57453933cc2d2d8ad0040f4dcf0cf478b
SHA125a3fdd6e9194ba888c0ca50eb1494e645cad5b7
SHA25623fc1f6b78cdac4e63ab8fabecea0a0b5016dbc312cf4a5562b1e0991ac64266
SHA512db9c5997203971b7fab2977a753795193f978909a466af2a639104b5f43c0f2386a6c50be3f701aa3ca156345fe2bd5e1fbf71528254237dbd0214d0fb618427
-
Filesize
189B
MD51d0a67c059050e768d731a6f5f308b53
SHA14b411281d7255b2512e0b56966f254260b010eb2
SHA2564a8c1eb659ab57354d2255e6071d72f437e1535619b261e922fffb37aec4c145
SHA51297c8f984091fd5a36384e20f00fb9aee5bc22aaf5673a7c0a4c307ecf687a5e6a068ab6b6be0e64be49c0c5679d3da0794fb80a429db5eace8a70389046c9ea5
-
Filesize
569KB
MD5a46f9a51a1e4926a077ddf9420394364
SHA12573735414873bb050f5b35a4fa637c005488c06
SHA256b47c8f7c749732fc1d5c49f2f0dc830fc47fd19ddb10a8dea9717535e0d630ee
SHA512e97ff39ffa2abb743dbaf739daae99535b18a5958acf5ed0e1338d25ebf131bb8fd6cd4c6801ebfec08bfb83a6412e526eee16d238879a41649d1556bd81543f
-
Filesize
1.9MB
MD5d2aaad4ccfc17fda2df263f515095e28
SHA19bfbdb3d4e5c724a4c45f72b4386cd4a9cacd219
SHA256a85bef4cf91e1dc1940124c6d2576d486be7868d996e01dc981c11b8a0dc1b40
SHA5126544effb5c43d28b0905dbf5bf7596197dd83b8bb1d8ade5fbdc7da85b2de9d6a02ac6f98297a04fdf997dde364c1a4a3c52360f6a495a2b57920c1b05c89b54